IETF Logo Mail Archive

Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 09 October 2022 19:38 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 687A4C14CF0F; Sun, 9 Oct 2022 12:38:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ix-Vt58l5uWn; Sun, 9 Oct 2022 12:38:08 -0700 (PDT)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4A7DC14F74D; Sun, 9 Oct 2022 12:38:08 -0700 (PDT)
Received: by mail-pl1-x631.google.com with SMTP id z20so8700600plb.10; Sun, 09 Oct 2022 12:38:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=uF02T0sOxoY1UmnS2FDZ/VS8tIClQYZU2Sy1wDIoyBw=; b=L8SdPsCHlIpBy43j0sFjhiqgpHGLysKEoKqD87DntSn7lBi7mDu+A/eECW4kRiqXOT Dope3rSCVPViAS3AgcwGLED2N8Yytb0AQt1nt89jHj9XgIq410LtQo4pP72+qgY0FPdo 147d7mSyoREJnCEf585kZhqZ7w8pt/UtaCRGdp1hMChGj7rtG4aOpiFbclhQYRZ1+r4I lcdvVgdauuY5cDK4lYA1rbgQ5vMOsAx4IYrCmpjT5XNkbsxLUAANECkNfALHYBzHHsO0 qeJU24W3ObkKuNhI3idLi9rPN/nWNlHBF75C/ttpXYm84F6MNJOKpYPSS8llCWf0VvbA H+kw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=uF02T0sOxoY1UmnS2FDZ/VS8tIClQYZU2Sy1wDIoyBw=; b=onRnzmyyeD9WQ6h5GsWDg8IbJ0dYn/Feu8YnKC1wECD7PUSbTZ+oTDaj42xZMq0Scu q/KtTza8pTC1PsCYpcbog65RfA+HBeesrCvdnTGONiMFU8cz9tZp42K5Vg/BddHpxYID ogIwI+zyyz/CtEmkdtnYLZTu8aacq3oxhmMK5kkkXcZ9YoSElWlf259zIPXt/nYiEdlh ksV/1dWpRYCylmkMKWQy8wW0QclysZDI8U85UU0mKAdYNwgpnJQ1CNS2Yb67fk9UUMpN JpjeZJZ2d4FppLpO4csSfxu1pw4a+LPh/KzdKVOSa9BvGOQkXwIMMSXroXLaT7fFhLec nESQ==
X-Gm-Message-State: ACrzQf3Ai+gpZCK9U7OuJFbD0dhTEhHHBDLzy88XBdMztTYN6grza/Am z5hQAMsNbs9Uvj2lqL5UmFo=
X-Google-Smtp-Source: AMsMyM7evLnPyBSGi9s2TYeOSrqbD+wyjBYlsZ97vU7r7a9TEjc2VyqIJoSiT8TRrQUWyayErxKLnQ==
X-Received: by 2002:a17:902:ccc7:b0:16c:484f:4c69 with SMTP id z7-20020a170902ccc700b0016c484f4c69mr15917894ple.118.1665344288075; Sun, 09 Oct 2022 12:38:08 -0700 (PDT)
Received: from ?IPV6:2406:e003:1124:9301:80b2:5c79:2266:e431? ([2406:e003:1124:9301:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id c12-20020a170903234c00b001780e4e6b65sm5052671plh.114.2022.10.09.12.38.05 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 09 Oct 2022 12:38:07 -0700 (PDT)
Message-ID: <77e0b05f-e23d-65d6-6f81-99303d1e1bda@gmail.com>
Date: Mon, 10 Oct 2022 08:38:01 +1300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Robert Raszuk <robert@raszuk.net>, Suresh Krishnan <suresh.krishnan@gmail.com>
Cc: 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
References: <CAFU7BARixwPZTrNQOuEw3WP-FqUsVwTj7btMTahcMbXm_NqWGw@mail.gmail.com> <bdd7bf12-f712-3fe5-2698-9272c16ddded@joelhalpern.com> <58E77509-A1A1-4CE8-9EE4-22BEEEA8B62E@gmail.com> <98a941e4-0fff-ced1-d4ca-4406368eac31@joelhalpern.com> <4DC495DF-AD6B-4D60-80C4-B836DD365A0C@gmail.com> <CAOj+MMEx7+jWN1yC=81dMwo5GmqbhyHqOZr9W2_qzN9BNjs+Zw@mail.gmail.com> <ab55e9c0-60b9-2986-07f1-38c28852009e@joelhalpern.com> <CAOj+MMEn6Dz-Rz0PRRvR8VXT8idAQm+rLuouWJoNz-dA+kRkJQ@mail.gmail.com> <1fe2d387-8ecc-5240-092c-84a5978af5e4@gmail.com> <CAOj+MME6Nb3MLQCiGQ5S06Cwj6d3Z+aoSpxwFdtoFaV-yPPuJQ@mail.gmail.com> <e65772a1-bc86-c59c-e99f-7cabf92f28a4@joelhalpern.com> <CAOj+MMF-dWpdLwQjc611Uv6s_0jaexvvRNmiMbkqxwjAfqwHbw@mail.gmail.com> <e894c1bd-1474-f732-9d39-50e9d48e1d6d@joelhalpern.com> <CAOj+MME8Ca=ANegECKvDeDH22zwZxL5OQKjrvWVg42OZNaMrXQ@mail.gmail.com> <EF93A54E-0DB4-48F9-B210-15FE3AF82B0F@gmail.com> <CAOj+MMEqyWaLq=D0SLPeGhRzFYi6w0p53UdqKxSgaxqJwDPvmw@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <CAOj+MMEqyWaLq=D0SLPeGhRzFYi6w0p53UdqKxSgaxqJwDPvmw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/bH8ytdX3y55cZ2KpzyVn9j0BLvU>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Oct 2022 19:38:13 -0000

On 10-Oct-22 05:15, Robert Raszuk wrote:
> Hi Suresh,
> 
>  > One thing that is for certain is that this draft (draft-ietf-6man-sids) does not specify any
>  > restrictions or provide any recommendations on filtering if this allocated prefix is not used
> 
> OK many thx for this clarification I was not clear on this hence comments made. In general I would consider such a block to be part of my infra and naturally do filter on ingress.
> 
> However one point still remains unclear. What if a distributed domain interconnected over the Internet is using a mix of these new allocated prefixes within each site and publicly routable IPv6 addressing to jump between sites within SRH ?
> 
> Then still blind filtering based on SRH presence would be a bad thing.

Easily avoided by another layer of encapsulation, surely? Personally I would want to do that, and to use an encrypted encapsulation, to make sure that the SR domain is not penetrated.

Or to quote RFC8402: "By default, SR operates within a trusted domain.  Traffic MUST be filtered at the domain boundaries." The only way a distributed SR domain can provide that trust and filtering is by encrypted encapsulation, as far as I can see.

> 
> Not sure if this could be reflected in the document with a bit more precision ...

It doesn't, IMHO, belong in this draft. It really looks like an update to 8402: how to build a distributed SR domain.

    Brian
> 
> Cheers,
> R.
> 
> On Sun, Oct 9, 2022 at 6:01 PM Suresh Krishnan <suresh.krishnan@gmail.com <mailto:suresh.krishnan@gmail.com>> wrote:
> 
>     Hi Robert,
>        Thanks for your further clarifications on the topic. I think I do understand your concern now based on your discussions with Joel and Brian. If I understand it correctly, the concern exists whether or not someone is using their own allocated address block or if they use the prefix allocated in this draft (Please correct me if this is not right). One thing that is for certain is that this draft (draft-ietf-6man-sids) does not specify any restrictions or provide any recommendations on filtering if this allocated prefix is not used, and that would be covered by what Section 5.1 of RFC8754 states.
> 
>     The generic concern you mentioned is something that needs to be discussed in the scope of the operational guidelines draft. I certainly do see this as a polarizing topic between the transit operators who would carry SR traffic and those who do not wish to do so and as you say below we can only provide recommendations.
> 
>     Regards
>     Suresh
> 
>>     On Oct 9, 2022, at 11:42 AM, Robert Raszuk <robert@raszuk.net <mailto:robert@raszuk.net>> wrote:
>>
>>     Joel,
>>
>>     > You can't tell a packet validly from another piece of your domain from a packet being
>>     > sourced by an attacker and spoofing its source address.
>>
>>     Please rest assured that it is way easier to filter unplanned actions carried in SRH inserted by an attacker than to protect all end systems from globally reachable IPv6 destinations.
>>
>>     So the former is a "bad idea" and the latter great one ... very interesting observation.
>>
>>     Nevertheless it is great that all you can do is to write an operational recommendation. What will be actually done in the production networks is beyond your control.
>>
>>     Cheers,
>>     R.
>>
>>     On Sun, Oct 9, 2022 at 5:26 PM Joel Halpern <jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>> wrote:
>>
>>         It is accurate that transits that do not use SRH do not need to worry about SRH.  And arguably, even those that do use SRH do not need to worry about SIDs not in their usage ranges.  Getting that right is non-trivial, but...
>>
>>         The point in this particular case is that connecting pieces of your domain in the clear over the Internet puts you at significant risk.  You can't tell a packet validly from another piece of your domain from a packet being sourced by an attacker and spoofing its source address.  So if you deploy the use case you have described, that causes you to object to other folks filtering SRH, you are doing something that the IETF has good reason to say is a bad idea.
>>
>>         So folks who filter the SRH, even if you do not like it, are doing what we told them to do.  SRv6 was approved only for limited domains.
>>
>>         While you have said you do not like limited domains, and there is a lot of ambiguity and bending of rules around such things, it does seem appropraite and legitimate for us to write in restrictions based on that property that the RFCs require.
>>
>>         Yours,
>>
>>         Joel
>>
>>         On 10/9/2022 10:49 AM, Robert Raszuk wrote:
>>>         Joel,
>>>
>>>         > it turns SRH into a powerful attack vector
>>>
>>>         Really ?
>>>
>>>         How is this possible if IPv6 destination address of the packet does not belong to the block of locally allocated range used as ASN's infra subnet ? I am talking about a pure IPv6 transit case.
>>>
>>>         Isn't this the case that SRH should be examined by the node listed in the destination address of the packet ?
>>>
>>>         And of course it is common and very good practice to filter any external attempt to reach my own address blocks use for management and node configuration. But this is way more granular then to say kill all packets entering my network which have SRH.
>>>
>>>         Thx,
>>>         R.
>>>
>>>         On Sun, Oct 9, 2022 at 4:37 PM Joel Halpern <jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>> wrote:
>>>
>>>             We require, per the RFC, blocking SRH outside of the limited domain for many reasons.
>>>
>>>             One example is that it turns SRH into a powerful attack vector, given that source address spoofing means there is little way to tell whether an unencapsulated packet actually came from another piece of the same domain.
>>>
>>>             So yes, I think making this restriction clear in this RFC is important and useful.
>>>
>>>             Yours,
>>>
>>>             Joel
>>>
>>>             On 10/8/2022 5:07 PM, Robert Raszuk wrote:
>>>>             Hi Brian,
>>>>
>>>>             Completely agree.
>>>>
>>>>             One thing is not to guarantee anything in respect to forwarding IPv6 packets with SRH (or any other extension header) and the other thing is to on purpose recommending killing it at interdomain boundary as some sort of evil.
>>>>
>>>>             Cheers,
>>>>             R.
>>>>
>>>>
>>>>
>>>>             On Sat, Oct 8, 2022 at 9:51 PM Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>>>>
>>>>                 Robert,
>>>>
>>>>                 > If there is any spec which mandates that someone will drop my IPv6 packets only because they contain SRH in the IPv6 header I consider this an evil and unjustified action.
>>>>
>>>>                 The Internet is more or less opaque to most extension headers, especially to recently defined ones, so I don't hold out much hope for SRH outside SR domains.
>>>>
>>>>                 https://www.rfc-editor.org/rfc/rfc9098.html <https://www.rfc-editor.org/rfc/rfc9098.html>
>>>>                 https://datatracker.ietf.org/doc/html/draft-elkins-v6ops-eh-deepdive-fw <https://datatracker.ietf.org/doc/html/draft-elkins-v6ops-eh-deepdive-fw>
>>>>
>>>>                 Regards
>>>>                     Brian Carpenter
>>>>
>>>>                 On 09-Oct-22 07:52, Robert Raszuk wrote:
>>>>                 > Hi Joel,
>>>>                 >
>>>>                 > I was hoping this is apparent so let me restate that I do not buy into "limited domain" business for SRv6.
>>>>                 >
>>>>                 > I have N sites connected over v6 Internet. I want to send IPv6 packets between my "distributed globally limited domain" without yet one more encap.
>>>>                 >
>>>>                 > If there is any spec which mandates that someone will drop my IPv6 packets only because they contain SRH in the IPv6 header I consider this an evil and unjustified action.
>>>>                 >
>>>>                 > Kind regards,
>>>>                 > Robert
>>>>                 >
>>>>                 > On Sat, Oct 8, 2022 at 7:40 PM Joel Halpern <jmh@joelhalpern.com <mailto:jmh@joelhalpern.com> <mailto:jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>>> wrote:
>>>>                 >
>>>>                 >     Robert, I am having trouble understanding your email.
>>>>                 >
>>>>                 >     1) A Domain would only filter the allocated SIDs plus what it chooses to use for SRv6.
>>>>                 >
>>>>                 >     2) Whatever it a domain filters should be irrelevant to any other domain, since by definition SRv6 is for use only within a limited domain.  So as far as I can see there is no way a domain can apply incorrect filtering.
>>>>                 >
>>>>                 >     Yours,
>>>>                 >
>>>>                 >     Joel
>>>>                 >
>>>>                 >     On 10/8/2022 3:16 AM, Robert Raszuk wrote:
>>>>                 >>     Hi Suresh,
>>>>                 >>
>>>>                 >>         NEW:
>>>>                 >>         In case the deployments do not use this allocated prefix additional care needs to be exercised at network ingress and egress points so that SRv6 packets do not leak out of SR domains and they do not accidentally enter SR unaware domains.
>>>>                 >>
>>>>                 >>
>>>>                 >>     IMO this is too broad. I would say that such ingress filtering could/should happen only if dst or locator is within locally  configured/allocated prefixes. Otherwise it is pure IPv6 transit and I see no harm not to allow it.
>>>>                 >>
>>>>                 >>         Similarly as stated in Section 5.1 of RFC8754 packets entering an SR domain from the outside need to be configured to filter out the selected prefix if it is different from the prefix allocated here.
>>>>                 >>
>>>>                 >>
>>>>                 >>     Again the way I read it this kills pure IPv6 transit for SRv6 packets. Why ?
>>>>                 >>
>>>>                 >>     (Well I know the answer to "why" from our endless discussions about SRv6 itself and network programming however I still see no need to mandate in any spec to treat SRv6 packets as unwanted/forbidden for pure IPv6 transit.)
>>>>                 >>
>>>>                 >>     Thx,
>>>>                 >>     R.
>>>>                 >
>>>>                 >
>>>>                 > --------------------------------------------------------------------
>>>>                 > IETF IPv6 working group mailing list
>>>>                 > ipv6@ietf.org <mailto:ipv6@ietf.org>
>>>>                 > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
>>>>                 > --------------------------------------------------------------------
>>>>
>>     --------------------------------------------------------------------
>>     IETF IPv6 working group mailing list
>>     ipv6@ietf.org <mailto:ipv6@ietf.org>
>>     Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
>>     --------------------------------------------------------------------
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email