IETF Logo Mail Archive

Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Robert Raszuk <robert@raszuk.net> Mon, 10 October 2022 15:05 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E804C14CE27 for <spring@ietfa.amsl.com>; Mon, 10 Oct 2022 08:05:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RHUs_SVJ0W1h for <spring@ietfa.amsl.com>; Mon, 10 Oct 2022 08:05:22 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 047FBC1522A8 for <spring@ietf.org>; Mon, 10 Oct 2022 08:05:21 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id b4so17497936wrs.1 for <spring@ietf.org>; Mon, 10 Oct 2022 08:05:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=WJ7LAF1MIX3j6bGpqh51SM1PXMbf6+3GhEWS29i6wH4=; b=HCq/mC9lXQ3n59htgrXMc10JTFx/qxQX44g37EIZBE7/4EVmsx0ccavh6XdpynLfAJ KMsrxJ+HEc0IUBrNKJzaKsL8Yh7S+47Kk7gqRhQCtQOZLCMqwl5m9WZzHUjhCH5VcLdj No5dI15+7qrA2ot7ByQB0j5VGFg2uAKmWT9lHX+5KyFwGEBl2mBN9RrhW5kh82g43455 jtl2GotUGPHLcy8rWmvb5Iy3J2bdNT9fOgrviNOmP3hX99X+bnnVgGdNQrpyQhQ/CvZn SurHSlVOmSc2EB/cTChtsw+nfXCD+l0JHLwRvJs0U2Nccmbh5pXtXIFTZcoWnehcNBPB rn5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=WJ7LAF1MIX3j6bGpqh51SM1PXMbf6+3GhEWS29i6wH4=; b=5gWAIPMW3+N+tFDEHcJfZn6TL4k8/2ZOGG0wT8fUTKGJJk3gawAbKGB/BXUzhBmNW1 jbvt6rozJamk/Lvha/qU3Lyxu2xiopcub8Kl4pygaRyAm5FqpZlqZn6gRsFqqb8AKQgG oHlGNS4OJFn5iljjDTfJyIX3uMSxl09I9ffCGr/klXeJfV4OC7CffA5Dq3QyjdSbQixE YRxWVUWVH+FOmX2LDjct7+hr3PIgIw668OxC9ClFYQkmIb0n1qOPvNVNVmSxmEjmDgAP gYCmk0jM88VNaKpF8yja9VYau0R8gaMp7JXkmmlxYfv6yPVawXlXmcpgrDza/dvSIcIg A+dQ==
X-Gm-Message-State: ACrzQf1GyOmNEZJovmvb+C59GQtIoohIUkgQKnLTBMCyu9jQJ9gFYs4E QvokxUfcwTZtJ2iZAraRnVnyokGusDkR2/2FhehXcw==
X-Google-Smtp-Source: AMsMyM6VbXEYPSfxMkeM5fFdHrrOa0psOPKH4B1GK6O1j+PxSveGxpZ2KnUNV6AXditiWTsrDo6uZtFqXz2s3FSeW+0=
X-Received: by 2002:a5d:6409:0:b0:22e:f12:2abd with SMTP id z9-20020a5d6409000000b0022e0f122abdmr12278673wru.157.1665414319716; Mon, 10 Oct 2022 08:05:19 -0700 (PDT)
MIME-Version: 1.0
References: <CAFU7BARixwPZTrNQOuEw3WP-FqUsVwTj7btMTahcMbXm_NqWGw@mail.gmail.com> <58E77509-A1A1-4CE8-9EE4-22BEEEA8B62E@gmail.com> <98a941e4-0fff-ced1-d4ca-4406368eac31@joelhalpern.com> <4DC495DF-AD6B-4D60-80C4-B836DD365A0C@gmail.com> <CAOj+MMEx7+jWN1yC=81dMwo5GmqbhyHqOZr9W2_qzN9BNjs+Zw@mail.gmail.com> <ab55e9c0-60b9-2986-07f1-38c28852009e@joelhalpern.com> <CAOj+MMEn6Dz-Rz0PRRvR8VXT8idAQm+rLuouWJoNz-dA+kRkJQ@mail.gmail.com> <1fe2d387-8ecc-5240-092c-84a5978af5e4@gmail.com> <CAOj+MME6Nb3MLQCiGQ5S06Cwj6d3Z+aoSpxwFdtoFaV-yPPuJQ@mail.gmail.com> <e65772a1-bc86-c59c-e99f-7cabf92f28a4@joelhalpern.com> <183BB8B9-A338-4136-8546-7C7858B4D4E4@cisco.com> <35484ed3-509a-39ba-6a16-8f2bf807f4f2@joelhalpern.com> <BAAD744A-2AD2-4498-90EC-9C9A184E0A8A@cisco.com> <CAOj+MMGjTa+zwRHnRWWu-+bRZd83vo4xz22XuRK+7TJ5A81DQQ@mail.gmail.com> <a10a6d8c-ef59-398b-1b53-dc3e688c16b0@joelhalpern.com> <CAOj+MMFGRjevpYLGxwiRs1GP-yN8eAxE6a7JKxuhbsYrJgUyLA@mail.gmail.com> <0d911d38-b939-692a-9b8b-24ff752672bc@joelhalpern.com> <CAOj+MMEnYR-ORvtUg+mrq=TW=QXrKYRXoJx=eaFhv2rc+rb+WQ@mail.gmail.com> <CAN-Dau1iOPn5kiu1nxNmp7U+ziCqN1m+isadBwQTZfz1WTFgiQ@mail.gmail.com>
In-Reply-To: <CAN-Dau1iOPn5kiu1nxNmp7U+ziCqN1m+isadBwQTZfz1WTFgiQ@mail.gmail.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Mon, 10 Oct 2022 17:05:07 +0200
Message-ID: <CAOj+MMHWGVDKO5NAzP=hcb3swoO-i+PKz+dkb7j-AZ5CY=DYWQ@mail.gmail.com>
To: David Farmer <farmer@umn.edu>
Cc: Joel Halpern <jmh.direct@joelhalpern.com>, 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ee53bf05eaaf7c40"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/yhLDa-wxyODBv1pkxAGGLyS-inY>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 15:05:26 -0000

David,

No, that is not what I am saying. I am saying that the concept of limited
domains is very loosely defined in rfc8799 and using it as a base to drop
packets which contain SRH is not right.

For example are my enterprise sites interconnected with SD-WAN a limited
domain - surely is for me even if I use vanilla IPv6 Interconnect to talk
between them.

And let's not worry about such sites' security ... This is a completely
different topic. Let's agree that dropping IPv6 packets somewhere in
transit only because they contain specific extension header is illegal.

Thx,
R.




On Mon, Oct 10, 2022 at 4:56 PM David Farmer <farmer@umn.edu> wrote:

> If you are saying the concept of Limited Domains does not apply to SRH
> since it isn't an IETF consensus document, then I believe that calls the
> consensus for SRH into serious question. Furthermore, if the SRH consensus
> is questionable, the idea that operators might filter it shouldn't be
> surprising.
>
> Thanks
>
> On Mon, Oct 10, 2022 at 9:24 AM Robert Raszuk <robert@raszuk.net> wrote:
>
>> Joel,
>>
>> Am I wrong understanding that definition of "limited domain" was never
>> approved by any formal IETF process ?
>>
>> If so do you really think we should be bounded on something which has
>> been defined outside of IETF ?
>>
>> Cheers,
>> Robert
>>
>> On Mon, Oct 10, 2022 at 4:03 PM Joel Halpern <jmh.direct@joelhalpern.com>
>> wrote:
>>
>>> SRH was explicitly defined for use in limited domains.   That is why I
>>> think dropping it is acceptable.  Certainly not required, but permitted.
>>> The closest equivalent is NSH, which is also defined for limited domains.
>>> In my personal opinion (not speaking for the SFC working group) I think it
>>> would be legitimate for a domain, particularly one that is using NSH, to
>>> drop packets where the IP carried protocol is NSH.  (I would prefer that
>>> they block only packets to their domain with carried protocol of NSH, but
>>> that is up to the operator.)
>>>
>>> You have said that you consider the limited domain requirement to be
>>> wrong and irrelevant.  Whether you agree with it or not, it is in the RFC.
>>> Operators may reasonably act on that.
>>>
>>> Yours,
>>>
>>> Joel
>>> On 10/10/2022 9:59 AM, Robert Raszuk wrote:
>>>
>>> >  it seems acceptable to block all packets with SRH
>>>
>>> And such statements you are making are exactly my point.
>>>
>>> Just curious - Is there any other extension header type subject to being
>>> a good enough reason to drop packets at any transit node in IPv6 ?
>>>
>>> Thx,
>>> R.
>>>
>>> On Mon, Oct 10, 2022 at 3:53 PM Joel Halpern <jmh.direct@joelhalpern.com>
>>> wrote:
>>>
>>>> Protection from leaking inwards is required by the RFCs as far as I
>>>> know.
>>>>
>>>> Note that there are multiple ways to apply such protection.  It is
>>>> sufficient for the domain only to block packets addressed to its own SID
>>>> prefixes.  If the domain is using SRv6 without compression or reduction, it
>>>> seems acceptable to block all packets with SRH.  After all, they should not
>>>> be occurring.  But we do not tell operators how to perform the filtering.
>>>> It is up to them what they do.
>>>>
>>>> Yours,
>>>>
>>>> Joel
>>>>
>>>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
>
>
> --
> ===============================================
> David Farmer               Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
>

v2.23.0 | Report a Bug | By Email