Re: [Status] Status of Spring
Robert Raszuk <robert@raszuk.net> Thu, 10 October 2013 21:17 UTC
Return-Path: <rraszuk@gmail.com>
X-Original-To: status@ietfa.amsl.com
Delivered-To: status@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8270821F9CB0 for <status@ietfa.amsl.com>; Thu, 10 Oct 2013 14:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CVvFk+7K3N9m for <status@ietfa.amsl.com>; Thu, 10 Oct 2013 14:17:33 -0700 (PDT)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id D751621F9BBD for <status@ietf.org>; Thu, 10 Oct 2013 14:17:32 -0700 (PDT)
Received: by mail-ie0-f182.google.com with SMTP id as1so5066811iec.13 for <status@ietf.org>; Thu, 10 Oct 2013 14:17:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=5UHSBMibCS62QZGI0Ym219sg4ckzx2Ss6BCD8DtuigA=; b=a/ATzwL8OVsPbGoah7+YMCN1BhaH6xxbpPTWVb4VTA3YveMr28Gacq1OJBpXn3N5F9 fX13EB3xOZ/Sh+A2v1Mey9aT8tDmumbLRytFqSzKID1Gy4GW6totOynlVa9oKuibiwM3 zWL1SZw7KxTWra+Vzn35ZdaWR/uVV6J+1D4YaIxfMMQKg24UgCR4PnBpCMaMG/hkLvJ0 1W8xJ8LtgcOiQD39/fa9KXB/DgxTEfImoRbUfbkrYcnpEKiczRzS5/YiKG9mBvgD2GP3 fVnxFFOZIB8xZpPlALsF2U4Rce9w36Aa3PwR03X4QmXbdlpaw0rtFJasARtLhbcSHoe3 mzMA==
MIME-Version: 1.0
X-Received: by 10.42.29.129 with SMTP id r1mr6229746icc.44.1381439852172; Thu, 10 Oct 2013 14:17:32 -0700 (PDT)
Sender: rraszuk@gmail.com
Received: by 10.64.61.129 with HTTP; Thu, 10 Oct 2013 14:17:32 -0700 (PDT)
In-Reply-To: <16DFA9F1-B523-4A14-B270-FC77B0A1DD43@piuha.net>
References: <52569169.20404@cisco.com> <CA+b+ERmj13sz4yi+aQXwGKuu7boOKkz6CbcB9pYXqHV-_FMhSw@mail.gmail.com> <5256F76D.9080905@cisco.com> <16DFA9F1-B523-4A14-B270-FC77B0A1DD43@piuha.net>
Date: Thu, 10 Oct 2013 23:17:32 +0200
X-Google-Sender-Auth: oZMhEvsY8YcEuKWmc7WGsnRqsyo
Message-ID: <CA+b+ERkaDK9zTYpRq4Ncxtg=oWtGPH_MhagTywv0FQ4iSvTF0A@mail.gmail.com>
From: Robert Raszuk <robert@raszuk.net>
To: Jari Arkko <jari.arkko@piuha.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "status@ietf.org" <status@ietf.org>
Subject: Re: [Status] Status of Spring
X-BeenThere: status@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Stacked Tunnels for Source Routing \(STATUS\)." <status.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/status>, <mailto:status-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/status>
List-Post: <mailto:status@ietf.org>
List-Help: <mailto:status-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/status>, <mailto:status-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Oct 2013 21:17:33 -0000
Hi Jari, > As a result of this worry I now have to turn on filtering on the border of my > network for the new routing header. Is there a way around this? Let me clarify my previous message reg such filtering ... The filtering to your infrastructure addresses should be applied for both IPv4 and IPv6 packets. SR v6 header would be a regular v6 header (not new routing header) with perhaps few additional extension headers embedded to indicate the strict or loose transit nodes. So filtering applied on the edge of the network (which should be there regardless of SR or not) would be identical to normal case and would in fact effectively filter out any external attempt to insert SR routed packet into your network just based on the standard v6 header destination IP address. The only price to pay for this is to set bgp next hop to self if you want segment route the transit traffic, but this for one is pretty common today and also same would be required for MPLS encapsulation anyway. Best regards, R. On Thu, Oct 10, 2013 at 11:03 PM, Jari Arkko <jari.arkko@piuha.net> wrote: > Thanks Stewart and others. > > I wanted to add one clarification and some more technical discussion. > >> Jari who is the main discuss holder will work with us over >> the next couple of days to try to get some text that will allow >> us to go forward. > > I would really like to work with you to get this resolved. I see the issue, as I think do others, but I need your help in the WG to figure out what to do about it. I do not currently have a good idea, but I am sure we'll resolve it somehow. Some of you have already offered help - thanks. > > To provide a bit more context why just saying that we'll use it in closed networks is unlikely to work: > > The MPLS case was easy because these networks are naturally restricted to specific areas, and there is no way for a random person in some other part of the Internet to send you packets with MPLS labels. > > The basic problem with IP is that when someone defines a new source-routing header solution and applies it in network X, it does not affect just X. The code will be on various devices - with RH0 we had it on BSD, Linux, various brands of routers, maybe even on hosts, etc. Often turned on by default, leaving vulnerabilities open in many networks. > > We could say that the feature MUST be by default off and can only be enabled upon explicit request from the network manager. However, if I have a thousand devices in my network I start to worry that at least one of them has accidentally enabled the feature. So now that device could potentially reflect traffic sent to it from the outside to an internal destination. This could be used to subvert firewall policies, DoS attacks on nodes not visible from the Internet, etc. As a result of this worry I now have to turn on filtering on the border of my network for the new routing header. Is there a way around this? > > Also, the charter is clear that you are wishing for at least an eventual inter-AS solution. That raises the bar. > > In any case, I could completely off base with the above - I have not read your proposed solutions and maybe you are thinking of something completely different, or have already found the clever solutions to the problem. I'm happy to learn more :-) > > Jari > > _______________________________________________ > status mailing list > status@ietf.org > https://www.ietf.org/mailman/listinfo/status
- [Status] Charter security text Stewart Bryant
- Re: [Status] Charter security text Robert Raszuk
- [Status] Status of Spring Stewart Bryant
- Re: [Status] Status of Spring AshwoodsmithPeter
- Re: [Status] Status of Spring John E Drake
- Re: [Status] Status of Spring Robert Raszuk
- Re: [Status] Status of Spring AshwoodsmithPeter
- Re: [Status] Status of Spring AshwoodsmithPeter
- [Status] Please trim your cc John G. Scudder
- Re: [Status] Status of Spring Robert Raszuk
- Re: [Status] Status of Spring Jari Arkko
- Re: [Status] Status of Spring John G. Scudder
- Re: [Status] Status of Spring Robert Raszuk
- Re: [Status] Status of Spring joel jaeggli
- [Status] 答复: Status of Spring Xuxiaohu
- Re: [Status] 答复: Status of Spring Robert Raszuk
- [Status] 答复: 答复: Status of Spring Xuxiaohu
- [Status] 答复: 答复: Status of Spring Xuxiaohu
- Re: [Status] Status of Spring Hannes Gredler
- Re: [Status] Status of Spring Stewart Bryant
- Re: [Status] Status of Spring Robert Raszuk
- Re: [Status] Status of Spring Hannes Gredler
- [Status] 答复: Status of Spring Xuxiaohu
- Re: [Status] 答复: Status of Spring Robert Raszuk
- Re: [Status] Status of Spring Xuxiaohu
- [Status] 答复: Status of Spring Xuxiaohu
- Re: [Status] Status of Spring Xuxiaohu
- Re: [Status] Status of Spring Robert Raszuk
- Re: [Status] Status of Spring Xuxiaohu