Re: [spring] All IPv6 fields are now mutable (Re: Typo correction Re: Question from SPRING regarding draft-filsfilscheng-spring-srv6-srh-compression)
Tom Herbert <tom@herbertland.com> Mon, 18 October 2021 00:35 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D6393A168B for <spring@ietfa.amsl.com>; Sun, 17 Oct 2021 17:35:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ekia8nMz6t69 for <spring@ietfa.amsl.com>; Sun, 17 Oct 2021 17:35:29 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B6103A168F for <spring@ietf.org>; Sun, 17 Oct 2021 17:35:29 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id d9so63683663edh.5 for <spring@ietf.org>; Sun, 17 Oct 2021 17:35:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=x6msWSqEHZm1iXVIvu7i2VNufCSwTKUdFAJRVPoqE2U=; b=AKoXrmINUFW68wAD/2+5WMgryXu5MNZbxJJ9S2vPpEYsd0HPmqdDIIn/ZKDV3hLayx EadZO60q2LMj2bY2kTPkx9xL/h81dQSNjDCJw+wbHEkep7oN2z1SGxeEoGDDntOnFGQL qN07D2v50kIGm4FC61uNOI23fwp1XzSS7OlaVArigCXiJbJtCsGyDyw+kaBTHIcp/n0Z Fh8Z6rXWhfRlHOBNZ0zrzPFgyQsaL0z0LXg7CB9FWJ0+/uWWpM+9lGK0NkbopZiEl+lB RYV3QwNkhCA+wQ13u8V9fWEvwsjqNsfAEOO/2meKN5Lj4QuxYjCnZ+HwJ6r1t6m/TnyL lxRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=x6msWSqEHZm1iXVIvu7i2VNufCSwTKUdFAJRVPoqE2U=; b=YA2vuCqhFdV6XXmaD83m/1ngOFVKqaTLVSuz9BatVvoAflSyMx/UUxoSreYW/X6qfi QDR48Ty1Q7OzJyMtu4cKO4DHu08vlm2mAFJNNyltHLfLOzJ6QdXmNDlIjoaYTgUWHsBX b1htA8NJgP6qONbIBaqUtEHpmyITqkyb25KihHUwNyXQMKDNIwubEnIfL/vsFVxsu2kC k3w3mFuu5gEk0OVBkPrZ6g7j3AOZ/jXE/rhAvg+91A94RSHIN1BfC8H0dBcSMASlw8Iz 4pRwLGFfWnK18Pwi3/kPgk2+IUxgwStBBXCgH+0wurIQpdoWGJf3FN6OkiPugRVvngDp UEKA==
X-Gm-Message-State: AOAM5323kRfE28CDkrs+TDaE2th9CzYP3nnC+lgydrV8VfOE2bvGH0JU cLeHJ03Jht9mx05XeCMAzy38kWRRWynsq3lIiqWN8Q==
X-Google-Smtp-Source: ABdhPJxlihKOD1m7YKFIs+gxGgEp5Rdo2O7T7zy2z6SfdIfM4HXhrL7VLo5HvPPweHXJ7yfPg3nHyzjLmHXe90ROI40=
X-Received: by 2002:a17:907:3312:: with SMTP id ym18mr25076200ejb.370.1634517327163; Sun, 17 Oct 2021 17:35:27 -0700 (PDT)
MIME-Version: 1.0
References: <85fddbe9-4eb8-7d90-d246-a888fe8bdcd3@joelhalpern.com> <139d72fd-98de-f46a-767f-6a493c4facc9@joelhalpern.com> <1396_1634278622_61691CDE_1396_28_5_787AE7BB302AE849A7480A190F8B93303542C654@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAO42Z2wvKNyYeKAZdVOh2c8G95JZuhgxumNixMWWsK9u_QDRTQ@mail.gmail.com> <1101.1634412958@localhost> <CAO42Z2yFMjPhQFrJH2eJWpYZpiM4gDS_hAEDUVj4aJO-UyTxSg@mail.gmail.com> <CALx6S34G6a1DOWNfZxZ=XjYjFxR-kOPMMMLeQ18woUhrqwLUWQ@mail.gmail.com> <5bbcf175-10a7-4839-b968-eea0a0ad8a1b@gmail.com>
In-Reply-To: <5bbcf175-10a7-4839-b968-eea0a0ad8a1b@gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Sun, 17 Oct 2021 17:35:15 -0700
Message-ID: <CALx6S35RPdDj7g+X376yHH541d1GODK4tnn9gv-ty_wsx841FA@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Mark Smith <markzzzsmith@gmail.com>, SPRING WG <spring@ietf.org>, 6man WG <ipv6@ietf.org>, Michael Richardson <mcr@sandelman.ca>
Content-Type: multipart/alternative; boundary="000000000000aa455505ce95b8d0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/YiAaPWttJPd4-ZJNknjlmo0-_SE>
Subject: Re: [spring] All IPv6 fields are now mutable (Re: Typo correction Re: Question from SPRING regarding draft-filsfilscheng-spring-srv6-srh-compression)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Oct 2021 00:35:36 -0000
On Sun, Oct 17, 2021, 3:22 PM Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: > On 18-Oct-21 09:39, Tom Herbert wrote: > > On Sat, Oct 16, 2021 at 4:59 PM Mark Smith <markzzzsmith@gmail.com> > wrote: > >> > >> On Sun, 17 Oct 2021, 06:36 Michael Richardson, <mcr@sandelman.ca> > wrote: > >>> > >>> Mark Smith <markzzzsmith@gmail.com> wrote: > >>> > In fight changing DAs also will break AH protection of the IPv6 > header. > >>> > >>> AH is dead. It's been dead for decades. > >>> I say this as an IPsec enthusiast who wishes this wasn't true. > >>> But it is. > >> > >> > >> Then all IPv6 field immutability while the packet is in flight is also > dead. > >> > >> "Controlled domain" == redefine any field, field semantics, and field > >> processing we like in an existing protocol, yet claim we're still > >> using the original protocol. > >> > >> That has been tacitly endorsed via standards track RFC8986. The Next > >> Header field is not supposed to be modified in flight per internet > >> standard RFC8200, yet standards track RFC8986 specifies the behaviour > >> via PSP. > >> > >> This SRH compression ID is redefining the IPv6 DA field semantics. It > >> encodes multiple network hop destinations in the single IPv6 > >> destination address field. > >> > >> Structured Flow Label - > >> > https://datatracker.ietf.org/doc/draft-filsfils-6man-structured-flow-label/ > >> is redefining the IPv6 flow label field. > >> > >> This will be an operational nightmare in the future, when there are > >> multiple applicable RFCs that conflict with each other. I don't want > >> to have to spend time getting into arguments with vendors about which > >> protocol variant RFC their implementation should or shouldn't have to > >> comply with while I have 1000s, 10s or 100s of 1000s of customers > >> off-line. > > > > Mark, > > > > I think you might be lumping together several disparate proposals in > > your general claim that "IPv6 field immutability while the packet is > > in flight is also dead". > > > > When SRH was under discussion in 6man there was a lot of work to > > define which fields were immutable and that is described in RFC8754. > > Those definitions are sufficient to specify proper interaction between > > SRH and AH, however RFC8754 knowingly breaks AH as that handling was > > not specified. Some of us did object to that, but I suppose expediency > > to publish the protocol won out. Nevertheless, there is nothing that > > prevents someone from properly defining AH usage with SRH. > > > > As for the IPv6 destination address, it was never defined to be an > > immutable field inflight. In fact, the core operation of a routing > > header is to overwrite the destination address at each intermediate > > destination. NAT also changes the DA in flight, but there is a > > significant difference between NAT and the routing header header > > operation: when a routing header is set in a packet the sender knows > > and indicates the destination address. For the purposes of AH or > > transport checksum, both the sender and final receiver use this > > address-- there is no ambiguity and the fact that the destination > > address is mutable in flight doesn't adversely impact end to end > > protocol operations that operate on the addresses. > > > > We have seen various proposals to steal bits or redefine flow label > > fields, but IMO it's unlikely any of those will ever get consensus. > > Hosts routinely set the flow label as an unstructured value, and > > redefining flow label semantics would be a massive retroactive change > > in deployment. I would point out though, that the flow label is > > technically not immutable in flight, RFC6437 allows it to be modified > > by intermediate nodes for "only for compelling operational security > > reasons". > > Correct, because it was very clear that some firewalls were going to > clobber it whatever we wrote. So we tried to describe behaviour > that would not nullify the usefulness of the field for stateless > load balancing. > Brian, Thanks for the explanation concerning why the exception was created. For the concern that the flow label could be used a a covert channel, was this a hypothetical possibility or in response to some real events (sending twenty bits at a time doesn't seem like a very effective covert channel compared to other methods :-) ) Tom > As for draft-filsfils-6man-structured-flow-label, the problems in > https://mailarchive.ietf.org/arch/browse/ipv6/?gbt=1&index=qrTou1rjtNDDchE5yFfSN31pkMc > remain unsolved. > > Brian >
- Re: [spring] Question from SPRING regarding draft… Stefano Salsano
- [spring] Question from SPRING regarding draft-fil… Joel M. Halpern
- [spring] Typo correction Re: Question from SPRING… Joel M. Halpern
- Re: [spring] Typo correction Re: Question from SP… Brian E Carpenter
- Re: [spring] Typo correction Re: Question from SP… Michael Richardson
- Re: [spring] Typo correction Re: Question from SP… Ted Hardie
- Re: [spring] Typo correction Re: Question from SP… Carsten Bormann
- Re: [spring] Question from SPRING regarding draft… Erik Kline
- Re: [spring] Typo correction Re: Question from SP… Brian E Carpenter
- Re: [spring] Typo correction Re: Question from SP… Tom Herbert
- Re: [spring] Typo correction Re: Question from SP… mohamed.boucadair
- Re: [spring] Typo correction Re: Question from SP… Mark Smith
- Re: [spring] Typo correction Re: Question from SP… mohamed.boucadair
- Re: [spring] Typo correction Re: Question from SP… Ted Hardie
- [spring] short term plan regarding adoption call … Joel M. Halpern
- Re: [spring] Typo correction Re: Question from SP… Tom Herbert
- Re: [spring] Question from SPRING regarding draft… Andrew Alston
- Re: [spring] Question from SPRING regarding draft… Francois Clad (fclad)
- Re: [spring] Typo correction Re: Question from SP… Michael Richardson
- Re: [spring] Typo correction Re: Question from SP… Brian E Carpenter
- [spring] All IPv6 fields are now mutable (Re: Typ… Mark Smith
- Re: [spring] Question from SPRING regarding draft… Brian E Carpenter
- Re: [spring] Question from SPRING regarding draft… Brian E Carpenter
- Re: [spring] All IPv6 fields are now mutable (Re:… Andrew Alston
- Re: [spring] Question from SPRING regarding draft… Mark Smith
- Re: [spring] Question from SPRING regarding draft… Brian Carpenter
- Re: [spring] Question from SPRING regarding draft… Michael Richardson
- Re: [spring] Question from SPRING regarding draft… Darren Dukes (ddukes)
- Re: [spring] All IPv6 fields are now mutable (Re:… Tom Herbert
- Re: [spring] Question from SPRING regarding draft… Brian E Carpenter
- Re: [spring] All IPv6 fields are now mutable (Re:… Brian E Carpenter
- Re: [spring] Question from SPRING regarding draft… Nick Hilliard
- Re: [spring] All IPv6 fields are now mutable (Re:… Tom Herbert
- Re: [spring] Question from SPRING regarding draft… Darren Dukes (ddukes)
- Re: [spring] Question from SPRING regarding draft… Brian E Carpenter
- Re: [spring] All IPv6 fields are now mutable (Re:… Brian E Carpenter
- Re: [spring] Question from SPRING regarding draft… otroan
- Re: [spring] Typo correction Re: Question from SP… Ted Hardie
- Re: [spring] Typo correction Re: Question from SP… Brian E Carpenter
- Re: [spring] Typo correction Re: Question from SP… Brian E Carpenter
- Re: [spring] Typo correction Re: Question from SP… Mark Smith
- [spring] Administrative interfaces (was draft-fil… Ted Hardie
- Re: [spring] Administrative interfaces (was draft… Robert Raszuk
- Re: [spring] Typo correction Re: Question from SP… Tom Herbert
- Re: [spring] Typo correction Re: Question from SP… Brian E Carpenter
- Re: [spring] Typo correction Re: Question from SP… Greg Mirsky
- Re: [spring] Typo correction Re: Question from SP… Brian E Carpenter
- Re: [spring] Question from SPRING regarding draft… Nick Hilliard
- Re: [spring] Typo correction Re: Question from SP… Darren Dukes (ddukes)
- Re: [spring] Typo correction Re: Question from SP… Gyan Mishra
- Re: [spring] Typo correction Re: Question from SP… Gyan Mishra
- Re: [spring] Typo correction Re: Question from SP… Chengli (Cheng Li)
- Re: [spring] Typo correction Re: Question from SP… Darren Dukes (ddukes)
- Re: [spring] Question from SPRING regarding draft… Erik Kline
- Re: [spring] Typo correction Re: Question from SP… Gyan Mishra
- Re: [spring] Typo correction Re: Question from SP… Greg Mirsky
- Re: [spring] Typo correction Re: Question from SP… Darren Dukes (ddukes)
- Re: [spring] Typo correction Re: Question from SP… Erik Kline
- Re: [spring] Typo correction Re: Question from SP… Erik Kline