On Sat, Apr 1, 2023 at 10:29 PM Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:

> Tony,
>
> On 02-Apr-23 05:53, Tony Przygienda wrote:
> >
> > I heard the argument that IPv6 address space is large and "easy to carve
> up to mean other things" since about as long as IPv6 started to gain traction.
> The wisdom of that has thankfully been questioned so far. BIER was also
> approached by people who hoped we would create a precedent by taking a /8
> or /16 or something and using the rest of the bits to stick bitmasks in.
> Expediency overriding architecture and all that usual jazz ...
>
> I have all kinds of angst about using magic bit patterns in IPv6 addresses
> to convey semantics. Addresses are for getting packets from one end to the
> other, period. However, my main interest is to prevent SRV6 SIDs doing any
> kind of damage to the universal deployment of IPv6. From that point of
> view, a new Ethertype would be great because it automatically prevents SRV6
> SID deployment on the Internet rather than within limited domains.
>
> But that doesn't affect what I said: *deploying* a new Ethertype is much,
> much harder than deploying draft-ietf-6man-sids.
>

we're kind of in sync. I think we saw many ethertypes deployed and it's not as
dramatic as it sounds, and the best route if justified IME. As Andrew says, it's
complementary anyway in the sense that it doesn't force e'one to move to it
(at least not at once, though if security stuff turns interesting I don't
exclude a stampede ;-)


>
> >
> > Yes, it's easy to "quickly deploy" and taken to the bitter conclusion
> we'll stop having a decently economic, secure and debuggable IP forwarding
> path, instead we end up building IP host address firewall scanning things
> into layer 4 to find violations in complex constructs masquerading under
> addresses and IP "extension headers" and build lots of "kind of limited but
> not so limited and kind of secur'ish domains". Firewalls have their place
> but routers are not firewalls.
>
> I don't see where layer 4 comes in. SRV6 adds semantics to layer 3. Layer
> 3 ACLs have existed much longer than firewalls. draft-ietf-6man-sids
> enables the non-SRV6 Internet to drop SRV6 SIDs traffic without any kind of
> DPI, exactly as a new Ethertype would.
>

well, I'm overdramatizing a bit ;-) Nothing prevents abusing more bits in
L3 and L4 once an address is "just a bit of bits you can put any semantics
on" and not only a strict indication of *where* stuff is. Architectural
shortcuts for expediency and performance tend mostly to be precedent cases
for further misemployment IMBE (B for bitter ;-).

-- tony

> >
>
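The point Brian makes above (a non-SRv6 network dropping SID traffic with a plain layer-3 ACL, no DPI) as an added worked example; this is not code from the thread or from any IETF document. It assumes the 5f00::/16 block that RFC 9602, the published form of draft-ietf-6man-sids, allocates for SRv6 SIDs, and it uses small constructed packet records rather than real parsing; the has_srh field exists only to show that the verdict never looks at extension headers.

```python
"""Edge filter for SRv6 SID traffic using a layer-3 prefix match only.

Added example, not code from the mailing-list thread or from any IETF
document. Once SIDs live in a dedicated block, a non-SRv6 network (or the
edge of a limited domain) can drop SID-addressed packets with an ordinary
address ACL and never look past the fixed IPv6 header.

Assumptions (not stated in the thread):
- SID_BLOCK is 5f00::/16, the block RFC 9602 (the published form of
  draft-ietf-6man-sids) allocates for SRv6 SIDs.
- Packets are small constructed records; the `has_srh` flag exists only to
  show that the verdict never depends on it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SID_BLOCK = ipaddress.ip_network("5f00::/16")


@dataclass(frozen=True)
class Packet:
    ingress: str           # interface class the packet arrived on
    src: str               # IPv6 source address (text form)
    dst: str               # IPv6 destination address (text form)
    has_srh: bool = False  # present only to show the filter ignores it


def edge_verdict(pkt: Packet,
                 sid_block: ipaddress.IPv6Network = SID_BLOCK,
                 internal_ifaces: Tuple[str, ...] = ("internal",)) -> Tuple[str, str]:
    """Decide permit/drop from the two addresses alone.

    Rules (both are plain prefix matches on the fixed IPv6 header):
      1. A packet entering from outside the SRv6 domain whose destination is
         a SID is dropped: SIDs must not be reachable from the Internet.
      2. A packet entering from outside whose *source* is a SID is dropped:
         SID addresses should never originate outside the domain.
    Inside the domain, SID traffic is left to the SRv6 forwarding plane.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    from_outside = pkt.ingress not in internal_ifaces

    if from_outside and dst in sid_block:
        return ("drop", "sid-destination-from-outside")
    if from_outside and src in sid_block:
        return ("drop", "sid-source-from-outside")
    if dst in sid_block or src in sid_block:
        return ("permit", "within-srv6-domain")
    # Nothing about extension headers is inspected: a packet carrying an SRH
    # but addressed outside the SID block is ordinary IPv6 to this filter.
    return ("permit", "non-sid-traffic")


def filter_batch(packets: Iterable[Packet]) -> List[Tuple[Packet, str, str]]:
    """Apply the edge rule to every packet and keep the verdict and reason."""
    return [(p, *edge_verdict(p)) for p in packets]


def summarize(packets: Iterable[Packet]) -> Dict[str, int]:
    """Count drops and permits over a batch."""
    counts = {"drop": 0, "permit": 0}
    for _, verdict, _ in filter_batch(packets):
        counts[verdict] += 1
    return counts


# Constructed sample traffic (2001:db8::/32 is the documentation prefix).
SAMPLE_PACKETS = [
    Packet("external", "2001:db8::1", "5f00:1::1", has_srh=True),         # drop
    Packet("internal", "5f00:2::1", "5f00:1::1", has_srh=True),           # permit
    Packet("external", "2001:db8::1", "2001:db8:ffff::1", has_srh=True),  # permit
    Packet("external", "5f00:9::1", "2001:db8::5"),                       # drop
]

if __name__ == "__main__":
    for pkt, verdict, reason in filter_batch(SAMPLE_PACKETS):
        print(f"{verdict:6} {reason:28} {pkt.ingress:8} {pkt.src} -> {pkt.dst}")
    print(summarize(SAMPLE_PACKETS))
```

The third sample packet is the one worth noticing: it carries an SRH but is addressed outside the SID block, and the filter lets it through because it only ever compares the source and destination against a prefix. That is exactly the property the draft gives a non-SRv6 network, and it is the same property a dedicated Ethertype would give at layer 2.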
_______________________________________________
spring mailing list
spring@ietf.org
https://www.ietf.org/mailman/listinfo/spring
