[WG chair hat off]

Tom:

Hi!

If I understand your proposal correctly, you're suggesting the following:

s/
Some examples of an infrastructure address range for SIDs are: 1. ULA
addresses 2. The prefix defined in [RFC9602] 3. GUA addresses
/
Implementations of SRv6 should number SIDs within their trusted domain
from the reserved prefix as defined within RFC9602.


Is that it?



I agree with the premise that all prefix ranges are not equal.  However, I
disagree with not mentioning ULA/GUA (which is the result of replacing the
text above).

As you suggest, if "we have a duty to represent such prefix ranges as
something other than equals", the document should explicitly point at the
risks of using them.  Note that even RFC9602 contains some text (in the
Security Considerations) about the case of not using the range defined
there.

My 2c.

Alvaro.

On August 26, 2025 at 10:54:13 AM, Tom Hill (t...@ninjabadger.net) wrote:

Hello,

I realised this has been raised before and I'd been asked to write to
the list, but I would appreciate some discussion on this point.

In Section 7.1.3, Address Range Filtering, there is a list of example
infrastructure address ranges to be used for SRv6 SIDs.

-- 

Some examples of an infrastructure address range for SIDs are:

1. ULA addresses
2. The prefix defined in [RFC9602]
3. GUA addresses

-- 

I have questions over the format, first and foremost; is this meant to
be an ordered list? Previous feedback was no, but this format has
persisted into the latest revision.

If it isn't intended to be ordered, then it must be unordered to prevent
the same ambiguity.

If it is intended to be ordered, I am concerned with ULA being preferred
over the purposely defined prefix in RFC9602. I do not feel that
recommending ULA is preferable to the use of a prefix defined
specifically for this use, which we now have (thank you Suresh).

-- 

Regardless of ordering, it is also very concerning that we include GUA
addressing in the list. I realise these are examples of what might be
done today, and that it might be "valid" for an operator to do (I would
disagree vehemently) but when discussing Security Considerations I
believe that we have a duty to represent such prefix ranges as something
other than equals -- they are not equal in respect of their use.

Replacing the text above, a suggestion for S7.1.3 might be as follows:

"Implementations of SRv6 should number SIDs within their trusted domain
from the reserved prefix as defined within RFC9602."

The prefix defined in RFC9602 is explicitly required to be filtered from
the Internet, and it is far less complex to filter when an organisation
is also utilising ULA or GUA in other networks adjacent to that of their
SRv6 domain. RFC9602 should be considered as 'the' prefix range to
utilise for these networks.

-- 
Tom

_______________________________________________
spring mailing list -- spring@ietf.org
To unsubscribe send an email to spring-le...@ietf.org