I think it’s only fair to clarify my remarks – again – speaking entirely as a
contributor.
Let’s be clear – the middlware boxes will work in most cases – except when
there is no SRH.
The problem here is that if you apply a Micro-SID – which is imposed by
originating system – and have no SRH – the DA of the packet is changing along
the way – and the L4 checksum will be broken. There is no way to actually
calculate the correct L4 checksum in flight – and in reality the originating
system will now need to impose a checksum that is invalid at the start for it
to be correct at the end – breaking end to end check summing. This is a
problem.
Let’s look at what 8200 says:
o If the IPv6 packet contains a Routing header, the Destination
Address used in the pseudo-header is that of the final
destination. At the originating node, that address will be in
the last element of the Routing header; at the recipient(s),
that address will be in the Destination Address field of the
IPv6 header.
Now, in the case of no SRH – the DA address placed by the originating host – is
*NOT* the final DA – because of the manipulation in the middle.
The reality is that middleware boxes are (unfortunately) common – especially in
this part of the world – they are used by state and other entities for DPI and
traffic control etc – and they are used for IDS purposes etc – and breaking the
L4 checksum in flight with no way for these boxes to calculate the correct
checksum – will break existing deployments – that – is a problem and it needs
to be addressed. I would be quite fine if there was explicit text detailing
this that was explicitly approved by 6man as the originators of 8200 (and a
clear indication that this document updates 8200) – or alternatively a -BIS to
8200. Either way – if you break the checksum – this needs explanatory text and
it needs approval for 6man via a 6man Last call as far as I am concerned.
Thanks
Andrew
Internal All Employees
From: Antoine FRESSANCOURT <antoine.fressancourt=40huawei....@dmarc.ietf.org>
Date: Tuesday, 6 February 2024 at 12:16
To: Andrew Alston - IETF <andrew-i...@liquid.tech>, Robert Raszuk
<rob...@raszuk.net>, Ron Bonica <rbon...@juniper.net>
Cc: spring@ietf.org <spring@ietf.org>
Subject: RE: [spring] draft-ietf-spring-srv6-srh-compression
Hello,
I tend to agree with Andrew that the fact that the verification of a L4
checksum by a middlebox breaks is a problem. But I think this is a huge problem
with the middleboxes, not with SRv6.
According to me, reading RFC 8200 gives rather clear guidelines with regards to
the computation of the L4 checksum. This checksum should be computed using the
destination address seen by the destination verifying the checksum. As L4
protocols are end to end protocols, the checksum verifier is the end point
destination of the packet, and not a middlebox on the path. If a middlebox
breaks the communication by looking at fields it should not look at, then the
problem is the intervention of the middlebox.
Best,
Antoine
From: spring <spring-boun...@ietf.org> On Behalf Of Andrew Alston - IETF
Sent: lundi 5 février 2024 20:32
To: Robert Raszuk <rob...@raszuk.net>; Ron Bonica <rbon...@juniper.net>
Cc: spring@ietf.org
Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression
I call breaking any middleware that does checksum validation a problem - and a
big one
Andrew Alston
Internal All Employees
________________________________
From: Robert Raszuk <rob...@raszuk.net<mailto:rob...@raszuk.net>>
Sent: Monday, February 5, 2024 7:16:23 PM
To: Ron Bonica <rbon...@juniper.net<mailto:rbon...@juniper.net>>
Cc: Andrew Alston - IETF
<andrew-i...@liquid.tech<mailto:andrew-i...@liquid.tech>>;
spring@ietf.org<mailto:spring@ietf.org>
<spring@ietf.org<mailto:spring@ietf.org>>
Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression
Hi Ron,
Is there a problem ?
If I read RFC8200 L4 checksum is computed by the packet originator and
validated by the packet's ultimate receiver.
In all SPRING work to the best of my knowledge the vast majority of packets are
only encapsulated by transit nodes.
Is there any formal mandate in any of the RFCs that an encapsulating node must
mangle the inner packet's L4 checksum ? I don't think so but stand open to get
my understanding corrected.
Cheers,
Robert
On Mon, Feb 5, 2024 at 5:04 PM Ron Bonica
<rbonica=40juniper....@dmarc.ietf.org<mailto:40juniper....@dmarc.ietf.org>>
wrote:
Folks,
Has anyone proposed a solution to the L4 checksum problem that Andrew talks
about?
Ron
Juniper Business Use Only
________________________________
From: spring <spring-boun...@ietf.org<mailto:spring-boun...@ietf.org>> on
behalf of Andrew Alston - IETF
<andrew-ietf=40liquid.t...@dmarc.ietf.org<mailto:40liquid.t...@dmarc.ietf.org>>
Sent: Monday, February 5, 2024 5:21 AM
To: spring@ietf.org<mailto:spring@ietf.org>
<spring@ietf.org<mailto:spring@ietf.org>>
Subject: [spring] draft-ietf-spring-srv6-srh-compression
[External Email. Be cautious of content]
Hi All,
(In capacity as a contributor and wearing no other hats)
At this point I cannot support progression of this document until the issues
around the L4 Checksum have been resolved. It’s been clearly stated in other
emails on the list that in certain circumstances the behavior described in this
document break the L4 checksum as defined in RFC8200. This requires an update
to RFC8200 to fix it – and I’m not sure that spring can update 8200 absent the
consent of 6man, which I’m not sure has been asked for, nor am I sure that a
spring document can update something like 8200 in an area so fundamental as the
checksum without a -BIS, which would have to be done via 6man. The L4 checksum
issue though is real – and it cannot simply be ignored.
I also have deep concerns that the compression document creates something that
(in a similar way to SRv6) creates something that is completely non-conformant
with RFC4291. There are multiple references to this in draft-6man-sids, and
should draft-6man-sids become an RFC I would argue that it should probably be a
normative reference in this document – on the logic that this document relies
on similar RFC4291 violations that srv6 itself does (and for the record, just
because SRv6 itself violates RFC4291 as is clearly documented in
draft-6man-sids – does not make it acceptable to do so in yet another draft
without clear and unambiguously stating the deviations and ideally updating
RFC4291 to allow for said deviations)
I believe these two issues alone are sufficient that to pass this document
would create still further tensions about the relationship between SRv6 and
IPv6 and lead to confusion. As such – I believe these issues need to be
adequately dealt with – and the solutions to them need to be approved by 6man
as the working group that holds responsibility for ipv6 maintenance.
Thanks
Andrew Alston
Internal All Employees
_______________________________________________
spring mailing list
spring@ietf.org<mailto:spring@ietf.org>
https://www.ietf.org/mailman/listinfo/spring
_______________________________________________
spring mailing list
spring@ietf.org
https://www.ietf.org/mailman/listinfo/spring
