IETF Logo Mail Archive

Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Joel Halpern <jmh.direct@joelhalpern.com> Mon, 10 October 2022 14:03 UTC

Return-Path: <jmh.direct@joelhalpern.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E49CC14CF0B; Mon, 10 Oct 2022 07:03:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.808
X-Spam-Level:
X-Spam-Status: No, score=-2.808 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hwOiIQw7C9E; Mon, 10 Oct 2022 07:03:17 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F33BC1524A0; Mon, 10 Oct 2022 07:03:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 4MmLGq3qmCz1pW9w; Mon, 10 Oct 2022 07:03:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1665410595; bh=8MRm54XRWToSIo/T82cjnAkrRJw9P4WqP743nHaVZcA=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=GAme1StFW4Qh28IIjB01vdZ5zsRQxgo4+c1JBqvxLWoWu3dStxt46ZVdgEu9DsfL7 A4WiqXcUJhFuvnhyJT7ZxF6RVZei1R8EYAm7srdquEFsPIjWW193yZ1LWMqMkHfu6X 9ffbzZy31XSD4eaoYw/eS1OQOGNr5kuLPNYecddI=
X-Quarantine-ID: <zFDfHwEg4tUl>
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from [192.168.23.73] (unknown [50.233.136.230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 4MmLGp4DDSz1pHXG; Mon, 10 Oct 2022 07:03:14 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------qMocg0Ruq7jmQnLceBGGrQhu"
Message-ID: <0d911d38-b939-692a-9b8b-24ff752672bc@joelhalpern.com>
Date: Mon, 10 Oct 2022 10:03:12 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.3.1
Content-Language: en-US
To: Robert Raszuk <robert@raszuk.net>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
References: <CAFU7BARixwPZTrNQOuEw3WP-FqUsVwTj7btMTahcMbXm_NqWGw@mail.gmail.com> <58E77509-A1A1-4CE8-9EE4-22BEEEA8B62E@gmail.com> <98a941e4-0fff-ced1-d4ca-4406368eac31@joelhalpern.com> <4DC495DF-AD6B-4D60-80C4-B836DD365A0C@gmail.com> <CAOj+MMEx7+jWN1yC=81dMwo5GmqbhyHqOZr9W2_qzN9BNjs+Zw@mail.gmail.com> <ab55e9c0-60b9-2986-07f1-38c28852009e@joelhalpern.com> <CAOj+MMEn6Dz-Rz0PRRvR8VXT8idAQm+rLuouWJoNz-dA+kRkJQ@mail.gmail.com> <1fe2d387-8ecc-5240-092c-84a5978af5e4@gmail.com> <CAOj+MME6Nb3MLQCiGQ5S06Cwj6d3Z+aoSpxwFdtoFaV-yPPuJQ@mail.gmail.com> <e65772a1-bc86-c59c-e99f-7cabf92f28a4@joelhalpern.com> <183BB8B9-A338-4136-8546-7C7858B4D4E4@cisco.com> <35484ed3-509a-39ba-6a16-8f2bf807f4f2@joelhalpern.com> <BAAD744A-2AD2-4498-90EC-9C9A184E0A8A@cisco.com> <CAOj+MMGjTa+zwRHnRWWu-+bRZd83vo4xz22XuRK+7TJ5A81DQQ@mail.gmail.com> <a10a6d8c-ef59-398b-1b53-dc3e688c16b0@joelhalpern.com> <CAOj+MMFGRjevpYLGxwiRs1GP-yN8eAxE6a7JKxuhbsYrJgUyLA@mail.gmail.com>
From: Joel Halpern <jmh.direct@joelhalpern.com>
In-Reply-To: <CAOj+MMFGRjevpYLGxwiRs1GP-yN8eAxE6a7JKxuhbsYrJgUyLA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/nF9swobI3tgBGDN1xhJHjhTzm5k>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 14:03:21 -0000

SRH was explicitly defined for use in limited domains.   That is why I 
think dropping it is acceptable.  Certainly not required, but 
permitted.  The closest equivalent is NSH, which is also defined for 
limited domains.  In my personal opinion (not speaking for the SFC 
working group) I think it would be legitimate for a domain, particularly 
one that is using NSH, to drop packets where the IP carried protocol is 
NSH.  (I would prefer that they block only packets to their domain with 
carried protocol of NSH, but that is up to the operator.)

You have said that you consider the limited domain requirement to be 
wrong and irrelevant.  Whether you agree with it or not, it is in the 
RFC.  Operators may reasonably act on that.

Yours,

Joel

On 10/10/2022 9:59 AM, Robert Raszuk wrote:
> >  it seems acceptable to block all packets with SRH
>
> And such statements you are making are exactly my point.
>
> Just curious - Is there any other extension header type subject to 
> being a good enough reason to drop packets at any transit node in IPv6 ?
>
> Thx,
> R.
>
> On Mon, Oct 10, 2022 at 3:53 PM Joel Halpern 
> <jmh.direct@joelhalpern.com> wrote:
>
>     Protection from leaking inwards is required by the RFCs as far as
>     I know.
>
>     Note that there are multiple ways to apply such protection.  It is
>     sufficient for the domain only to block packets addressed to its
>     own SID prefixes.  If the domain is using SRv6 without compression
>     or reduction, it seems acceptable to block all packets with SRH.
>     After all, they should not be occurring.  But we do not tell
>     operators how to perform the filtering.  It is up to them what
>     they do.
>
>     Yours,
>
>     Joel
>

v2.23.0 | Report a Bug | By Email