IETF Logo Mail Archive

Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 10 October 2022 00:40 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3694C14F733; Sun, 9 Oct 2022 17:40:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 79NG4zmVjt9k; Sun, 9 Oct 2022 17:40:43 -0700 (PDT)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C43DC14F72C; Sun, 9 Oct 2022 17:40:43 -0700 (PDT)
Received: by mail-pl1-x631.google.com with SMTP id b2so9045701plc.7; Sun, 09 Oct 2022 17:40:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=XG/kUCTjzeJvJMjADhXWWwXzaKmeyW01VaI+bsYOnNc=; b=EjMLNbLqfRP5Iv/p9/sOKnJPpE3C7lHUPnkrfyUWo0U+rdKdGFI43Yd93sX387n8Mf OmpmrMR7p8BvqJjbMhWL7CJ8myhbAn7vgv5luQzsSppbwJ99/h5XACDeGXrLgH7rd5Sw b49KUc+37Wst+C8jfIbrCNd4PkA8oKTLfoWVosvzFlRyQ8vUDiqsfUEijTq5KiJu6bF7 +aBrAh/CQFWmthlt2gO3/Q2wqpRkBjraW98cUbHJo+q9/kxcCctuQ8Zn0l6fTyTs2ZiM YzlMmNYJEnL4G6qOM/qO3sVnTuZJxSrGCxR58fw14vefphPVBz/XpHIAbxAm8dhMXqwY XKBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=XG/kUCTjzeJvJMjADhXWWwXzaKmeyW01VaI+bsYOnNc=; b=UoLUbltB4bGn4TKvPs/mjzREHB6fTIii0/noonlKM8vZ7iIr9USknyX2Sn0hrZUvEx iKfEsnSrccbkZsWvD4S9ffBMbHBOaqE0dtD7KS49n/MpPMHemDLYKl2PirgGcOKkawP4 Sa8lIuU1Ub/eJJPpCdIS4qD5ZBmn++YDLubEN0qovotKadzel04sqzFA7M93B/s2g4xZ b9dDsHOC4EECnX+0a7xchc+T0cowjuiKpwtl4+cmOx/N2AKnGHPTGBJDBHTlLpic3DU/ MPV4rS5XhN7jJdn870I0Z1Go14lJiwzpWkYELIngb7MD9TtbTF3NrrED/qW9pqA/0BB9 iZrQ==
X-Gm-Message-State: ACrzQf2Qe2sZA8hOoZYEWNtH3bSyJKKXQIdnZ77V7z6qlg2fkRagn/1r 60gKczHsvDeus0Dd3jZKA+w=
X-Google-Smtp-Source: AMsMyM7lq0id8J0fKFC51TcFZjizUXm7U4rNbCs10Adxgy58j0rVYyxNue9iiVm+F8+wUPQWztr1aA==
X-Received: by 2002:a17:90b:3b90:b0:202:8a60:c852 with SMTP id pc16-20020a17090b3b9000b002028a60c852mr17934717pjb.169.1665362442550; Sun, 09 Oct 2022 17:40:42 -0700 (PDT)
Received: from ?IPV6:2406:e003:1124:9301:80b2:5c79:2266:e431? ([2406:e003:1124:9301:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id 197-20020a6214ce000000b0055fe65e9203sm5574321pfu.0.2022.10.09.17.40.39 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 09 Oct 2022 17:40:41 -0700 (PDT)
Message-ID: <26327b32-54bf-c155-ebbb-b01eb11b79b5@gmail.com>
Date: Mon, 10 Oct 2022 13:40:36 +1300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Robert Raszuk <robert@raszuk.net>
Cc: Suresh Krishnan <suresh.krishnan@gmail.com>, 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
References: <CAFU7BARixwPZTrNQOuEw3WP-FqUsVwTj7btMTahcMbXm_NqWGw@mail.gmail.com> <98a941e4-0fff-ced1-d4ca-4406368eac31@joelhalpern.com> <4DC495DF-AD6B-4D60-80C4-B836DD365A0C@gmail.com> <CAOj+MMEx7+jWN1yC=81dMwo5GmqbhyHqOZr9W2_qzN9BNjs+Zw@mail.gmail.com> <ab55e9c0-60b9-2986-07f1-38c28852009e@joelhalpern.com> <CAOj+MMEn6Dz-Rz0PRRvR8VXT8idAQm+rLuouWJoNz-dA+kRkJQ@mail.gmail.com> <1fe2d387-8ecc-5240-092c-84a5978af5e4@gmail.com> <CAOj+MME6Nb3MLQCiGQ5S06Cwj6d3Z+aoSpxwFdtoFaV-yPPuJQ@mail.gmail.com> <e65772a1-bc86-c59c-e99f-7cabf92f28a4@joelhalpern.com> <CAOj+MMF-dWpdLwQjc611Uv6s_0jaexvvRNmiMbkqxwjAfqwHbw@mail.gmail.com> <e894c1bd-1474-f732-9d39-50e9d48e1d6d@joelhalpern.com> <CAOj+MME8Ca=ANegECKvDeDH22zwZxL5OQKjrvWVg42OZNaMrXQ@mail.gmail.com> <EF93A54E-0DB4-48F9-B210-15FE3AF82B0F@gmail.com> <CAOj+MMEqyWaLq=D0SLPeGhRzFYi6w0p53UdqKxSgaxqJwDPvmw@mail.gmail.com> <77e0b05f-e23d-65d6-6f81-99303d1e1bda@gmail.com> <CAOj+MMEwHam3ST0gt8OzachoPm5oS1iCS+TGMLnGKwR8jBdJwg@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <CAOj+MMEwHam3ST0gt8OzachoPm5oS1iCS+TGMLnGKwR8jBdJwg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/kTLg93l1J227KoJbLujgzqrhJhM>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 00:40:43 -0000

On 10-Oct-22 11:49, Robert Raszuk wrote:
> Hi Brian,
> 
>     Easily avoided by another layer of encapsulation, surely? Personally I would want to do that, and to use an encrypted encapsulation, to make sure that the SR domain is not penetrated.
> 
> 
> I am not even sure what you call SR domain ... In the old days, slides showed the domain as a little cloud or circle. Well times have changed.

What I call an SR domain is defined in RFC8402:

   "Segment Routing domain (SR domain): the set of nodes participating in
    the source-based routing model.  These nodes may be connected to the
    same physical infrastructure (e.g., a Service Provider's network).
    They may as well be remotely connected to each other (e.g., an
    enterprise VPN or an overlay)."
  
> Today your domain may be using AWS internal links for interconnect shared with other users. Is this still limited domain buzz ?

Yes, according to the way we defined it in RFC8799 (which is not an IETF document):

"In other cases, it may refer to a defined set of users or nodes distributed over a much wider area, but drawn together by a single virtual network over the Internet, or a single physical network running in parallel with the Internet."

> Then we have a concept of DMZs. Are those part of a limited domain or not ? Note that DMZs are usually open to the Internet (perhaps with few ACls protection and often IPS systems).

In other words, they are not completely open. We didn't cite them in RFC8799, but they are a pretty good example. They are a bit complicated, because the trust models are different at the boundary between the DMZ and the Internet, and at the boundary between the DMZ and the inner enterprise or DC network.

> 
> Life is not as simple as RFCs to say "limited domain" and move on when you are dealing with Internet accepted ethertype.

Nobody said it was simple. In my view the IETF has largely ignored this issue, because it goes against the naive view of "end to end". That's why RFC8799 is not an IETF document, but is cited in ~35 IETF drafts.

     Brian

> 
>     It doesn't, IMHO, belong in this draft. It really looks like an update to 8402: how to build a distributed SR domain.
> 
> 
> Well if you recall during those discussions I illustrated this use case. It was not taken into consideration.
> 
> And my overall point here - let's be a bit closer to reality. Sure some IETF WGs could work completely detached and produce RFCs which not many will follow - but is this really a good thing ?
> 
> Best,
> R.
>

v2.23.0 | Report a Bug | By Email