IETF Logo Mail Archive

Re: [spring] PSP and a logical application of RFC8200

"Pablo Camarillo (pcamaril)" <pcamaril@cisco.com> Tue, 03 March 2020 20:37 UTC

Return-Path: <pcamaril@cisco.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F2B63A0912; Tue, 3 Mar 2020 12:37:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.599
X-Spam-Level:
X-Spam-Status: No, score=-9.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=XH9OO6Wh; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=hGffN+tb
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E324ccfY8z63; Tue, 3 Mar 2020 12:37:40 -0800 (PST)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D08D23A090B; Tue, 3 Mar 2020 12:37:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=73235; q=dns/txt; s=iport; t=1583267859; x=1584477459; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=JW6JUCcygezN+pXKYTNNvw1Lf/c5TnamsCCdDZwEtT4=; b=XH9OO6WhK7ZwYfW3iE06F7wF1IbGqwWMFBYwOw+IqVLyrZZxnWgbXzJn R9K9mict8Dwqdg0TAI8tzGHosOJ4izt9rug3FqtxeK9kO6lT7F/IWRnrJ Yp0YpT23owxSlSeM8/ig0NWdnl7C743KmcmlJPwRnARpD+NTkaZ9VjVUD Y=;
IronPort-PHdr: 9a23:8Qi8Nx8ZZxUszP9uRHGN82YQeigqvan1NQcJ650hzqhDabmn44+8ZR7E/fs4iljPUM2b8P9Ch+fM+4HYEW0bqdfk0jgZdYBUERoMiMEYhQslVdaOAEjyNv/uRyc7B89FElRi+iLzPA==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BbAQDnvl5e/49dJa1bChoBAQEBAQEBAQEDAQEBAREBAQECAgEBAQGBe4ElL1AFbFggBAsqCoQKg0YDimeCOiWBAYhijjKBQoEQA1AECQEBAQwBARgBCgoCBAEBhEACF4FlJDgTAgMNAQEFAQEBAgEFBG2FVgyFYwEBAQECAQEBEAgJHQEBLAsBBAcEAgEIEQMBAhYLAQYDAgICHwYLFAkIAgQBDQUigwQBgX1NAw4gAQ6iPwKBOYhidYEygn8BAQWBLwGDYg0LggwDBoE4jCUagUE/gREnDBSCGDU+gQSBF0kBAQKBHA4EAQcLAQchGRYCB4JSMoIsjU0IHAeCboVwJIlnjntECoI8h1KKXoQ2FQeCSYgfkEmOcoFNhy+CL5AgAgQCBAUCDgEBBYFpImdxcBU7KgGCDQEBMlAYDY4dDAwLg1CFFIVBdAKBJ4x8gTMBMF8BAQ
X-IronPort-AV: E=Sophos;i="5.70,511,1574121600"; d="scan'208,217";a="441453796"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 03 Mar 2020 20:37:37 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id 023KbbWI029609 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 3 Mar 2020 20:37:37 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 3 Mar 2020 14:37:37 -0600
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 3 Mar 2020 14:37:36 -0600
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 3 Mar 2020 15:37:36 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NzRy7osRpfn96VHBqSY4GU564AykQV8Sz8UbAFK/ORYaG+t/zrIhVwxua/sOjVThYJUAuTjHSkYkRuKOvcV7Vr8Qp8DrfmHjJgU3ViIFbiyu8MoTPSlHRFZuFbSV8b1OZxRw+nfFG8eFqCFyf0+wp4dIDqPtFk5xpCpwdR3UxXkhItQx2yuV/e5+UerX/fzkvrlMDu781x9fHldjyoHnHrVVCGUT1J8ngN7y1BRj/EoPThG08ucZ3z0pYkh8hLDomEXlKtuVXIXJf1Rkkh7cVFBSP0Lw+Out8BRoTNVZKHVefm4LXwLDsUsiCGGMqI4jxHyZTn+Ds2hQbQ1bboPYmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=JW6JUCcygezN+pXKYTNNvw1Lf/c5TnamsCCdDZwEtT4=; b=f3LcHhJQ6lEhOsjOa0BpIK7Xhg5jZzkStPpVt3tHRgiBfRZQiOeEtq0TU1j7HkQqsOUTAo3xlVzvQku6jHsk9uBcqPV1Mt4O5qYFiYBo0CNc/JZPuuXHX2MdFgrM43f84v0TFsKxZs5Ho8dMTUR6PCb/qrWMVpiEu8oWKpaGu1LRdDBS/tp858jCBP1xylWyIFrDUJoLG5d103tSJfDfLYktEAWBZNxC+iddmnm2YomYYd63it7/jDWnh8nRdM5pPLpO8wHByY4CPCKW8DrRbN7rG+BOhXI0HpFO/TiJT+HrCclQrwGuWAV1ncTd2DCkZfzRuB8FKxBHjnUxm38NwA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JW6JUCcygezN+pXKYTNNvw1Lf/c5TnamsCCdDZwEtT4=; b=hGffN+tbnepcei3LL7S5WuxSMdrk9kCcgghbQLIbRjwK6Z7e0nXCIQ4FnZCelQu1dLXmiXZpg0w6nBQNsj/HSMePfx0RkfH40P7rMuoprnXwX/ena3AF6Xm+4AZDnsmfrNvjUEySxKX3ntUcjDVSo69COFONIcrclEYvctI1EC0=
Received: from MWHPR11MB1374.namprd11.prod.outlook.com (2603:10b6:300:24::8) by MWHPR11MB1935.namprd11.prod.outlook.com (2603:10b6:300:10c::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.18; Tue, 3 Mar 2020 20:37:34 +0000
Received: from MWHPR11MB1374.namprd11.prod.outlook.com ([fe80::e481:a191:e31:f948]) by MWHPR11MB1374.namprd11.prod.outlook.com ([fe80::e481:a191:e31:f948%12]) with mapi id 15.20.2772.019; Tue, 3 Mar 2020 20:37:34 +0000
From: "Pablo Camarillo (pcamaril)" <pcamaril@cisco.com>
To: "bruno.decraene@orange.com" <bruno.decraene@orange.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: "Darren Dukes (ddukes)" <ddukes@cisco.com>, 6man WG <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
Thread-Topic: PSP and a logical application of RFC8200
Thread-Index: AQHV8KJBHQV7i2M+30qDa3hDw/FBnKg1sb8AgAAY3YCAACbPgIABAuaAgAByT4A=
Date: Tue, 03 Mar 2020 20:37:34 +0000
Message-ID: <E6BE5ABD-FEE7-4814-A2E2-9CF7C343F40D@cisco.com>
References: <39544C17-1AD0-412E-A8BD-E17376537FCF@cisco.com> <bf9d68e6-cbae-2b19-11e0-1e452f0bf654@gmail.com> <FD806998-8218-4C70-B383-332C5F934A73@cisco.com> <176e9bbf-41c8-8e8a-f26e-e0de5d89735f@gmail.com> <23291_1583246906_5E5E6E3A_23291_112_19_53C29892C857584299CBF5D05346208A48DD7F0D@OPEXCAUBM43.corporate.adroot.infra.ftgroup>
In-Reply-To: <23291_1583246906_5E5E6E3A_23291_112_19_53C29892C857584299CBF5D05346208A48DD7F0D@OPEXCAUBM43.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.22.0.200209
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pcamaril@cisco.com;
x-originating-ip: [173.38.220.43]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3e3e88bb-df2e-4cff-eee4-08d7bfb2b400
x-ms-traffictypediagnostic: MWHPR11MB1935:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <MWHPR11MB1935A952DDEE881DA00ACC96C9E40@MWHPR11MB1935.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03319F6FEF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(366004)(346002)(396003)(376002)(136003)(189003)(199004)(4326008)(30864003)(81166006)(91956017)(8676002)(76116006)(81156014)(5660300002)(26005)(6486002)(86362001)(186003)(36756003)(316002)(71200400001)(6506007)(64756008)(66476007)(478600001)(66446008)(66556008)(2906002)(53546011)(33656002)(6512007)(2616005)(54906003)(66946007)(966005)(8936002)(110136005); DIR:OUT; SFP:1101; SCL:1; SRVR:MWHPR11MB1935; H:MWHPR11MB1374.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +btLppX/m/WTjpJhnPthM7hNWZ0l8zvruFP1p6CAfj7GcfuyQddrXvlTzA7hqlQIS/bZcif0QjORJCMJSKJtbXMwZEJihMR1jWjNvV+N6eDjyrx7NoCe/skwn32JVrjv0VSxbuWDmz1hkN4QuT1Wen6LGWsO44Pc9PrKLTyIvMXRdhmOGGKGaWLVph7Gx4jjBeXzn6oBWlf5xlx8uHVVUlxuoxQIPuZNuumLcZZkb2VQ11ZdGQqy9nKHt7YjJxxEHWahjeHHBAtME+bYMwblikn6eOJbiy6EoI6xWyhjH2FYJ/moR8SCSBESmOms8bVEwserMQqIwD0+w4xkbAYRVmCxpVjQQF1fPKf4ok/gRBPF9CrvndV/qCpJbulnVsElWG+WpcvPHEDo3dH9b4zYWVNzMniROzImtMpSwDtZAbxyqOnyDkiiCB4QB/Srzhm7CGbPFuSu39vxxjkW3GLAvgLkWDgcImCeNIx8pxjUHhhCIkuQcFt/J4lQqAUsUY8DC6f/3bhIBN3XYHlJuytRig==
x-ms-exchange-antispam-messagedata: 0XE6u0CHKp0MRe0KgiwXjDMMSmT+IDIIbDnQnrhZfISsHjLra4OjNWZAsIgHjGHGDwTwaZQVfvn0xGmuwHL5gwEids+4vpyg/+oAikOIuv6hzHuUWTlhMDVqVPjim9h4VTveiwuUK9Y0mBW25UjGUw==
Content-Type: multipart/alternative; boundary="_000_E6BE5ABDFEE74814A2E29CF7C343F40Dciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 3e3e88bb-df2e-4cff-eee4-08d7bfb2b400
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Mar 2020 20:37:34.0888 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ON8ikSS86/Etk+ETBD1zid2TiHHFnwzHygr5IO1rNcQLrdJCluVLAV2hY6VQQrruuWIC9ECm6fjdy6xSw4ZhAQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1935
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.14, xch-aln-004.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/nrGKue-dQCD2N-Y22FEtAgsNMSk>
Subject: Re: [spring] PSP and a logical application of RFC8200
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2020 20:37:44 -0000

Brian, Bruno,



Many thanks for your comments.

Based on the feedback I would propose to add Brian's proposed text as is into the draft.



4.16.1.  PSP: Penultimate Segment Pop of the SRH



   SR Segment Endpoint Nodes advertise the SIDs instantiated on them via

   control plane protocols as described in Section 8.  Different

   behavior ids are allocated for flavored and unflavored SIDs [Table 4]

   such that an SR Source Node can identify PSP-flavored SIDs as such.



   The PSP flavor is specifically used by the Source SR Node when it

   needs to instruct the penultimate SR Segment Endpoint Node listed in

   the SRH to remove the SRH from the IPv6 header.



   SR Segment Endpoint Nodes receive the IPv6 packet with the

   Destination Address field of the IPv6 Header equal to its SID

   address.  A penultimate SR Segment Endpoint Node is one that, as part

   of the SID processing, copies the last SID from the SRH into the IPv6

   Destination Address and decrements Segments Left value from one to

   zero.



   The PSP operation only takes place at a penultimate SR Segment

   Endpoint Node and does not happen at any Transit Node.



   The SRH processing of the End, End.X and End.T behaviors are

   modified: after the instruction "S14.  Update IPv6 DA with Segment

   List[Segments Left]" is executed, the following instructions must be

   executed as well:



S14.1.   If (Segments Left == 0) {

S14.2.      Update the Next Header field in the preceding header to the

                Next Header value of the SRH

S14.3.      Decrease the IPv6 header Payload Length by the Hdr Ext Len

                value of the SRH

S14.4.      Remove the SRH from the IPv6 extension header chain

S14.5.   }



   The usage of PSP does not increase the MTU of the IPv6 packet and

   hence does not have any impact on the PMTU discovery mechanism.



   As a reminder, [I-D.ietf-6man-segment-routing-header] defines in

   section 5 the SR Deployment Model within the SR Domain [RFC8402].

   Within this framework, the Authentication Header (AH) is not used to

   secure the SRH as described in Section 7.5 of

   [I-D.ietf-6man-segment-routing-header].



<NEW>

This behavior does not contravene section 4 of [RFC8200]

because the current destination address of the incoming packet

is the address of the node executing the PSP behavior.

</NEW>



Additionally, please find some replies inline to the comments from Bruno [PC2].



Thanks,

Pablo.



-----Original Message-----

From: "bruno.decraene@orange.com" <bruno.decraene@orange.com>

Date: Tuesday, 3 March 2020 at 15:49

To: "Pablo Camarillo (pcamaril)" <pcamaril@cisco.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>

Cc: "Darren Dukes (ddukes)" <ddukes=40cisco.com@dmarc.ietf.org>, 6man WG <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>

Subject: RE: PSP and a logical application of RFC8200



    Pablo,



    My reading is that Brian is asking for a clarification of the text, not a change in the behavior.

    In general, I think that clarification is good and that Brian's request is reasonable.



    Related to Brian's comment, but on top of them, I have further points on this section 4.16.1:



    1)

    " S14.1.   If (Segments Left == 0) {"



    Although I agree that reading the whole pseudo code (split across the whole document) is self-descriptive, there is the opportunity for people to misread and confuse "Segment Left in the received packet" with "Updated Segment Left". I'd like to avoid misunderstanding similar to the ones in RFC 8200. Could you propose something? E.g.  :s/ Segments Left/ Updated Segments Left.



PC2: In previous versions of this document we used the term “updated SL”. As part of the WGLC we changed this text in December to “Segments Left” since it is the name of the field defined in the SRH. While I do find the “Updated Segments Left” easier to understand, the working group feedback wasn’t the same in December. Hence I would tend to keep it as is. But no strong preference on my side really.



    2)

    As a possible change to try to address Brian's comment

    OLD:

       The PSP operation only takes place at a penultimate SR Segment

       Endpoint Node and does not happen at any Transit Node.



    NEW:

       The PSP operation only takes place at a penultimate SR Segment

       Endpoint Node (where Segment Left == 1) and does not happen at any Transit Node.



PC2: Given the new text added, and given that we already have this, do we need it?

A penultimate SR Segment Endpoint Node is one that, as part

   of the SID processing, copies the last SID from the SRH into the IPv6

   Destination Address and decrements Segments Left value from one to

   zero.



    More inline



    > From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Brian E Carpenter

    >

    > On 03-Mar-20 09:02, Pablo Camarillo (pcamaril) wrote:

    > > Brian,

    > >

    > > The PSP pseudocode is presented as a modification to the End pseudocode starting at line S14 of such.

    > > Please go through the PSP pseudocode in conjunction with the End pseudocode (Section 4.1).

    > > You will see that the ingress state of the packet is (Segments Left == 1 and Destination Address == the PSP node's address).

    >

    > Exactly my point. With SL == 1, you are not at the ultimate destination, so according to what I'll call "Fernando's reading" of RFC8200, you are not entitled to delete the header. That is the point that IMHO needs to be stated explicitly in the draft. You are using "Darren's reading" of RFC8200.

    >

    > I really think you need to say so explicitly. Something like:

    >

    > Note: this behavior does not contravene section 4 of [RFC8200]

    > because the current destination address of the incoming packet

    > is the address of the node executing the PSP behavior.

    >

    > This will not change the argument, but it will make the issue clear so that we (the IETF) can decide whether to accept it or not. And that is orthogonal to whether RFC 8200 is wrong.



    3)

    Given that there is even heated discussions on the text/wording in RFC8200, I'm afraid that whatever text be inserted in draft-ietf-spring-srv6-network-programming would trigger controversy and that in the end be asked to be removed.

    However, I'm also in favor of making the issue clear.



    Brian, I would personally prefer to stick as close as possible to the text from RFC 8200, plus that we make clear that we are not changing it but only referring to. So I would propose something along the following:



                As indicated in RFC 8200 section 4, extension headers [...] are not [to be]

                   processed, inserted, or deleted by any node along a packet's delivery

                   path, until the packet reaches the node [...] identified in the Destination Address field

                   of the IPv6 header.



                The PSP behavior defined in this section specifies that, the node identified in the Destination Address field of the IPv6 header (as restricted by RFC 8200 section 4), when Segment Left is received as 1 and when specifically instructed by the source node, removes the SRH header.





    As a reminder, the text from RFC 8200 is

    "   Extension headers (except for the Hop-by-Hop Options header) are not

       processed, inserted, or deleted by any node along a packet's delivery

       path, until the packet reaches the node (or each of the set of nodes,

       in the case of multicast) identified in the Destination Address field

       of the IPv6 header."



    I believe that my proposed edits are clearly indicated by "[]" and helps the reader to focus on the relevant text. However, I'm also fine with copy pasting the text verbatim from RFC 8200.



    4) There is an interesting comment on the 6MAN WG https://mailarchive.ietf.org/arch/msg/ipv6/AJzOX97mUeHjEcDSIgpqUw8gNk0/

    Although not sent in the SPRING WG, and not mentioning to this document, I think that I should be taken into account.

    More specifically

    " IMHO, any specification breaking AH (e.g., by modifying the NextHeader in transport mode) should clearly note that it 'breaks AH' or constraints its use; but, this is still acceptable for an IETF standard specification IMHO to 'break AH'."



    I'd propose:

    OLD:

       As a reminder, [I-D.ietf-6man-segment-routing-header] defines in

       section 5 the SR Deployment Model within the SR Domain [RFC8402].

       Within this framework, the Authentication Header (AH) is not used to

       secure the SRH as described in Section 7.5 of

       [I-D.ietf-6man-segment-routing-header].



    NEW:

    Removing the SRH requires modifying the Next Header field which is defined as Immutable by RFC 4302.  As indicated in [I-D.ietf-6man-segment-routing-header], the use of RH with AH by an SR source node, and processing at a SR

       segment endpoint node is not defined in this document.  Future documents may define use of SRH with AH and its processing. Such future document needs to take into account that the use of PSP requires the Next Header field to not be Immutable.



PC2: Given the following text from RFC4301, and the quote above from the SRH, do we really need this?
   IPsec implementations MUST support ESP and MAY
   support AH. (Support for AH has been downgraded to MAY because
   experience has shown that there are very few contexts in which ESP
   cannot provide the requisite security services.  Note that ESP can be
   used to provide only integrity, without confidentiality, making it
   comparable to AH in most contexts.)







    Or whatever text indicating the issue.



    Regards,

    --Bruno



    >

    > Regards

        > Brian

    > >

    > > Many thanks,

    > > Pablo.

    > >

    > > -----Original Message-----

    > > From: ipv6 <ipv6-bounces@ietf.org> on behalf of Brian E Carpenter <brian.e.carpenter@gmail.com>

    > > Date: Monday, 2 March 2020 at 20:34

    > > To: "Darren Dukes (ddukes)" <ddukes=40cisco.com@dmarc.ietf.org>, 6man WG <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>

    > > Subject: Re: PSP and a logical application of RFC8200

    > >

    > >     Darren,

    > >

    > >     Regardless of whether you accept Fernando's comment about the intention of RFC 8200, there is also the fact that the description of the PSP flavor cheats by considering the packet to have

    > >      (Segments Left == 0 and Destination Address == the PSP node's address).

    > >     In fact that is *never* the state of the packet on the wire, which is either

    > >      (Segments Left == 1 and Destination Address == the PSP node's address)

    > >     or

    > >      (Segments Left == 0 and Destination Address == the final node's address)

    > >

    > >     OK, maybe it's not cheating, maybe it's only a side effect of the pseudocode, but the fact is that the test "S14.1.   If (Segments Left == 0) {" in section 4.16.1 is very confusing because it's applied to a packet that is half way through processing of the routing header (Segments Left has been updated, but Destination Address has not been updated). This makes it very unclear how the spec is claiming to interpret RFC 8200.

    > >

    > >     Regards

    > >        Brian Carpenter

    > >

    > >     On 03-Mar-20 03:52, Darren Dukes (ddukes) wrote:

    > >     > What follows has been made clear on the list for a while,

    > >     > I am re-stating it.

    > >     >

    > >     > The draft-ietf-spring-srv6-network-programming PSP behavior

    > >     > strictly follows the letter of RFC 8200.

    > >     >

    > >     >      RFC8200 section 4 says:

    > >     >

    > >     >      Extension headers (except for the Hop-by-Hop Options header) are not

    > >     >      *processed, inserted, or deleted* by any node along a packet's delivery

    > >     >      path, until the packet reaches *the node* (or each of the set of nodes,

    > >     >      in the case of multicast) *identified in the Destination Address field*

    > >     >     * of the IPv6 header.*

    > >     >

    > >     >

    > >     > The processing, insertion and deletion restrictions only apply

    > >     > “until the packet reaches the node identified in the Destination

    > >     > Address field of the IPv6 header”.

    > >     >

    > >     > At the penuptimate segment of the segment list, the endpoint IS

    > >     > “the node identified in the Destination Address field of the IPv6

    > >     > header” and hence the PSP operation programmed by the source SR

    > >     > node strictly follows the letter of RFC 8200.

    > >     >

    > >     >

    > >     > Thanks,

    > >     >   Darren

    > >     >

    > >     > --------------------------------------------------------------------

    > >     > IETF IPv6 working group mailing list

    > >     > ipv6@ietf.org

    > >     > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6

    > >     > --------------------------------------------------------------------

    > >     >

    > >

    > >     --------------------------------------------------------------------

    > >     IETF IPv6 working group mailing list

    > >     ipv6@ietf.org

    > >     Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6

    > >     --------------------------------------------------------------------

    > >

    > >

    >

    > --------------------------------------------------------------------

    > IETF IPv6 working group mailing list

    > ipv6@ietf.org

    > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6

    > --------------------------------------------------------------------



    _________________________________________________________________________________________________________________________



    Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

    pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

    a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

    Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



    This message and its attachments may contain confidential or privileged information that may be protected by law;

    they should not be distributed, used or copied without authorisation.

    If you have received this email in error, please notify the sender and delete this message and its attachments.

    As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

    Thank you.

v2.23.0 | Report a Bug | By Email