IETF Logo Mail Archive

Re: [Status] SPRING Charter

Thomas Narten <narten@us.ibm.com> Tue, 15 October 2013 13:46 UTC

Return-Path: <narten@us.ibm.com>
X-Original-To: status@ietfa.amsl.com
Delivered-To: status@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAC2621E8128 for <status@ietfa.amsl.com>; Tue, 15 Oct 2013 06:46:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQtBX8FYxWTx for <status@ietfa.amsl.com>; Tue, 15 Oct 2013 06:46:39 -0700 (PDT)
Received: from e32.co.us.ibm.com (e32.co.us.ibm.com [32.97.110.150]) by ietfa.amsl.com (Postfix) with ESMTP id 0E89321E80E8 for <status@ietf.org>; Tue, 15 Oct 2013 06:46:38 -0700 (PDT)
Received: from /spool/local by e32.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <status@ietf.org> from <narten@us.ibm.com>; Tue, 15 Oct 2013 07:46:35 -0600
Received: from d03dlp02.boulder.ibm.com (9.17.202.178) by e32.co.us.ibm.com (192.168.1.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Tue, 15 Oct 2013 07:46:33 -0600
Received: from d03relay05.boulder.ibm.com (d03relay05.boulder.ibm.com [9.17.195.107]) by d03dlp02.boulder.ibm.com (Postfix) with ESMTP id A1A033E40026; Tue, 15 Oct 2013 07:46:32 -0600 (MDT)
Received: from d03av01.boulder.ibm.com (d03av01.boulder.ibm.com [9.17.195.167]) by d03relay05.boulder.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id r9FDkWat395284; Tue, 15 Oct 2013 07:46:32 -0600
Received: from d03av01.boulder.ibm.com (loopback [127.0.0.1]) by d03av01.boulder.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id r9FDkVIi004954; Tue, 15 Oct 2013 07:46:31 -0600
Received: from cichlid.raleigh.ibm.com (sig-9-65-214-137.mts.ibm.com [9.65.214.137]) by d03av01.boulder.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id r9FDkTfZ004703 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 15 Oct 2013 07:46:30 -0600
Received: from cichlid.raleigh.ibm.com (localhost [127.0.0.1]) by cichlid.raleigh.ibm.com (8.14.4/8.12.5) with ESMTP id r9FDkSIl023262; Tue, 15 Oct 2013 09:46:28 -0400
Message-Id: <201310151346.r9FDkSIl023262@cichlid.raleigh.ibm.com>
To: stbryant@cisco.com
In-reply-to: <52584CCA.8000902@cisco.com>
References: <52584CCA.8000902@cisco.com>
Comments: In-reply-to Stewart Bryant <stbryant@cisco.com> message dated "Fri, 11 Oct 2013 20:08:58 +0100."
Date: Tue, 15 Oct 2013 09:46:28 -0400
From: Thomas Narten <narten@us.ibm.com>
X-TM-AS-MML: No
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 13101513-0928-0000-0000-0000028E8F24
Cc: Benoit Claise <bclaise@cisco.com>, Jari Arkko <jari.arkko@piuha.net>, "status@ietf.org" <status@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [Status] SPRING Charter
X-BeenThere: status@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Stacked Tunnels for Source Routing \(STATUS\)." <status.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/status>, <mailto:status-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/status>
List-Post: <mailto:status@ietf.org>
List-Help: <mailto:status-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/status>, <mailto:status-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2013 13:46:45 -0000

Looking at the most recent charter proposal (-15), I have the
following questions/observations:

> The SPRING working group will define procedures that 
> will allow a node to steer a packet along an explicit 
> route using information attached to the packet and
> without the need for per-path state information to be
> held at transit nodes.

Who adds these "segment routes" (or whatever we call them -- I'll call
the SRs in this message)? Can an originating end node add them, or is
their an assumption that only network nodes add them?

My assumption is that it is network nodes (not the originating hosts)
that do that. Certainly, that is the case in MPLS and for many of the
use cases (as I understand them).

When it comes to IPv6, however, the question of who is capable of
adding these "segment routes" becomes very significant. If the
originating end node can add SRs, the attack surface for exploiting
SRs becomes much more complicated and hard to defend against. And if
end nodes can add these SRs, its hard for me not to see this problem
as equivalent to source routes as IPv6 originally had them and then
deprecated. Also, architecturally, having middle boxes (including for
SR purposes) add/modify/remove headers raises pretty significant
architectural issues. IPv6 had generally not done this and frowned on
doing so. Having network nodes *add* SRs would raise questions in this
regard.

On the other hand, if only network nodes can add SRs, it also raises
the question of whether the right way to do this is by adding SRs to
the *original* packet as originated by an end host, or whether a new
outer header should be added, in which case we are tunneling within a
region where SRs are in use. A tunneling approach changes the attack
surface considerably, and probably makes it much easier to ensure that
SRs can only be originated within the domain in which they are used.

I think it would be good to clarify this in the charter, given that
the IPv6 and MPLS assumptions are so different.

Also, this item:

>  Definition of requirements and/or any new data plane 
>    encodings and procedures, required to implement 
>    the use cases. Such procedures must include the 
>    necessary security considerations.

Suggests to me that SPRING is being given the go ahead to define IPv6
mechanisms to do SR. IMO, any IPv6 protocol work should be done in
6MAN. SPRING should do requirements, etc., but IMO IPv6 protocol work
needs to be done where the IPv6 expertise is. Or at the very least
with very close coordination.

Thomas

v2.23.0 | Report a Bug | By Email