IETF Logo Mail Archive

Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Nick Buraglio <buraglio@es.net> Thu, 13 October 2022 18:42 UTC

Return-Path: <buraglio@es.net>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11741C152710 for <spring@ietfa.amsl.com>; Thu, 13 Oct 2022 11:42:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=es.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rjuU9fXkUHt0 for <spring@ietfa.amsl.com>; Thu, 13 Oct 2022 11:42:49 -0700 (PDT)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04D6DC157B52 for <spring@ietf.org>; Thu, 13 Oct 2022 11:41:54 -0700 (PDT)
Received: by mail-ej1-x634.google.com with SMTP id d26so5804945ejc.8 for <spring@ietf.org>; Thu, 13 Oct 2022 11:41:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.net; s=esnet-google; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+uL4idYeHCQRwxy6xu5vvC3SqlVdNnrjIc8h1n+lpF4=; b=muU8RQ1h9wV9DTR3By3v3R1Zyw1LiRRN2JaJ0gBXDiDZv7AzSJEX2cIlqdMGsrSpNL Hv4RYMrySmKu0G7ZIvdyoxwF/BoeaSydBcpIoEI8Znm+bsWEYERKPivwskLwz/DRxl49 XIoj/+IOfwn0vBtdN5Q6R/Shy0BgsYLEuf/NfVgUbrFA8DcT1/5zSh+TsdG2lufO0xgR nh6KRDIe7EmiB2Te+3LIQj9LpmdMVwwA30Vxf2MLP1W4bBIpFvu3Wp2GduzbyM0oj9qK 6RjsZAsDVdPxRSPvZDYa8fu6A9GE3h0gvxIdVvGe7DOmWVFD9ksl2QiNQcqR5v1GeJr2 6/Og==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+uL4idYeHCQRwxy6xu5vvC3SqlVdNnrjIc8h1n+lpF4=; b=hVh0qr60WjDxEaCO9r9hffxVyfAANJ4K/uVwtgYFsJblFqjKGRVHPE4YNZ4sYu/Zxa 1sQ5hfQzRfQK36CWmWfzkr9Jyy0RCRwsSm2B/p6zJAvnQjWSmD+M5KpqZATxcVlMptCO tHqqMyjSouGpHDRlq0+YPdlHT3cu3E0DOq9HQQYc5d4yUFsLLuk0sG5+9DZSpEAnZxJA 8VuXuX/0NlebdIiT28aIFN+Idrap+EodktdwcJcWOiwmWmd+ATxqhXMVJXO+9CIygMSb KY3n4PiE1Z9LgIHznu4LIfmEu3MZneB7X9QDkheVcvg4HiT17IfYTihu3m0kP0+/cyBw /++Q==
X-Gm-Message-State: ACrzQf16AgbJSrSsbIrU/g2r7ox5tjqCSDkbTFp2X0CDehI0l6+SFdXI bjn1Qh6uDd0EUJ/uP5QczcGydrB1r6p6NnHN2qWJELbiyY0KXec6r4xHDbd6vZa6PTW/BRm88tR okDBBAZ7q9wp0nPa2hDEux1QABmc00Cc3z8X/82A6GMKxtpFUav3HeFLeBZveHvdNftM3AgBaU3 BGTg==
X-Google-Smtp-Source: AMsMyM7YOYBxFAPCaUguxh5voYbH4WQ9nlq98XrHOJ2fpe/WSWxJfdEdU3cKDOC1EsPZLARd7UTa3ncc98UKSWov9Ro=
X-Received: by 2002:a17:907:a04a:b0:78d:cef2:b219 with SMTP id gz10-20020a170907a04a00b0078dcef2b219mr787702ejc.735.1665686513152; Thu, 13 Oct 2022 11:41:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAFU7BARixwPZTrNQOuEw3WP-FqUsVwTj7btMTahcMbXm_NqWGw@mail.gmail.com> <CAB75xn4+N31=ggO03AAQJANv7RgHaC1eNGXRUQ9B20rLK+nJyg@mail.gmail.com> <E77D8982-11E9-45F9-81BF-3CA1E1F6B745@gmail.com> <CAB75xn4Zme4KOjPuY1_-4jCKTk1jshbq8X645zXhYQLiKB+N9g@mail.gmail.com> <54A38015-95AD-41F0-8E9D-76B3E62AA55B@gmail.com> <bdd7bf12-f712-3fe5-2698-9272c16ddded@joelhalpern.com> <58E77509-A1A1-4CE8-9EE4-22BEEEA8B62E@gmail.com> <98a941e4-0fff-ced1-d4ca-4406368eac31@joelhalpern.com> <4DC495DF-AD6B-4D60-80C4-B836DD365A0C@gmail.com> <CAOj+MMEx7+jWN1yC=81dMwo5GmqbhyHqOZr9W2_qzN9BNjs+Zw@mail.gmail.com> <ab55e9c0-60b9-2986-07f1-38c28852009e@joelhalpern.com> <CAOj+MMEn6Dz-Rz0PRRvR8VXT8idAQm+rLuouWJoNz-dA+kRkJQ@mail.gmail.com> <1fe2d387-8ecc-5240-092c-84a5978af5e4@gmail.com> <CAOj+MME6Nb3MLQCiGQ5S06Cwj6d3Z+aoSpxwFdtoFaV-yPPuJQ@mail.gmail.com> <e65772a1-bc86-c59c-e99f-7cabf92f28a4@joelhalpern.com> <183BB8B9-A338-4136-8546-7C7858B4D4E4@cisco.com>
In-Reply-To: <183BB8B9-A338-4136-8546-7C7858B4D4E4@cisco.com>
Reply-To: buraglio@es.net
From: Nick Buraglio <buraglio@es.net>
Date: Thu, 13 Oct 2022 11:41:41 -0700
Message-ID: <CAM5+tA_R0Jm6+hViMOmkSgzPqYqngE5MhR+pjpc_fX50e6Y4pw@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: Joel Halpern <jmh@joelhalpern.com>, Robert Raszuk <robert@raszuk.net>, 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ecda1c05eaeedc9e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/Sbd7rwgiZhFRN9QSj2PdasIceMo>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2022 18:42:54 -0000

----
nb


On Mon, Oct 10, 2022 at 2:57 AM Eric Vyncke (evyncke) <evyncke=
40cisco.com@dmarc.ietf.org> wrote:

> Hmmm I really wonder why a transit network should look into my packets (to
> check for SRH) and decide to drop my packets; assuming of course that my
> packets are not damaging the transit network (like some hop-by-hop years
> ago) or attempting to trick my network (anti-spoofing or using transit
> provider own SID -- both being layer-3 filters BTW).
>

There is some, I think, relevant precedent from a provider perspective. In
the old days when worms with consistent byte boundaries were ravaging the
networks I personally worked on filtering those at the network perimeters.
While I am a very staunch proponent of not meddling with transit packets on
a carrier network, there are a handful of demonstrative examples (primarily
amplification attacks, etc.) that are de facto expected, but in many cases
can be lifted if there is a use case. Filtering SRH filters at the
perimeter of a given network as brian has described feels a lot like that
at a deeper network level.
As we have discussed SRv6 for solving use cases for our organizations, one
of the first questions I have consistently heard is "how do we prevent
abuse of this?" because of the nature of using IPv6 as the traffic
engineering steering stack. Referencing section 8 of RFC8402 is useful, and
also highlights some current operational limitations, and encourages
vendor implementation of the needful filtering options.



>
> -éric
>
>
>
> *From: *ipv6 <ipv6-bounces@ietf.org> on behalf of Joel Halpern <
> jmh@joelhalpern.com>
> *Date: *Sunday, 9 October 2022 at 16:38
> *To: *Robert Raszuk <robert@raszuk.net>
> *Cc: *6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
> *Subject: *Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
>
>
>
> We require, per the RFC, blocking SRH outside of the limited domain for
> many reasons.
>
> One example is that it turns SRH into a powerful attack vector, given that
> source address spoofing means there is little way to tell whether an
> unencapsulated packet actually came from another piece of the same domain.
>
> So yes, I think making this restriction clear in this RFC is important and
> useful.
>
> Yours,
>
> Joel
>
> On 10/8/2022 5:07 PM, Robert Raszuk wrote:
>
> Hi Brian,
>
>
>
> Completely agree.
>
>
>
> One thing is not to guarantee anything in respect to forwarding IPv6
> packets with SRH (or any other extension header) and the other thing is to
> on purpose recommending killing it at interdomain boundary as some sort of
> evil.
>
>
>
> Cheers,
>
> R.
>
>
>
>
>
>
>
> On Sat, Oct 8, 2022 at 9:51 PM Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
>
> Robert,
>
> > If there is any spec which mandates that someone will drop my IPv6
> packets only because they contain SRH in the IPv6 header I consider this an
> evil and unjustified action.
>
> The Internet is more or less opaque to most extension headers, especially
> to recently defined ones, so I don't hold out much hope for SRH outside SR
> domains.
>
> https://www.rfc-editor.org/rfc/rfc9098.html
> https://datatracker.ietf.org/doc/html/draft-elkins-v6ops-eh-deepdive-fw
>
> Regards
>     Brian Carpenter
>
> On 09-Oct-22 07:52, Robert Raszuk wrote:
> > Hi Joel,
> >
> > I was hoping this is apparent so let me restate that I do not buy into
> "limited domain" business for SRv6.
> >
> > I have N sites connected over v6 Internet. I want to send IPv6 packets
> between my "distributed globally limited domain" without yet one more encap.
> >
> > If there is any spec which mandates that someone will drop my IPv6
> packets only because they contain SRH in the IPv6 header I consider this an
> evil and unjustified action.
> >
> > Kind regards,
> > Robert
> >
> > On Sat, Oct 8, 2022 at 7:40 PM Joel Halpern <jmh@joelhalpern.com
> <mailto:jmh@joelhalpern.com>> wrote:
> >
> >     Robert, I am having trouble understanding your email.
> >
> >     1) A Domain would only filter the allocated SIDs plus what it
> chooses to use for SRv6.
> >
> >     2) Whatever it a domain filters should be irrelevant to any other
> domain, since by definition SRv6 is for use only within a limited domain.
> So as far as I can see there is no way a domain can apply incorrect
> filtering.
> >
> >     Yours,
> >
> >     Joel
> >
> >     On 10/8/2022 3:16 AM, Robert Raszuk wrote:
> >>     Hi Suresh,
> >>
> >>         NEW:
> >>         In case the deployments do not use this allocated prefix
> additional care needs to be exercised at network ingress and egress points
> so that SRv6 packets do not leak out of SR domains and they do not
> accidentally enter SR unaware domains.
> >>
> >>
> >>     IMO this is too broad. I would say that such ingress filtering
> could/should happen only if dst or locator is within locally
> configured/allocated prefixes. Otherwise it is pure IPv6 transit and I see
> no harm not to allow it.
> >>
> >>         Similarly as stated in Section 5.1 of RFC8754 packets entering
> an SR domain from the outside need to be configured to filter out the
> selected prefix if it is different from the prefix allocated here.
> >>
> >>
> >>     Again the way I read it this kills pure IPv6 transit for SRv6
> packets. Why ?
> >>
> >>     (Well I know the answer to "why" from our endless discussions about
> SRv6 itself and network programming however I still see no need to mandate
> in any spec to treat SRv6 packets as unwanted/forbidden for pure IPv6
> transit.)
> >>
> >>     Thx,
> >>     R.
> >
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
ᐧ

v2.23.0 | Report a Bug | By Email