On 10-Oct-22 11:49, Robert Raszuk wrote:
> Hi Brian,
>
>> Easily avoided by another layer of encapsulation, surely? Personally I
>> would want to do that, and to use an encrypted encapsulation, to make sure that
>> the SR domain is not penetrated.
>
> I am not even sure what you call SR domain ... In the old days, slides showed
> the domain as a little cloud or circle. Well, times have changed.

What I call an SR domain is defined in RFC8402:

"Segment Routing domain (SR domain): the set of nodes participating in
the source-based routing model. These nodes may be connected to the
same physical infrastructure (e.g., a Service Provider's network).
They may as well be remotely connected to each other (e.g., an
enterprise VPN or an overlay)."

> Today your domain may be using AWS internal links for interconnect shared with
> other users. Is this still limited domain buzz?

Yes, according to the way we defined it in RFC8799 (which is not an IETF
document):

"In other cases, it may refer to a defined set of users or nodes distributed over a
much wider area, but drawn together by a single virtual network over the Internet, or a
single physical network running in parallel with the Internet."

> Then we have a concept of DMZs. Are those part of a limited domain or not?
> Note that DMZs are usually open to the Internet (perhaps with a few ACLs for
> protection, and often IPS systems).

In other words, they are not completely open. We didn't cite them in RFC8799,
but they are a pretty good example. They are a bit complicated, because the
trust models are different at the boundary between the DMZ and the Internet,
and at the boundary between the DMZ and the inner enterprise or DC network.

> Life is not as simple as RFCs to say "limited domain" and move on when you are
> dealing with an Internet-accepted ethertype.

Nobody said it was simple. In my view the IETF has largely ignored this issue, because it
goes against the naive view of "end to end". That's why RFC8799 is not an IETF
document, but is cited in ~35 IETF drafts.

   Brian

>> It doesn't, IMHO, belong in this draft. It really looks like an update to
>> 8402: how to build a distributed SR domain.
>
> Well, if you recall, during those discussions I illustrated this use case. It was
> not taken into consideration.
>
> And my overall point here - let's be a bit closer to reality. Sure, some IETF
> WGs could work completely detached and produce RFCs which not many will follow
> - but is this really a good thing?
>
> Best,
> R.
_______________________________________________
spring mailing list
spring@ietf.org
https://www.ietf.org/mailman/listinfo/spring