IETF Logo Mail Archive

Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Robert Raszuk <robert@raszuk.net> Sun, 09 October 2022 16:15 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80643C1522A3 for <spring@ietfa.amsl.com>; Sun, 9 Oct 2022 09:15:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BgEYBq59eJNI for <spring@ietfa.amsl.com>; Sun, 9 Oct 2022 09:15:07 -0700 (PDT)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25363C14F749 for <spring@ietf.org>; Sun, 9 Oct 2022 09:15:06 -0700 (PDT)
Received: by mail-wm1-x336.google.com with SMTP id l8so5563388wmi.2 for <spring@ietf.org>; Sun, 09 Oct 2022 09:15:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=cSHnIzHcUxV2jUiROKMHHkDVFVYjrihEU/bmfn/3GTc=; b=Ws7hR/tJZ7uvMrFFXo9zxfR+Soac/yYxchrRqwrv7o6ZNo9sId/DYhWO7s6vWvgyU/ kBwyHwF+HKzIOj8ry9T92QzRvw1ZHz1Kutk5Z4CIQjjgJw5OtUE2KoJAdr2hhnigf5vf AiT0yU2IQ0M45E1HcQZ07JFrtCtmT5HTr0V5FVi2b5+kdf0B5LD5rp7LBy4QTjqMZI/u APMHhUsVZpHmEFjU8FHof27Fh6NSOIAz023DwVR5wd3+5uolLL8O9SswPYkoy9GeMdbm DcNffgGphcbWvg4VHHipJiy5j7Pw6hT+dqZd073J3e4aKNjn8bqsvqeHwY/QYziSa01U ubBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=cSHnIzHcUxV2jUiROKMHHkDVFVYjrihEU/bmfn/3GTc=; b=a2xcZAX5Lh9C91IcSqupXPqMVxPRKQoDKbQLrfnlckt90iZpOZhTwwuwrbpWIlLA4N II7xrHpX1P1Iwk+bZCeXx27747jMl4crejm+V/moJNa4axqdxnNmF/NoY99ODym5Pbn5 BCXm6NV0wv7tgSClIaamdzB9lPdyIedjAoYN12aw/l7fXFitsJYqjHB2TeiEHmnkZgrW +JNinndsvZ3K2I1PoIc8cnsooEu70ehLHebnY45vwnGgeqZGDnFclRIYxdkWWMUMihXr VmDPfz5cSOIF48VVQlCIA/Xbl2rjppD+5Y6eRaEbGw8SwzRTGjOn/TOWrcfDIK4Iq+lD F+iw==
X-Gm-Message-State: ACrzQf0qEWzvPHj1yPJA/gM+HS/xpZlPpptjhtaDWM5g+wg+BHFMd3CL IBwodsj8v4rY7hPnrkpqt3am9zYv0ALE2BYvEDljoA==
X-Google-Smtp-Source: AMsMyM4v2BXvVNuv++hPQqIWRNgeVqS27dhyUJvVezM6ZLtflm55jWMtvb/iCb/cTacQEjzqb+BKSI+kQ/d9wgyr84g=
X-Received: by 2002:a05:600c:3844:b0:3b4:becc:e43 with SMTP id s4-20020a05600c384400b003b4becc0e43mr17069868wmr.33.1665332104555; Sun, 09 Oct 2022 09:15:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAFU7BARixwPZTrNQOuEw3WP-FqUsVwTj7btMTahcMbXm_NqWGw@mail.gmail.com> <CAB75xn4+N31=ggO03AAQJANv7RgHaC1eNGXRUQ9B20rLK+nJyg@mail.gmail.com> <E77D8982-11E9-45F9-81BF-3CA1E1F6B745@gmail.com> <CAB75xn4Zme4KOjPuY1_-4jCKTk1jshbq8X645zXhYQLiKB+N9g@mail.gmail.com> <54A38015-95AD-41F0-8E9D-76B3E62AA55B@gmail.com> <bdd7bf12-f712-3fe5-2698-9272c16ddded@joelhalpern.com> <58E77509-A1A1-4CE8-9EE4-22BEEEA8B62E@gmail.com> <98a941e4-0fff-ced1-d4ca-4406368eac31@joelhalpern.com> <4DC495DF-AD6B-4D60-80C4-B836DD365A0C@gmail.com> <CAOj+MMEx7+jWN1yC=81dMwo5GmqbhyHqOZr9W2_qzN9BNjs+Zw@mail.gmail.com> <ab55e9c0-60b9-2986-07f1-38c28852009e@joelhalpern.com> <CAOj+MMEn6Dz-Rz0PRRvR8VXT8idAQm+rLuouWJoNz-dA+kRkJQ@mail.gmail.com> <1fe2d387-8ecc-5240-092c-84a5978af5e4@gmail.com> <CAOj+MME6Nb3MLQCiGQ5S06Cwj6d3Z+aoSpxwFdtoFaV-yPPuJQ@mail.gmail.com> <e65772a1-bc86-c59c-e99f-7cabf92f28a4@joelhalpern.com> <CAOj+MMF-dWpdLwQjc611Uv6s_0jaexvvRNmiMbkqxwjAfqwHbw@mail.gmail.com> <e894c1bd-1474-f732-9d39-50e9d48e1d6d@joelhalpern.com> <CAOj+MME8Ca=ANegECKvDeDH22zwZxL5OQKjrvWVg42OZNaMrXQ@mail.gmail.com> <EF93A54E-0DB4-48F9-B210-15FE3AF82B0F@gmail.com>
In-Reply-To: <EF93A54E-0DB4-48F9-B210-15FE3AF82B0F@gmail.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Sun, 09 Oct 2022 18:15:43 +0200
Message-ID: <CAOj+MMEqyWaLq=D0SLPeGhRzFYi6w0p53UdqKxSgaxqJwDPvmw@mail.gmail.com>
To: Suresh Krishnan <suresh.krishnan@gmail.com>
Cc: 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008685e105ea9c5891"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/jX_KXUyyqq7K_lKlzflu0bnGTdI>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Oct 2022 16:15:11 -0000

Hi Suresh,

> One thing that is for certain is that this draft (draft-ietf-6man-sids)
does not specify any
> restrictions or provide any recommendations on filtering if this
allocated prefix is not used

OK many thx for this clarification I was not clear on this hence comments
made. In general I would consider such a block to be part of my infra and
naturally do filter on ingress.

However one point still remains unclear. What if a distributed domain
interconnected over the Internet is using a mix of these new allocated
prefixes within each site and publicly routable IPv6 addressing to jump
between sites within SRH ?

Then still blind filtering based on SRH presence would be a bad thing.

Not sure if this could be reflected in the document with a bit more
precision ...

Cheers,
R.

On Sun, Oct 9, 2022 at 6:01 PM Suresh Krishnan <suresh.krishnan@gmail.com>
wrote:

> Hi Robert,
>   Thanks for your further clarifications on the topic. I think I do
> understand your concern now based on your discussions with Joel and Brian.
> If I understand it correctly, the concern exists whether or not someone is
> using their own allocated address block or if they use the prefix allocated
> in this draft (Please correct me if this is not right). One thing that is
> for certain is that this draft (draft-ietf-6man-sids) does not specify any
> restrictions or provide any recommendations on filtering if this allocated
> prefix is not used, and that would be covered by what Section 5.1 of
> RFC8754 states.
>
> The generic concern you mentioned is something that needs to be discussed
> in the scope of the operational guidelines draft. I certainly do see this
> as a polarizing topic between the transit operators who would carry SR
> traffic and those who do not wish to do so and as you say below we can only
> provide recommendations.
>
> Regards
> Suresh
>
> On Oct 9, 2022, at 11:42 AM, Robert Raszuk <robert@raszuk.net> wrote:
>
> Joel,
>
> > You can't tell a packet validly from another piece of your domain from a
> packet being
> > sourced by an attacker and spoofing its source address.
>
> Please rest assured that it is way easier to filter unplanned actions
> carried in SRH inserted by an attacker than to protect all end systems from
> globally reachable IPv6 destinations.
>
> So the former is a "bad idea" and the latter great one ... very
> interesting observation.
>
> Nevertheless it is great that all you can do is to write an operational
> recommendation. What will be actually done in the production networks is
> beyond your control.
>
> Cheers,
> R.
>
> On Sun, Oct 9, 2022 at 5:26 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>
>> It is accurate that transits that do not use SRH do not need to worry
>> about SRH.  And arguably, even those that do use SRH do not need to worry
>> about SIDs not in their usage ranges.  Getting that right is non-trivial,
>> but...
>>
>> The point in this particular case is that connecting pieces of your
>> domain in the clear over the Internet puts you at significant risk.  You
>> can't tell a packet validly from another piece of your domain from a packet
>> being sourced by an attacker and spoofing its source address.  So if you
>> deploy the use case you have described, that causes you to object to other
>> folks filtering SRH, you are doing something that the IETF has good reason
>> to say is a bad idea.
>>
>> So folks who filter the SRH, even if you do not like it, are doing what
>> we told them to do.  SRv6 was approved only for limited domains.
>>
>> While you have said you do not like limited domains, and there is a lot
>> of ambiguity and bending of rules around such things, it does seem
>> appropraite and legitimate for us to write in restrictions based on that
>> property that the RFCs require.
>>
>> Yours,
>>
>> Joel
>> On 10/9/2022 10:49 AM, Robert Raszuk wrote:
>>
>> Joel,
>>
>> > it turns SRH into a powerful attack vector
>>
>> Really ?
>>
>> How is this possible if IPv6 destination address of the packet does not
>> belong to the block of locally allocated range used as ASN's infra subnet ?
>> I am talking about a pure IPv6 transit case.
>>
>> Isn't this the case that SRH should be examined by the node listed in the
>> destination address of the packet ?
>>
>> And of course it is common and very good practice to filter any external
>> attempt to reach my own address blocks use for management and node
>> configuration. But this is way more granular then to say kill all packets
>> entering my network which have SRH.
>>
>> Thx,
>> R.
>>
>> On Sun, Oct 9, 2022 at 4:37 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>>
>>> We require, per the RFC, blocking SRH outside of the limited domain for
>>> many reasons.
>>>
>>> One example is that it turns SRH into a powerful attack vector, given
>>> that source address spoofing means there is little way to tell whether an
>>> unencapsulated packet actually came from another piece of the same domain.
>>>
>>> So yes, I think making this restriction clear in this RFC is important
>>> and useful.
>>>
>>> Yours,
>>>
>>> Joel
>>> On 10/8/2022 5:07 PM, Robert Raszuk wrote:
>>>
>>> Hi Brian,
>>>
>>> Completely agree.
>>>
>>> One thing is not to guarantee anything in respect to forwarding IPv6
>>> packets with SRH (or any other extension header) and the other thing is to
>>> on purpose recommending killing it at interdomain boundary as some sort of
>>> evil.
>>>
>>> Cheers,
>>> R.
>>>
>>>
>>>
>>> On Sat, Oct 8, 2022 at 9:51 PM Brian E Carpenter <
>>> brian.e.carpenter@gmail.com> wrote:
>>>
>>>> Robert,
>>>>
>>>> > If there is any spec which mandates that someone will drop my IPv6
>>>> packets only because they contain SRH in the IPv6 header I consider this an
>>>> evil and unjustified action.
>>>>
>>>> The Internet is more or less opaque to most extension headers,
>>>> especially to recently defined ones, so I don't hold out much hope for SRH
>>>> outside SR domains.
>>>>
>>>> https://www.rfc-editor.org/rfc/rfc9098.html
>>>> https://datatracker.ietf.org/doc/html/draft-elkins-v6ops-eh-deepdive-fw
>>>>
>>>> Regards
>>>>     Brian Carpenter
>>>>
>>>> On 09-Oct-22 07:52, Robert Raszuk wrote:
>>>> > Hi Joel,
>>>> >
>>>> > I was hoping this is apparent so let me restate that I do not buy
>>>> into "limited domain" business for SRv6.
>>>> >
>>>> > I have N sites connected over v6 Internet. I want to send IPv6
>>>> packets between my "distributed globally limited domain" without yet one
>>>> more encap.
>>>> >
>>>> > If there is any spec which mandates that someone will drop my IPv6
>>>> packets only because they contain SRH in the IPv6 header I consider this an
>>>> evil and unjustified action.
>>>> >
>>>> > Kind regards,
>>>> > Robert
>>>> >
>>>> > On Sat, Oct 8, 2022 at 7:40 PM Joel Halpern <jmh@joelhalpern.com
>>>> <mailto:jmh@joelhalpern.com>> wrote:
>>>> >
>>>> >     Robert, I am having trouble understanding your email.
>>>> >
>>>> >     1) A Domain would only filter the allocated SIDs plus what it
>>>> chooses to use for SRv6.
>>>> >
>>>> >     2) Whatever it a domain filters should be irrelevant to any other
>>>> domain, since by definition SRv6 is for use only within a limited domain.
>>>> So as far as I can see there is no way a domain can apply incorrect
>>>> filtering.
>>>> >
>>>> >     Yours,
>>>> >
>>>> >     Joel
>>>> >
>>>> >     On 10/8/2022 3:16 AM, Robert Raszuk wrote:
>>>> >>     Hi Suresh,
>>>> >>
>>>> >>         NEW:
>>>> >>         In case the deployments do not use this allocated prefix
>>>> additional care needs to be exercised at network ingress and egress points
>>>> so that SRv6 packets do not leak out of SR domains and they do not
>>>> accidentally enter SR unaware domains.
>>>> >>
>>>> >>
>>>> >>     IMO this is too broad. I would say that such ingress filtering
>>>> could/should happen only if dst or locator is within locally
>>>> configured/allocated prefixes. Otherwise it is pure IPv6 transit and I see
>>>> no harm not to allow it.
>>>> >>
>>>> >>         Similarly as stated in Section 5.1 of RFC8754 packets
>>>> entering an SR domain from the outside need to be configured to filter out
>>>> the selected prefix if it is different from the prefix allocated here.
>>>> >>
>>>> >>
>>>> >>     Again the way I read it this kills pure IPv6 transit for SRv6
>>>> packets. Why ?
>>>> >>
>>>> >>     (Well I know the answer to "why" from our endless discussions
>>>> about SRv6 itself and network programming however I still see no need to
>>>> mandate in any spec to treat SRv6 packets as unwanted/forbidden for pure
>>>> IPv6 transit.)
>>>> >>
>>>> >>     Thx,
>>>> >>     R.
>>>> >
>>>> >
>>>> > --------------------------------------------------------------------
>>>> > IETF IPv6 working group mailing list
>>>> > ipv6@ietf.org
>>>> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> > --------------------------------------------------------------------
>>>>
>>> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
>
>

v2.23.0 | Report a Bug | By Email