Hello,

I realised this has been raised before and I'd been asked to write to
the list, but I would appreciate some discussion on this point.

In Section 7.1.3, Address Range Filtering, there is a list of example
infrastructure address ranges to be used for SRv6 SIDs.
--
Some examples of an infrastructure address range for SIDs are:
1. ULA addresses
2. The prefix defined in [RFC9602]
3. GUA addresses
--
I have questions over the format, first and foremost: is this meant to
be an ordered list? Previous feedback was no, but this format has
persisted into the latest revision.

If it isn't intended to be ordered, then it must be unordered to prevent
the same ambiguity.

If it is intended to be ordered, I am concerned with ULA being preferred
over the purposely defined prefix in RFC9602. I do not feel that
recommending ULA is preferable to the use of a prefix defined
specifically for this use, which we now have (thank you Suresh).
--
Regardless of ordering, it is also very concerning that we include GUA
addressing in the list. I realise these are examples of what might be
done today, and that it might be "valid" for an operator to do (I would
disagree vehemently), but when discussing Security Considerations I
believe that we have a duty to represent such prefix ranges as something
other than equals -- they are not equal in respect of their use.

Replacing the text above, a suggestion for S7.1.3 might be as follows:

"Implementations of SRv6 should number SIDs within their trusted domain
from the reserved prefix as defined within RFC9602."

The prefix defined in RFC9602 is explicitly required to be filtered from
the Internet, and it is far less complex to filter when an organisation
is also utilising ULA or GUA in other networks adjacent to that of their
SRv6 domain. RFC9602 should be considered as 'the' prefix range to
utilise for these networks.
--
Tom
_______________________________________________
spring mailing list -- spring@ietf.org
To unsubscribe send an email to spring-le...@ietf.org
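
The filtering point raised in the message above, worked through as an added example (not part of the original message or of the draft): a domain-boundary filter that drops SID destinations is evaluated against two numbering plans. 5f00::/16 is the prefix assigned by RFC 9602; every other address, block and function name here is constructed for illustration.

```python
import ipaddress

RFC9602 = "5f00::/16"  # SRv6 SID prefix assigned by RFC 9602

def dropped(filter_blocks, dst):
    """True if a boundary filter that drops these destination blocks drops dst."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(b) for b in filter_blocks)

def evaluate(filter_blocks, sids, other_dsts):
    """Return (SIDs that leak past the filter, non-SID destinations it drops)."""
    leaks = [s for s in sids if not dropped(filter_blocks, s)]
    collateral = [d for d in other_dsts if dropped(filter_blocks, d)]
    return leaks, collateral

# Constructed numbering plans (documentation prefix and a made-up ULA, not from the draft).
# Non-SID destinations that must stay reachable across the boundary:
ADJACENT = ["fd12:3456:789a:10::25",   # ULA host in an adjacent network
            "2001:db8:40::80"]         # GUA service in an adjacent network

# Plan A: every SID is numbered from the RFC 9602 prefix.
PLAN_A_SIDS = ["5f00:0:1:e001::", "5f00:0:2:e001::"]
# Plan B: SIDs carved out of the operator's own ULA and GUA allocations.
PLAN_B_SIDS = ["fd12:3456:789a:ff01:e001::", "2001:db8:ff:2:e001::"]

def scenarios():
    return {
        # One static rule, no overlap with anything else the operator numbers.
        "A: drop 5f00::/16": evaluate([RFC9602], PLAN_A_SIDS, ADJACENT),
        # A coarse rule over the whole allocations also drops adjacent networks.
        "B: drop whole ULA /48 and GUA /32": evaluate(
            ["fd12:3456:789a::/48", "2001:db8::/32"], PLAN_B_SIDS, ADJACENT),
        # Precise rules hold only while every SID block is listed.
        "B: drop SID sub-blocks, GUA block missed": evaluate(
            ["fd12:3456:789a:ff00::/56"], PLAN_B_SIDS, ADJACENT),
    }

if __name__ == "__main__":
    for name, (leaks, collateral) in scenarios().items():
        print(f"{name}\n  leaked SIDs: {leaks}\n  collateral drops: {collateral}")
```
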