6MAN Working Group - Beijing IETF Meeting
Tuesday, 0900-1130, November 9, 2010, Valley Ballroom B

Chairs: Bob Hinden, Brian Haberman (didn't attend IETF79)
Jabber Room: 6man@jabber.ietf.org
Minutes taken by Suresh Krishnan and Ed Jankiewicz

============================================================

Agenda:

Introduction, Agenda Bashing, Document Status, Chairs, 10 min.

An uniform format for IPv6 extension headers, draft-ietf-6man-exthdr-00.txt, Suresh Krishnan, 10 min.

The IPv6 UDP Zero Checksum, draft-ietf-6man-udpzero-02.txt, draft-eubanks-chimento-6man-00.txt, Magnus Westerlund & Marshall Eubanks, 25 min.

Update to RFC 3484 Default Address Selection for IPv6, draft-ietf-6man-RFC3484-revise-01.txt, Arifumi Matsumoto, 15 min.

Using 127-bit IPv6 Prefixes on Inter-Router Links, draft-ietf-6man-prefixlen-p2p-00.txt, Miya Kohno, 10 min.

Duplicate Address Detection Proxy, draft-costa-6man-dad-proxy-01.txt, Jean-Michael Combes, 15 min.

Requirements for Addresses Registration, draft-jiang-6man-addr-registration-req-01.txt, Sheng Jiang, 15 min.

Update to the IPv6 flow label specification, draft-carpenter-6man-flow-update-04.txt, draft-carpenter-flow-ecmp-03.txt, Brian Carpenter, 30 min.

Security Assessment of the IPv6 Flow Label, draft-gont-6man-flowlabel-security-00.txt, Fernando Gont, 5 min.

Moving the Endpoint Identifier (EID) Option to Obsolete Status, draft-gont-6man-obsolete-eid-option-00.txt, Fernando Gont, 5 min.

Mitigating Teredo Routing Loop Attacks, draft-gont-6man-teredo-loops-00.txt, Fernando Gont, 5 min.

============================================================

Agenda bashing:

There were no changes to the proposed agenda.

============================================================

Document status:

Bob Hinden presented the working group document status.

Wojciech Dec objected to the adoption of the line identification draft as a working group item, since he believes it has technical issues and the Standards process was not followed.
Brian Carpenter stated that Wojciech was inflating the issue, since this draft has only been accepted as a WG item and any issues that come up could be fixed before it is approved for publication.

============================================================

Suresh Krishnan presented An uniform format for IPv6 extension headers
Draft: draft-ietf-6man-exthdr-00

Most issues in this draft have been resolved, but there was a new request by Manav Bhatia to add an options field to help intermediate nodes know what to do when handling unknown headers.

Dave Thaler thought that it would be useful to add bits for specifying drop/pass-through error behavior into the generic extension headers.
Shin Miyakawa agreed with Dave.
Bob wanted this change to be made to the document, and will start a working group last call once the new version is available.

============================================================

Magnus Westerlund presented IPv6 UDP Checksum Considerations
Draft: draft-ietf-6man-udpzero-02

The draft was significantly changed and restructured in this revision. The authors believe that the draft will be ready for WGLC after the next revision. The chairs will start a working group last call when the new draft is available.

------

Marshall Eubanks presented UDP Checksums for Tunneled Packets
Draft: draft-eubanks-chimento-6man-00

The authors requested the adoption of the draft as a WG item.

Dave Thaler supported doing so. He had a concern about the use of the port range to signal UDP zero checksum packets.
Jari Arkko agreed with Dave.
Tony Hain believed that end-points need to negotiate the use of this anyway and did not believe a spec change was required.
Magnus responded that an IETF specification cannot be approved while violating RFC2460.
Marshall also agreed that this is an explicit change to RFC2460 and cannot be sneaked through the IETF.
Tony mentioned that ignoring the value set in this field on the receiver does not constitute a violation of RFC2460.
Bob Hinden thought that it is an update to RFC2460 and is fair to discuss it at 6man.
Jari Arkko wanted the default behavior to be the one specified in RFC2460, with the UDP zero checksum behavior used only between consenting parties.
Tero Kivinen stated that UDP zero checksums are also useful for IPsec NAT traversal and believes that it has already been widely implemented.
Jari wanted Tero to write up a separate draft on the IPsec use of this.
Dave believed that the use of this needs to be opt-in and that no ports should be exempted by default, due to behaviors caused by intervening NATs.

There were no objections to adopting this draft as a 6man WG document.

============================================================

Arifumi Matsumoto presented the Update to RFC 3484 Default Address Selection for IPv6
Draft: draft-ietf-6man-rfc3484-revise-01

RFC 3484 describes algorithms for source address selection and for destination address selection. This document specifies a set of updates that modify the algorithms and fix the known defects. The authors believe that the document is ready for WGLC after the next revision.

He also presented draft-fujisaki-6man-addr-select-opt-00 and draft-hain-ipv6-rpf-icmp-00.

Mark Andrews believed that ULAs inside the same /48 prefix should be preferred, but did not want communication between different ULA prefixes to be prioritized over non-ULA prefixes. ULAs will leak and hosts should not use ULAs in this case.
Dave Thaler agreed with Mark.
Suresh Krishnan agreed with Mark that this is a good idea, but he saw no way to fix it in this document. A default policy cannot anticipate what ULA /48 addresses will be seen by a specific implementation.
Mark wanted to de-preference ULAs completely. He did not want implementations to use a ULA as source address for anything.
Dave Thaler believed that Mark's concerns could be addressed by Rule 1 - "avoid unusable destinations", if there was a way to figure out not to use a given ULA prefix.
Erik Nordmark wanted to know how the prefix length will be used for Rule 3. He wanted to limit the longest match to not go beyond the subnet prefix length and not assume /64 to be the prefix length. He wanted further discussion on this.

Request for adoption of draft-fujisaki:

Satoru Matsushima believed that the document is ready to adopt and any open issues could be addressed later.
Bob wanted to get the feel of the room on adopting this draft. There were 40 hands for and none against. The document will become a 6man working group document.

============================================================

Miya Kohno presented Using 127-bit IPv6 Prefixes on Inter-Router Links
Draft: draft-ietf-6man-prefixlen-p2p-00

The authors believed that the document is ready for WGLC, but wanted to know if any prefix longer than /64 (and not just /127) was acceptable.

Remi Despres believed that the arguments apply equally to other prefix lengths as well, but the users of such prefix lengths are not currently identified. He would like to add the other prefix lengths longer than /64 as well.
Randy Bush believes that this is limited to router-to-router links, and wanted to know how many people would make an issue of the discussion about shorter prefixes.
Suresh Krishnan mentioned that some of the arguments in the draft don't hold up well for prefixes shorter than /127 and hence the draft would need more work and discussion.
Wes George and Suresh Krishnan believed that it would be best to go forward without changes to accommodate shorter prefixes. Randy agreed.

The chairs will start a working group call after IETF79.

============================================================

Hongyu Li presented a proposal for Duplicate Address Detection Proxy
Draft: draft-costa-6man-dad-proxy-01

Dave Thaler wanted to know how the DAD proxy learns the addresses. He was concerned that the proposal required the link to always be fully reliable.
Hongyu believed that the entry can also be learnt from source addresses of data packets and not just by the DAD process.
Dave wanted this issue to be addressed along with all associated issues with a network node being authoritative for DAD.
Shreenivas Joshi wanted to know which BBF deployment model this proposal applied to.
Hongyu clarified that this applied only to the n:1 VLAN model.
Erik Nordmark wanted to know how liveness was checked in order to allow for nomadicity. He thinks that this issue needs to be fixed.
Suresh Krishnan believed that there was a generic issue with RFC4862 that needs to get fixed: a DAD failure does not result in retrying.
Wojciech Dec believes there is a wider problem in shared VLAN scenarios.
David Allan thinks that the n:1 VLAN model exists in non-BBF networks (e.g. MEF, Ethernet aggregation etc.) as well and needs to be addressed in the IETF.

Bob Hinden wanted to get the feel of the room on adopting this as a WG item. There were 8 hands for and 2 against. Bob saw enough interest in this draft for adoption as a WG item.

============================================================

Sheng Jiang presented Requirements for Addresses Registration
Draft: draft-jiang-6man-addr-registration-req-01

This document discusses the requirements for the registration of self-generated addresses in order to prevent conflicts with network-managed addresses.

Erik Nordmark believed that the 6man WG should not go into access control territory.
Ralph Droms wanted more details about the DHCPv6 work.
Jari Arkko wanted to know exactly what additional work was required. He believed that it was already possible to request a specific address from the DHCPv6 server.
Sheng mentioned that this information needs to be propagated past the DHCPv6 server, e.g. to the DNS server for registration.
Ralph mentioned that this was also already solved by dynamic DNS. He agreed with Erik Nordmark and did not want to get into access control territory.
Based on the discussion, Bob felt that this draft required more work before it could be adopted.

============================================================

Brian Carpenter presented an Update to the IPv6 flow label specification
Drafts: draft-carpenter-6man-flow-update-04, draft-carpenter-flow-ecmp-03

draft-carpenter-flow-ecmp-03

This draft describes how the restrictions on the use of the flow label field apply while using it for load balancing by equal-cost multipath routing, and for link aggregation, particularly for tunneled traffic.

Bob asked for the feel of the room on adoption. There were about 10 hands in favor and none against. Bob saw support for adoption of this draft as a 6man WG document.

draft-carpenter-6man-flow-update-04

This draft had changed considerably since the last revision.

Tony Hain wanted to know how to determine if the flow label has been set pseudo-randomly. He believed that having a rule for checking that did not make any sense. He also wanted the flow label to be protected by AH.
Shane Amante wanted to mention that end-to-end integrity checks would fail with a mutable flow label. He thought that intermediate nodes did not perform integrity checks on the flow label using AH and a proposal such as ECMP would work fine.
Dave Thaler wanted to clarify the cases where the "MUST NOT change flow label" applies, since the term "generally" was too vague.
Joel Halpern did not want the document to recommend changing the flow label and believed that the draft must strongly caution against changing the flow label in transit.
Shane believed that enterprise edge nodes already scrub the flow label and set it to 0 at ingress points.
Pascal Thubert wanted to know why the draft allowed the flow label to be changed only once.
Brian Carpenter did not see the point in resetting a pseudo-random value to another one.
Joel believed that network nodes should not change already set pseudo-random values, as the information that was used to determine such a value may no longer be available further downstream.
Remi Despres wanted to know about the effects on flow ordering.
Brian Carpenter was fine with making it a desired property, but believed that making it necessary is not compatible with the principles of the Internet (datagram oriented).
Chris Donley supported this approach, but wanted the usage to be open to other things than ECMP.
Greg Lebovitz (working on Juniper firewalls) talked about scrubbing flow labels to eliminate covert channels. He believed that using a "MUST NOT change" would not stop enterprises and firewall vendors from continuing to do the same. He believes that having a "MUST NOT" would cause issues with certification and RFPs.
Bob Hinden agreed that it is hard enough to specify what implementations need to do without trying to specify all the things they must not do.

Bob asked for the feel of the room on adoption. There were about 30 hands in favor and none against. Bob saw support for adoption of this draft as a 6man WG document.

Brian Carpenter mentioned that he would work on an RFC3697bis document separately.

============================================================

Fernando Gont presented a Security Assessment of the IPv6 Flow Label
Draft: draft-gont-6man-flowlabel-security-00

This document discusses the security implications of the IPv6 flow label and analyzes possible schemes for selecting the flow label value of IPv6 packets.

Shane Amante was concerned about the algorithm not being able to use the 5-tuple (including the protocol and port numbers) in the flow label calculations. He thought that the inclusion of the 5-tuple could be used to simplify routing. He was also concerned that flow labels for different flows may collide due to this.
Fernando believed that the algorithm already includes time and a counter in the calculation and already changes the flow label.
Suresh Krishnan wanted to know how the algorithm knew when to increment the counter, since the transport port numbers were not part of the calculation.
???: was concerned about on-path attackers being able to guess the number of flows.
Fernando believed that this was not possible.

Based on the discussion, Bob Hinden believed that this document required more discussion and needs to go to the mailing list.

============================================================

Fernando Gont presented Mitigating Teredo Routing Loop Attacks
Draft: draft-gont-6man-teredo-loops-00

Dave Thaler and Suresh Krishnan were fine with this draft proceeding further, but would prefer an AD-sponsored document after review by v6ops.
Bob asked Fernando to talk to the ADs offline (since they had already left the room) about the best place to work on this document.

============================================================

Fernando Gont presented Moving the Endpoint Identifier (EID) Option to Obsolete Status
Draft: draft-gont-6man-obsolete-eid-option-00

The working group was out of time to discuss this. Discussion will be taken up on the mailing list.

============================================================
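The receiver-side point from the UDP zero-checksum discussion above (draft-ietf-6man-udpzero-02 and draft-eubanks-chimento-6man-00: RFC 2460 behavior stays the default, and zero-checksum acceptance is opt-in with no ports exempt by default), as an added illustration that is not code from either draft: a UDP/IPv6 receiver that verifies the checksum over the RFC 2460 pseudo-header and accepts a zero checksum only for destination ports an operator has explicitly enabled. The addresses and ports are constructed sample values.

```python
import ipaddress
import struct

# Constructed sample endpoints (documentation prefix), not captured traffic.
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed
UDP_PROTO = 17


def udp6_checksum(src, dst, udp):
    """Internet checksum over the IPv6 pseudo-header (RFC 2460 section 8.1)
    plus the UDP datagram. The checksum field inside 'udp' must be zeroed."""
    pseudo = src + dst + struct.pack("!IxxxB", len(udp), UDP_PROTO)
    data = pseudo + udp
    if len(data) % 2:
        data += b"\x00"  # pad to a whole number of 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF  # a computed zero is transmitted as all ones

def build_udp6(src, dst, sport, dport, payload, zero_checksum=False):
    """Build a UDP datagram; zero_checksum=True emits the form under discussion."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    if zero_checksum:
        return hdr + payload
    csum = udp6_checksum(src, dst, hdr + payload)
    return hdr[:6] + struct.pack("!H", csum) + payload

def accept_udp6(src, dst, udp, zero_csum_ports=frozenset()):
    """Receiver policy: RFC 2460 default (zero checksum rejected) unless the
    destination port was explicitly opted in. Returns (accepted, reason)."""
    if len(udp) < 8:
        return False, "truncated UDP header"
    sport, dport, ulen, csum = struct.unpack("!HHHH", udp[:8])
    if ulen != len(udp):
        return False, "UDP length does not match datagram"
    if csum == 0:
        if dport in zero_csum_ports:
            return True, "zero checksum accepted: port %d opted in" % dport
        return False, "zero checksum rejected: RFC 2460 default"
    expected = udp6_checksum(src, dst, udp[:6] + b"\x00\x00" + udp[8:])
    if expected != csum:
        return False, "checksum mismatch"
    return True, "checksum verified"
```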