Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06

Robert Raszuk <robert@raszuk.net> Fri, 11 October 2013 19:49 UTC

From: Robert Raszuk <robert@raszuk.net>
To: Hannes Gredler <hannes@juniper.net>
Cc: "status@ietf.org" <status@ietf.org>
Subject: Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06

> all an attacker then needs to do is:
>
> 1. pick a route which transits an IPv6-SR capable node
> 2. add a forged extension header
>
> voila - you can get anywhere you want in the IPv6-SR domain;

Not really ...

Yes, it will be allowed to get into any network; however, it is very
easy not to examine extension headers on such packets and hence only
provide v6 transit, as any DFZ would provide today without any SR
enabled.

Segment routing != source routing ... perhaps the analogy made by some
folks is really counterproductive to the technology at stake. But
your points are great, as those issues you bring up, when addressed by
subsequent drafts, will make the solution much more robust for any AF
it is deployed to work with.

Many thx,
R.
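As an added illustration of the boundary policy the reply describes (example code, not from the thread or from any router implementation): a small model of an SR node's ingress decision, with a constructed IPv6+SRH packet as input. It assumes the SRH layout and routing type 4 later standardized in RFC 8754 (which postdates this 2013 discussion) and that a node knows which of its interfaces face the SR domain; a packet arriving on an untrusted interface is forwarded on its outer destination alone and its extension header is never examined.

```python
import ipaddress
import struct

IPPROTO_ROUTING = 43   # IPv6 Routing extension header
SRH_ROUTING_TYPE = 4   # Segment Routing Header (RFC 8754)

def build_srh_packet(src, dst, segments, seg_left):
    """Constructed IPv6 packet whose first extension header is an SRH
    (no payload).  segments is in packet order: Segment List[0] is the
    last segment to be visited."""
    segs = b"".join(ipaddress.IPv6Address(s).packed for s in segments)
    # Next Header=59 (none), Hdr Ext Len in 8-octet units, type, Segments
    # Left, Last Entry, Flags, Tag
    srh = struct.pack("!BBBBBBH", 59, len(segs) // 8, SRH_ROUTING_TYPE,
                      seg_left, len(segments) - 1, 0, 0) + segs
    hdr = struct.pack("!IHBB", 0x60000000, len(srh), IPPROTO_ROUTING, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + srh)

def parse_srh(pkt):
    """Return (segments_left, [Segment List]) if the first extension header
    is an SRH, else None."""
    if len(pkt) < 48 or pkt[6] != IPPROTO_ROUTING:
        return None
    _nh, ext_len, rtype, seg_left = struct.unpack_from("!BBBB", pkt, 40)
    n_segs = ext_len // 2          # each 16-byte segment is two 8-octet units
    if rtype != SRH_ROUTING_TYPE or len(pkt) < 48 + 16 * n_segs:
        return None
    segs = [ipaddress.IPv6Address(pkt[48 + 16 * i:64 + 16 * i])
            for i in range(n_segs)]
    return seg_left, segs

def ingress_decision(pkt, trusted_iface, node_addr):
    """How a node handles the packet: ('transit', dst) forwards on the outer
    destination only; ('segment-forward', next) means the SRH was acted on."""
    dst = ipaddress.IPv6Address(pkt[24:40])
    if not trusted_iface:
        # Packet entered from outside the SR domain: the SRH is never
        # examined, so a forged segment list cannot steer it in the domain.
        return "transit", dst
    srh = parse_srh(pkt)
    if srh is None or dst != ipaddress.IPv6Address(node_addr):
        return "transit", dst          # not an SRH, or not addressed to us
    seg_left, segs = srh
    if seg_left == 0:
        return "transit", dst          # last segment already reached
    # Active segment: Segments Left is decremented and Segment List[k]
    # becomes the new destination (RFC 8754 section 4.3.1).
    return "segment-forward", segs[seg_left - 1]
```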