IETF Logo Mail Archive

Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Robert Raszuk <robert@raszuk.net> Mon, 10 October 2022 13:50 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 102EEC14F73D for <spring@ietfa.amsl.com>; Mon, 10 Oct 2022 06:50:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UvF4Ks0IX2QM for <spring@ietfa.amsl.com>; Mon, 10 Oct 2022 06:50:21 -0700 (PDT)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F303C1524A8 for <spring@ietf.org>; Mon, 10 Oct 2022 06:49:57 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id n16-20020a05600c4f9000b003c17bf8ddecso4918289wmq.0 for <spring@ietf.org>; Mon, 10 Oct 2022 06:49:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fcsqWV+kInIsLWaDD28RwN3/QgMZucEKBOM1cagsdew=; b=NNeR40j3nCvJgTK44dyEF1HkeQwftcLNlD4M8O6jdoINdNYD8X65oAChP4/FjAf+od toTHlSweNQNPxw042UXDvLIRlHT3kiwYyByXH50YiVafgSsSXz8nf2M/3RMQHHHw6P9J 0erogm8UvO2eqGGaw2U1k5odG1nZBw5eFk7cFPD2wu75UJlI4FQGUcw0Se1cceIHH9HE bzG6v4NphH+G1Q1RQiYQYm7F3dLJE9keTA/wWNzcHchJ3u1t6avAjVxatIWCmuNlBI1F lUpqn7UP8ryWtpyHI4K7pOvdxxNfoUB9k+CfGIaIzcrj+sCFPzYLe/AGPfRmGvcsLxNI o24w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fcsqWV+kInIsLWaDD28RwN3/QgMZucEKBOM1cagsdew=; b=U+oi/nSoO+U+d7Pxhfh1xoky/GifXknqSJyK3OhOTutEIJqiuDbmJLEJ9fKhss9N6Z l9IQohAJp+ADJO1lgusO28qeedZ1Lqyf1fyS4htPJAZd9piYaVKpSLlVeicNoNW/6b5v yoig0IZ3x0mvg5aaivps4hl3n2Y5vXeaFCr6/iJAvp5cqk+rkIVJkdzCFH2/Kd6iXF4T 1tQPhqVa1vNsKMf0ihxpMwIgbSkDFuMHW2a9Arzs9CPSZ4FSz6o0kDfM/ufWIS+wJ0R1 OUytTtWQ2Fm4e5znfLlYwUE2eKxZGlzV/MyoxJqxzFqb6FJUQBLAvJa282OqGVsh6VuR dmxw==
X-Gm-Message-State: ACrzQf1+Fn1eWfsRMsktWLOk5ZJMtqkhBS33dcZdUW0c+7PVfiX9zyht WwBLIhAWn2dx4uRS/Ti13W8S4Igq7jOB6Og74tAF7w==
X-Google-Smtp-Source: AMsMyM7+wPETJg2vdTnYZJpjDZEZrIJx0mtfThrpfp70lZjyXfQGdN3D/ajJnlp4Mnm+nrbXaS6JGpbp3gwKSumfIX8=
X-Received: by 2002:a05:600c:2255:b0:3c4:6c57:3d19 with SMTP id a21-20020a05600c225500b003c46c573d19mr8514716wmm.92.1665409795557; Mon, 10 Oct 2022 06:49:55 -0700 (PDT)
MIME-Version: 1.0
References: <CAFU7BARixwPZTrNQOuEw3WP-FqUsVwTj7btMTahcMbXm_NqWGw@mail.gmail.com> <CAB75xn4+N31=ggO03AAQJANv7RgHaC1eNGXRUQ9B20rLK+nJyg@mail.gmail.com> <E77D8982-11E9-45F9-81BF-3CA1E1F6B745@gmail.com> <CAB75xn4Zme4KOjPuY1_-4jCKTk1jshbq8X645zXhYQLiKB+N9g@mail.gmail.com> <54A38015-95AD-41F0-8E9D-76B3E62AA55B@gmail.com> <bdd7bf12-f712-3fe5-2698-9272c16ddded@joelhalpern.com> <58E77509-A1A1-4CE8-9EE4-22BEEEA8B62E@gmail.com> <98a941e4-0fff-ced1-d4ca-4406368eac31@joelhalpern.com> <4DC495DF-AD6B-4D60-80C4-B836DD365A0C@gmail.com> <CAOj+MMEx7+jWN1yC=81dMwo5GmqbhyHqOZr9W2_qzN9BNjs+Zw@mail.gmail.com> <ab55e9c0-60b9-2986-07f1-38c28852009e@joelhalpern.com> <CAOj+MMEn6Dz-Rz0PRRvR8VXT8idAQm+rLuouWJoNz-dA+kRkJQ@mail.gmail.com> <1fe2d387-8ecc-5240-092c-84a5978af5e4@gmail.com> <CAOj+MME6Nb3MLQCiGQ5S06Cwj6d3Z+aoSpxwFdtoFaV-yPPuJQ@mail.gmail.com> <e65772a1-bc86-c59c-e99f-7cabf92f28a4@joelhalpern.com> <183BB8B9-A338-4136-8546-7C7858B4D4E4@cisco.com> <35484ed3-509a-39ba-6a16-8f2bf807f4f2@joelhalpern.com> <BAAD744A-2AD2-4498-90EC-9C9A184E0A8A@cisco.com>
In-Reply-To: <BAAD744A-2AD2-4498-90EC-9C9A184E0A8A@cisco.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Mon, 10 Oct 2022 15:49:43 +0200
Message-ID: <CAOj+MMGjTa+zwRHnRWWu-+bRZd83vo4xz22XuRK+7TJ5A81DQQ@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Cc: Joel Halpern <jmh@joelhalpern.com>, 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004520b605eaae6fac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/r7rNYhYnl8tWsEftlP1lQdmaKE8>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 13:50:27 -0000

All,

So protection not to leak outside the domain is all cool.

But we now see a notion of "leaking inwards" which is exactly my
observation .. as if applied by any transit will kill SRv6 "limited domain"
interconnect over Internet.

Best,
R.

On Mon, Oct 10, 2022 at 3:45 PM Eric Vyncke (evyncke) <evyncke@cisco.com>
wrote:

> Hi Joel,
>
>
>
> So, your sentence below "We require, per the RFC, blocking SRH outside of
> the limited domain for many reasons" was to be read as "do not leak SRH
> outside your own domain" ? If so, I guess we agree for 99%, the remaining
> 1% seems to be related to Robert's use case, which is valid in my mind. All
> in all, I really hope that IPv6 packets with extension headers could travel
> safely the global public Internet without being dropped, hence my original
> reply.
>
>
>
> And of course, this email and the previous one are written without any hat
> and are not related to Suresh's I-D.
>
>
>
> Regards
>
>
>
> -éric
>
>
>
>
>
> *From: *Joel Halpern <jmh@joelhalpern.com>
> *Date: *Monday, 10 October 2022 at 15:36
> *To: *Eric Vyncke <evyncke@cisco.com>, Robert Raszuk <robert@raszuk.net>
> *Cc: *6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
> *Subject: *Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
>
>
>
> Eric, you seem to be objecting to something I did not say.  I have not
> asked, and do not expect, for the document to mandate or even suggest that
> arbitrary domains should drop packets with SRH.  I will note that given
> that SRH is explicitly for limited domains, an operator who chooses to drop
> such packets is well within his rights.  And I am told there are such
> operators.  But that is not what I asked for this document.
>
> What I asked, and I believe Suresh has agreed to, and I beleive the WG
> supports, is that the document note that an operator using SRv6 who does
> not use the allocated SID, and block the allocated SID at his boundaries,
> has to be more careful to define his ingress and egress filters to comply
> with the existing RFCs which require that SRv6 not leak inwards or outwards.
>
> Robert objected to that requirement.  And propounde3d a use case that he
> says he needs.  I pointed out that the use case violates the RFC.  And then
> pointed out one of the many reasons why the IETF has put in the requirement
> which he wants to violate.
>
> Yours,
>
> Joel
>
> On 10/10/2022 5:57 AM, Eric Vyncke (evyncke) wrote:
>
> Hmmm I really wonder why a transit network should look into my packets (to
> check for SRH) and decide to drop my packets; assuming of course that my
> packets are not damaging the transit network (like some hop-by-hop years
> ago) or attempting to trick my network (anti-spoofing or using transit
> provider own SID -- both being layer-3 filters BTW).
>
>
>
> -éric
>
>
>
> *From: *ipv6 <ipv6-bounces@ietf.org> <ipv6-bounces@ietf.org> on behalf of
> Joel Halpern <jmh@joelhalpern.com> <jmh@joelhalpern.com>
> *Date: *Sunday, 9 October 2022 at 16:38
> *To: *Robert Raszuk <robert@raszuk.net> <robert@raszuk.net>
> *Cc: *6man <ipv6@ietf.org> <ipv6@ietf.org>, SPRING WG List
> <spring@ietf.org> <spring@ietf.org>
> *Subject: *Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
>
>
>
> We require, per the RFC, blocking SRH outside of the limited domain for
> many reasons.
>
> One example is that it turns SRH into a powerful attack vector, given that
> source address spoofing means there is little way to tell whether an
> unencapsulated packet actually came from another piece of the same domain.
>
> So yes, I think making this restriction clear in this RFC is important and
> useful.
>
> Yours,
>
> Joel
>
> On 10/8/2022 5:07 PM, Robert Raszuk wrote:
>
> Hi Brian,
>
>
>
> Completely agree.
>
>
>
> One thing is not to guarantee anything in respect to forwarding IPv6
> packets with SRH (or any other extension header) and the other thing is to
> on purpose recommending killing it at interdomain boundary as some sort of
> evil.
>
>
>
> Cheers,
>
> R.
>
>
>
>
>
>
>
> On Sat, Oct 8, 2022 at 9:51 PM Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
>
> Robert,
>
> > If there is any spec which mandates that someone will drop my IPv6
> packets only because they contain SRH in the IPv6 header I consider this an
> evil and unjustified action.
>
> The Internet is more or less opaque to most extension headers, especially
> to recently defined ones, so I don't hold out much hope for SRH outside SR
> domains.
>
> https://www.rfc-editor.org/rfc/rfc9098.html
> https://datatracker.ietf.org/doc/html/draft-elkins-v6ops-eh-deepdive-fw
>
> Regards
>     Brian Carpenter
>
> On 09-Oct-22 07:52, Robert Raszuk wrote:
> > Hi Joel,
> >
> > I was hoping this is apparent so let me restate that I do not buy into
> "limited domain" business for SRv6.
> >
> > I have N sites connected over v6 Internet. I want to send IPv6 packets
> between my "distributed globally limited domain" without yet one more encap.
> >
> > If there is any spec which mandates that someone will drop my IPv6
> packets only because they contain SRH in the IPv6 header I consider this an
> evil and unjustified action.
> >
> > Kind regards,
> > Robert
> >
> > On Sat, Oct 8, 2022 at 7:40 PM Joel Halpern <jmh@joelhalpern.com
> <mailto:jmh@joelhalpern.com>> wrote:
> >
> >     Robert, I am having trouble understanding your email.
> >
> >     1) A Domain would only filter the allocated SIDs plus what it
> chooses to use for SRv6.
> >
> >     2) Whatever it a domain filters should be irrelevant to any other
> domain, since by definition SRv6 is for use only within a limited domain.
> So as far as I can see there is no way a domain can apply incorrect
> filtering.
> >
> >     Yours,
> >
> >     Joel
> >
> >     On 10/8/2022 3:16 AM, Robert Raszuk wrote:
> >>     Hi Suresh,
> >>
> >>         NEW:
> >>         In case the deployments do not use this allocated prefix
> additional care needs to be exercised at network ingress and egress points
> so that SRv6 packets do not leak out of SR domains and they do not
> accidentally enter SR unaware domains.
> >>
> >>
> >>     IMO this is too broad. I would say that such ingress filtering
> could/should happen only if dst or locator is within locally
> configured/allocated prefixes. Otherwise it is pure IPv6 transit and I see
> no harm not to allow it.
> >>
> >>         Similarly as stated in Section 5.1 of RFC8754 packets entering
> an SR domain from the outside need to be configured to filter out the
> selected prefix if it is different from the prefix allocated here.
> >>
> >>
> >>     Again the way I read it this kills pure IPv6 transit for SRv6
> packets. Why ?
> >>
> >>     (Well I know the answer to "why" from our endless discussions about
> SRv6 itself and network programming however I still see no need to mandate
> in any spec to treat SRv6 packets as unwanted/forbidden for pure IPv6
> transit.)
> >>
> >>     Thx,
> >>     R.
> >
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
>
>

v2.23.0 | Report a Bug | By Email