[v6ops] Further feedback to the questions of Erik Kline in v6ops session

Chongfeng Xie <chongfeng.xie@foxmail.com> Sat, 30 March 2024 05:25 UTC

Date: Sat, 30 Mar 2024 13:25:29 +0800
From: Chongfeng Xie <chongfeng.xie@foxmail.com>
To: list <v6ops@ietf.org>, Erik Kline <ek.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/QdRW2PQIBn2rFnp-He-xqmT55hk>

Hi Erik Kline,

Thank you very much for your questions on EVN6 during the v6ops meeting in Brisbane. Due to time constraints, I did not give you detailed feedback then. More responses are as follows, tagged as [Chongfeng]:

Q1. There are SRv6 and BGP doing the same thing. Are the principle and advantage just the lack of additional encapsulation?
[Chongfeng]: EVN6 exploits the inherent capabilities of IPv6 for Ethernet virtual networks. Besides removing the additional encapsulation, several other advantages can be provided, as below:

      - Service can be provisioned by a PE as long as its access to the IPv6 Internet is available. There is no constraint on it from the underlying network, which exists in other approaches.

      - There is no specific requirement on the interworking interface between ISPs, so it can be easily implemented in a multi-operator environment.

      - Instead of being statically pre-configured in the PE, the tunnel endpoint address is generated based on dynamic mapping from MAC address to IPv6 address, so the risk of DDoS attack can be reduced.

      - Since different hosts within the same site have different outer IPv6 addresses, load balancing in the IPv6 network can be implemented based on the source IPv6 addresses.

Q2. I am wondering how to defend against traffic injection. If I can guess the MAC address and VEI, can I send traffic to someone else's network?

[Chongfeng]: Illegal traffic injection can be defended against by the egress checking the source prefix of the incoming packet. When an attacker guesses a MAC address/VEI and sends traffic to someone else's network, the egress PE can check the packets in the traffic and will find that the source prefix (i.e. the source mapping prefix of the IPv6 source address) does not belong to the EVN6 instance identified by the VEI value; the packets will be considered abnormal and discarded. Other security means, such as source address verification, can also be used to further enhance the defending capability.

Q3. Is VEI the same as in VXLAN?
[Chongfeng]: Logically, VEI is the same as the VNI of VXLAN; however, it has more bits and can identify more virtual network instances than the VNI of VXLAN.

I hope that the feedback above can clarify your concerns. If you have more questions, please feel free to raise them.

Best regards
Chongfeng
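The egress check described in the Q2 answer, together with the MAC-to-IPv6 mapping mentioned under Q1, as an added example. This is not code from the EVN6 draft or from the author of the message: the outer-address layout (a 48-bit site mapping prefix, a 32-bit VEI, then the 48-bit host MAC), the prefixes, MAC addresses and VEI values are all assumptions constructed for illustration, and the real draft may lay the address out differently.

```python
from __future__ import annotations

import ipaddress

# Assumed (hypothetical) layout of the outer IPv6 address; the EVN6 draft's
# real layout may differ. 128 bits = 48-bit site mapping prefix, followed by
# a 32-bit VEI (wider than VXLAN's 24-bit VNI), followed by the 48-bit host MAC.
PREFIX_BITS = 48
VEI_BITS = 32
MAC_BITS = 48


def mac_to_int(mac: str) -> int:
    """'00:11:22:33:44:55' -> 0x001122334455 (also accepts '-' separators)."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def map_address(mapping_prefix: str, vei: int, mac: str) -> ipaddress.IPv6Address:
    """Derive a host's outer IPv6 address from its MAC (the 'dynamic mapping'
    of Q1, under the assumed layout) instead of a pre-configured endpoint."""
    net = ipaddress.IPv6Network(mapping_prefix, strict=True)
    if net.prefixlen != PREFIX_BITS:
        raise ValueError(f"mapping prefix must be /{PREFIX_BITS}: {mapping_prefix}")
    if not 0 <= vei < (1 << VEI_BITS):
        raise ValueError(f"VEI out of range: {vei}")
    value = int(net.network_address) | (vei << MAC_BITS) | mac_to_int(mac)
    return ipaddress.IPv6Address(value)


def split_address(addr) -> tuple[ipaddress.IPv6Network, int, str]:
    """Inverse of map_address: (source mapping prefix, VEI, MAC)."""
    value = int(ipaddress.IPv6Address(addr))
    host_bits = VEI_BITS + MAC_BITS
    prefix = ipaddress.IPv6Network(((value >> host_bits) << host_bits, PREFIX_BITS))
    vei = (value >> MAC_BITS) & ((1 << VEI_BITS) - 1)
    mac = int_to_mac(value & ((1 << MAC_BITS) - 1))
    return prefix, vei, mac


class EgressPE:
    """Egress check from Q2: the outer source address must carry a mapping
    prefix that is a member of the EVN6 instance named by the VEI in the outer
    destination address; anything else is treated as injected and dropped."""

    def __init__(self, instances: dict[int, set[str]]):
        # VEI -> set of site mapping prefixes that are members of that instance
        self.instances = {
            vei: {ipaddress.IPv6Network(p) for p in prefixes}
            for vei, prefixes in instances.items()
        }

    def check(self, src, dst) -> tuple[bool, str]:
        src_prefix, _, _ = split_address(src)
        _, dst_vei, dst_mac = split_address(dst)
        members = self.instances.get(dst_vei)
        if members is None:
            return False, f"drop: no EVN6 instance for VEI {dst_vei}"
        if src_prefix not in members:
            return False, f"drop: source prefix {src_prefix} is not in VEI {dst_vei}"
        return True, f"forward to MAC {dst_mac} in VEI {dst_vei}"


def demo() -> tuple[bool, bool]:
    """Constructed scenario: sites A and B share VEI 7; site C is an outsider."""
    pe = EgressPE({7: {"2001:db8:a::/48", "2001:db8:b::/48"},
                   9: {"2001:db8:c::/48"}})
    dst = map_address("2001:db8:b::/48", 7, "66:77:88:99:aa:bb")
    # legitimate host at site A, same instance as the destination
    legit = pe.check(map_address("2001:db8:a::/48", 7, "00:11:22:33:44:55"), dst)
    # attacker at site C guessed the MAC and the VEI, but its own source mapping
    # prefix is not a member of VEI 7; forging that prefix as well is what the
    # "source address verification" mentioned in the reply would have to catch
    spoof = pe.check(map_address("2001:db8:c::/48", 7, "de:ad:be:ef:00:01"), dst)
    return legit[0], spoof[0]


if __name__ == "__main__":
    print(demo())
```

The membership table keyed by VEI is the only state the egress PE needs for this check; it does not depend on the ingress PE having been pre-configured with the attacker's address, which is the point of deriving the endpoint from the MAC.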