IETF Logo Mail Archive

Re: [bess] Erik Kline's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS)

Tony Przygienda <tonysietf@gmail.com> Thu, 17 February 2022 10:49 UTC

Return-Path: <tonysietf@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F8EB3A0AA1; Thu, 17 Feb 2022 02:49:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gAmogo1lXJFB; Thu, 17 Feb 2022 02:49:01 -0800 (PST)
Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B3E03A0AA4; Thu, 17 Feb 2022 02:49:01 -0800 (PST)
Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-2d66f95f1d1so27112927b3.0; Thu, 17 Feb 2022 02:49:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Son2AFdnEBSOLRAIWfj02PBHoN71fKwu9wJErv6MoeQ=; b=Mkp3sJCLtktzgOI7epR9SHbSI3dLMhU7YwmbDTb2OjRHvl9p6e7ILBz+nbe76D0lRY 2V/9kIvXGORCrcgLvycCd7FpCyZKg8tnM5FJ5XuPJdIgqurkePds2GsijR1h2zmIRzRY 6BnkHeAgQ8DobGpM9HiwkAbilDuVQ3BPLWL7FQaOpB/f86ylWhIbaEGAq4hX5URQKPvD u+9wZOF6C+sG9S7Hgm0DouoFvMPRNrIEMlgQhOQVXYlZnaoP3oXSLBtuwVf5T1JtES0q b3/17rsAd8qbGneHcVkdqCD/vXMMG0sNJ3Jjis4fKcuzmJv0d3ZbMz60nAOc3oo5zVSu fqYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Son2AFdnEBSOLRAIWfj02PBHoN71fKwu9wJErv6MoeQ=; b=A7c/MTMFNMjUUaG648oZA0LGaakM2m4XelUewJp41D1ch49gYaxlUn0g1dxSvLPgI/ IcRs1dZI1KFAsU7qKSq+EmxU1JCQphKe+qMGGEGrieJTb5emM5x3ZO+bkdaoTTVnXspZ 1RTzx3zLWhpyaNNjD9Ux90qu3kZPNjjp1gfcoM/Fo0uY4UYGtbyvmSoMsUO2RNNTyk/Q YUBtFp9NMxbRv+i6pWXNoiRqN0iYdr3G4/GdNtC9LpcQ4Cs7UbjVp0F3DVm0draywy6C 7PjesEcaN1yGUg/TaERKPWNnoLlADUSRTgwC73J3b1FkEZ2oGZ1xsYNcFpljoBigVJNK de1A==
X-Gm-Message-State: AOAM533cV0bgUcOy9z7xf/2d9wLbcXzu+CxedYt6os4TC3sbwh6MXyV1 kCAAi+698awXe7ZQEspbmlMnGX2TvDolFWCv+jf786F9Mi0=
X-Google-Smtp-Source: ABdhPJy/3n54PXJLRkctno2gkVNE88QxQkj4oGm8P6iV8DAPz64q/8MsmU7+hZTrbVv3xTG4x6fGRL1Z5z2uG0ilT4c=
X-Received: by 2002:a81:1803:0:b0:2ca:287c:6caa with SMTP id 3-20020a811803000000b002ca287c6caamr1947904ywy.335.1645094939895; Thu, 17 Feb 2022 02:48:59 -0800 (PST)
MIME-Version: 1.0
References: <164507779493.12793.548337102165449445@ietfa.amsl.com> <CAH6gdPyK=BjqwdkK8-GF6HOr6ubC7CocED5bTFBDPOB4zV-JRA@mail.gmail.com> <CA+wi2hNcAsoJOrPmHavbPEeGsNY6TKx7OFSq7B8jWdSXnXQWPA@mail.gmail.com> <CAH6gdPx-YBks3GNsueJA3-tFoCuKvQpyhK_3_+j-L098M=kW3w@mail.gmail.com>
In-Reply-To: <CAH6gdPx-YBks3GNsueJA3-tFoCuKvQpyhK_3_+j-L098M=kW3w@mail.gmail.com>
From: Tony Przygienda <tonysietf@gmail.com>
Date: Thu, 17 Feb 2022 11:48:23 +0100
Message-ID: <CA+wi2hO_7LyxyeOwUYe+XV3t64_nQudDqQENsjxJOi77qwOY0g@mail.gmail.com>
To: Ketan Talaulikar <ketant.ietf@gmail.com>
Cc: Erik Kline <ek.ietf@gmail.com>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, draft-ietf-bess-srv6-services@ietf.org, bess-chairs@ietf.org, The IESG <iesg@ietf.org>, BESS <bess@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000083ae9f05d8348376"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/A7L3S16gkC2wt0yOR7V2PCV6d4Q>
Subject: Re: [bess] Erik Kline's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2022 10:49:04 -0000

Ketan, yepp, 5.1.2 is roughly the CUG via ACL, add to it per service
protection (as in some external A can talk to service X but external B
cannot which now starts to push you into fragment the SRv6 "prefix" into
"per service space" if you want to aggregate), multiply that by the
downstream-upstream if you want to cross providers AFAIS (as in BGP
flowspec up/down shorewalling) and you have a pretty nice combinatorial
space. And BTW, source address is easily spoofed given the lack of BCP
implementations in the real world and with source routing technology one
can land those packets in unexpected places via unexpected routes. All that
looks to me like nothing comparable to a leaked internal loopback today
which was my whole point as in fallacy by  faulty analogy.

Unless I lost the thread completely which, given the amount of machinery
fielded by now ;-) could be excusable ...

-- tony


On Thu, Feb 17, 2022 at 11:37 AM Ketan Talaulikar <ketant.ietf@gmail.com>
wrote:

> Hi Tony,
>
> My apologies, but I am not able to understand your emails entirely. I
> wonder if this text below helps explain:
> https://datatracker.ietf.org/doc/html/rfc8754#section-5.1
>
> Thanks,
> Ketan
>
>
> On Thu, Feb 17, 2022 at 3:40 PM Tony Przygienda <tonysietf@gmail.com>
> wrote:
>
>>
>>
>>
>>>
>>>> But I'm prepared to learn why this wouldn't work or would be somehow
>>>> worse.
>>>>
>>>
>>> KT> It isn't necessary nor required because SRv6 locators are just IPv6
>>> prefixes that are already covered by IGP/BGP extensions for IPv6 routing. A
>>> provider that uses global IPv6 addresses in their infrastructure (e.g. for
>>> their BGP and other routing sessions, on their router links and loopback,
>>> for DHCP, AAA, etc.) already do routing for those prefixes via IGP/BGP.
>>> These are not advertised (nor leaked) out into the Internet since doing so
>>> can result in attacks on their internal network and infrastructure. They
>>> are protected via BGP configuration to stop leaks and then again by ACLs at
>>> Internet Border Routers to prevent attacks via the data path. This still
>>> remains the case to be done for SRv6 locators - they are similarly the
>>> service provider's "internal" infrastructure.
>>>
>>>
>> I'm confounded by the recent line of reasoning  of SRv6 proponents.  An
>> IPv6 address is NOT a service access point, it's a routable address,
>> history shows us that we can protect against services on the device being
>> attacked through that (though it took some work like proper ICMP handling).
>> SRv6 endpoints here are really service endpoints, unless we have a CUG
>> security architecture in place, how do we protect services here without
>> having CUG style filters on the whole edge?  with SRv6 services giving
>> people a service access point and a tunneling technology where someone via
>> v6 routing can built a tunnel to hit the service is a different beast
>> altogether than protecting reachability (routable addresses) and I fear
>> pretty soon we're looking @ routers going very, very deep into the "IPv6"
>> packet to make sure there aren't some magic options on the packet
>> source-routing it in funky ways towards service endpoints that will accept
>> the packet.
>>
>> --- tony
>>
>

v2.31.3 | Report a Bug | By Email | System Status