On Thu, Jun 13, 2024 at 1:12 AM Andrew Alston - IETF <andrew-ietf= 40liquid.t...@dmarc.ietf.org> wrote:
> Hi All, > > > > As I have repeatedly stated in spring and will state so again here. In > certain circumstances the use of C-SID breaks the checksums as relates to > transit nodes. RFC8200 lays out specific processing rules for upper-layer > checksums, and expressly deals with scenarios where there is a routing > header (Section 8.1.). RFC8200 in section 8.1. also provides for specific > cases for UDP traffic that is encapsulated. > > > > As the compression draft notes – there are systems that may be in the > transit line that will fail to compute the checksums in the absence of a > routing header. This is in my view a violation of RFC8200. Now, there has > been some discussion about if “middleware” boxes are bad etc – but that’s > entirely beside the point, the fact is that the draft changes the data > plane in such a way as to make it incompatible with existing deployments. > This brings this clearly into the domain of 6man (since the spring charter > stated, explicitly, that modification to existing data planes that make > them incompatible with existing deployments should be avoided) > > > > I do not want to a start a debate about if what operators have deployed – > either because they wished to deploy or were forced to deploy by regulation > – is a good thing – operators are free to run their networks as they see > fit. However, when changing the ipv6 data plane to the point where a new > draft makes said data plane incompatible with existent deployments, at the > very least said draft should update the original draft (and in fact I would > go further and argue that when changing something as fundamental as the > upper-layer checksum, there should be an 8200bis to allow for this). > > > > For far too long we have seen srv6 work violating underlying standards > that are the domain of 6man – yet we still insist on claiming that srv6 is > ipv6. This has led to several issues, including the publication of a draft > like draft-krishnam-6man-sids to clarify things, and a draft in spring to > address significant security considerations with regards to srv6 etc. The > time has come to say, we cannot keep violating the base ipv6 standards > unless we update the original standards – because every time this is > allowed to happen, we drift further from the base standard and introduce > the possibility of further calamity for operators. As such – I do not > believe that this document should be allowed to proceed in the absence of > an update to RFC8200 and preferably a BIS document. Breaking the checksum > is simply not acceptable without the base standard explicitly dealing with > the case in question (as RFC8200 does for other use cases) > Andrew, I agree, but would like to add one point. While RFC82000 may be silent whether the upper layer checksum must be correct on the wire, other RFCs do enforce that. The compressed SID without a routing header would have intermediate nodes change the destination address-- that is a form of Network Address Translation. I believe every NAT RFC specifies how to maintain a correct checksum on the wire, either by fixing the L4 checksum itself or doing a checksum-neutral mapping. I don't see why C-SID shouldn't follow that precedent. Tom > > Thanks > > > > Andrew > > > > > > > Internal All Employees > From: Alvaro Retana <aretana.i...@gmail.com> > *Date: *Monday, 3 June 2024 at 15:00 > *To: *6man <i...@ietf.org> > *Cc: *int-...@ietf.org <int-...@ietf.org>, rtg-...@ietf.org < > rtg-...@ietf.org>, 6man Chairs <6man-cha...@ietf.org>, > spring-cha...@ietf.org <spring-cha...@ietf.org>, SPRING WG List < > spring@ietf.org> > *Subject: *[IPv6]C-SIDs and Upper-Layer Checksums > (draft-ietf-spring-srv6-srh-compression) > > *Caution:* This email has originated from outside the organization. > Further it is from a free email service, attackers can use these as > throwaway accounts. If any doubt, do not reply, click on links, or open > attachments. You can report the email using the Report Phishing button in > your Outlook Toolbar. For guidance on how to spot a phishing email refer to > Protect > yourself from phishing - Microsoft Support > <https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44> > > Dear 6man WG: > > As you may be aware, the spring WG is in the process of advancing > draft-ietf-spring-srv6-srh-compression [1]. The WGLC discussions have > resulted in the need to ask you the following questions (see below) > related to the use/operation of compressed SIDs (C-SIDs). > > Please provide any opinions by June 14, 2024. > > Thanks! > > spring-chairs > > > > §6.5 (Upper-Layer Checksums) explains how to calculate the Upper-Layer > Checksum in the presence of C-SIDs. §9.3 (Upper Layer Checksum > Considerations) discusses the related operational considerations. > For convenience, both sections are reproduced here: > > ===== ===== draft-ietf-spring-srv6-srh-compression-17 ===== ===== > > 6.5. Upper-Layer Checksums > > The Destination Address used in the IPv6 pseudo-header (Section 8.1 > of [RFC8200]) is that of the ultimate destination. > > At the SR source node, that address will be the Destination Address > as it is expected to be received by the ultimate destination. When > the last element in the compressed SID list is a C-SID container, > this address can be obtained from the last element in the > uncompressed SID list or by repeatedly applying the segment behavior > as described in Section 9.2. This applies regardless of whether an > SRH is present in the IPv6 packet or omitted. > > At the ultimate destination(s), that address will be in the > Destination Address field of the IPv6 header. > > ... > > 9.3. Upper Layer Checksum Considerations > > Upper layer checksums are computed by the originator of an IPv6 > packet and verified by the ultimate destination(s) as it processes > the upper layer protocol. > > As specified in Section 6.5, SR source nodes originating TCP/UDP > packets ensure that the upper layer checksum is correctly calculated > based on the ultimate destination of the session, which may be > different from the address placed in the IPv6 destination address. > Such SR source nodes leveraging TCP/UDP offload engines may require > enhancements to convey the ultimate destination address. These > implementation enhancements are outside the scope of this document. > > It was reported that some network node implementations, including > middleboxes such as packet sniffers and one software router > implementation, may attempt to verify the upper layer checksum of > transit IPv6 packets. These nodes, if deployed inside the SR domain, > may fail to verify the upper layer checksum of transit SRv6 traffic, > possibly resulting in dropped packets or in the inability to carry > out their function. Making these implementations SRv6 aware in > general or C-SID aware in particular is out of the scope of this > document. > > ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== > > > Is this text aligned with §8.1/rfc8200 (Upper-Layer Checksums) [2]? > Does anything need to be added, deleted, changed, or clarified? > > Is using C-SIDs in the above scenarios (§9.3) compatible with IPv6 > transit node deployments compliant with rfc8200? > > Does using C-SIDs as specified above represent a modification to the > IPv6 dataplane? If so, is the modification considered acceptable to > the WG? > > > [1] > https://datatracker.ietf.org/doc/html/draft-ietf-spring-srv6-srh-compression > > > [2] https://datatracker.ietf.org/doc/html/rfc8200#autoid-17 > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > i...@ietf.org > Administrative Requests: > -------------------------------------------------------------------- >
_______________________________________________ spring mailing list -- spring@ietf.org To unsubscribe send an email to spring-le...@ietf.org
