Re: [bess] Erik Kline's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS)
Ketan Talaulikar <ketant.ietf@gmail.com> Thu, 17 February 2022 16:47 UTC
Return-Path: <ketant.ietf@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B73DC3A0C1B; Thu, 17 Feb 2022 08:47:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XbdWjBJjdzpk; Thu, 17 Feb 2022 08:47:43 -0800 (PST)
Received: from mail-vk1-xa2a.google.com (mail-vk1-xa2a.google.com [IPv6:2607:f8b0:4864:20::a2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B5653A0C06; Thu, 17 Feb 2022 08:47:42 -0800 (PST)
Received: by mail-vk1-xa2a.google.com with SMTP id n14so3362640vkk.6; Thu, 17 Feb 2022 08:47:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K3xRtuC+GD21n9olNxGq6UgGbdY9PkCnq8YfS5WYHP4=; b=l3C8b9yLAsPUanG9OxnuqkDQHZhqNG5KGOVLjdkdUgcag4T2W4ZPE6+rUVn092yzTy Oaw4oN71R/AzAIC7guLYn3VF006goCabTy8FPp57nT0JWjbU4JStOWWDa1qd8ULCb2/h T2MOYK+Aow9QhxYWlb0K1i6zBaRYuJqSVp6rMw/pdhgCMZUMLv1aNZv318OOtwdBDVRY pT7LQXq6ZzgpsBpohXa2dHIJ7qBwPjpz2KH0TacHSJ3g1BcP19hWCNU2tgposSqi6Ek5 t+fFRDn+zhZiEUZDFYCKO5mxLhgODDwg3mWHUSYbEWGekA6K84YEd+oins980DnT/+iz gxdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K3xRtuC+GD21n9olNxGq6UgGbdY9PkCnq8YfS5WYHP4=; b=7Zz9fLxNbekskzgHvhFnpgObFuZfctlJug0DAU5t9suPFVv0Ih59aigu9XQshjI/LB Pt8Iu5FN1rGZ49Nn8YTK4ns+15YhoBpFoLkQJhxseLW8Jw0wmEmTqkC8Jef3BlU82TJY +OHbJqGk6DerR6WpLL3yihrvFOfV3qdJ8XacMG2LaQtriukedmrks06JV2LDmotlYmVQ GcnYFBPv8aawRHhYWqWK9wKjMDGjRUbTKAA7roGGH2JkNCqY+OvNh3NqVv/vdTf6p3Ld K35gpxCMheWFsqUwkq+yXAaVWodpcoEhUVwRFbofUKTpGtp1Nf4FlwaGC0gXb5vF7d/l H6ng==
X-Gm-Message-State: AOAM530vVdnt/CNDEiXsuxqOd7Gx0dkm1o/zSYoJ6UkLquxoaEeWCy70 it1nKr7eFH8mUa1XGlVEE4Y6lsW+56LsJcU9S08=
X-Google-Smtp-Source: ABdhPJzkB8XVMV8HM/rwgh5ytAjteZrBjGWZ9Tt8eoXgI9nYSitOn+Aea/kky/DefTjWaxJdsWXCPDoSC4JQFK6nTj8=
X-Received: by 2002:a05:6122:a1f:b0:32d:a4a4:6c27 with SMTP id 31-20020a0561220a1f00b0032da4a46c27mr1561173vkn.14.1645116459868; Thu, 17 Feb 2022 08:47:39 -0800 (PST)
MIME-Version: 1.0
References: <164507779493.12793.548337102165449445@ietfa.amsl.com> <CAH6gdPyK=BjqwdkK8-GF6HOr6ubC7CocED5bTFBDPOB4zV-JRA@mail.gmail.com> <CA+wi2hNcAsoJOrPmHavbPEeGsNY6TKx7OFSq7B8jWdSXnXQWPA@mail.gmail.com> <CAH6gdPx-YBks3GNsueJA3-tFoCuKvQpyhK_3_+j-L098M=kW3w@mail.gmail.com> <CA+wi2hO_7LyxyeOwUYe+XV3t64_nQudDqQENsjxJOi77qwOY0g@mail.gmail.com>
In-Reply-To: <CA+wi2hO_7LyxyeOwUYe+XV3t64_nQudDqQENsjxJOi77qwOY0g@mail.gmail.com>
From: Ketan Talaulikar <ketant.ietf@gmail.com>
Date: Thu, 17 Feb 2022 22:17:27 +0530
Message-ID: <CAH6gdPz7sL4_RAphLQhu7q5ompvLazzHZXUub4e3W6GgEkYpFQ@mail.gmail.com>
To: Tony Przygienda <tonysietf@gmail.com>
Cc: Erik Kline <ek.ietf@gmail.com>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, draft-ietf-bess-srv6-services@ietf.org, bess-chairs@ietf.org, The IESG <iesg@ietf.org>, BESS <bess@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000034646805d8398667"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/V6R2ETppqShvdYISb8RsHEI_77s>
Subject: Re: [bess] Erik Kline's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2022 16:47:49 -0000
Hi Tony,
Indeed, perhaps you might have lost the thread here ;-)
Things are pretty simple (unless one wants to over-complicate) and covered
in the base SRv6 standards-track RFC8754. Let me put it down here:
1. Any packet entering the SR domain and destined to a SID within
the SR domain is dropped. This may be realized with the
following logic. Other methods with equivalent outcome are
considered compliant:
* Allocate all the SIDs from a block S/s
* Configure each external interface of each edge node of the
domain with an inbound infrastructure access list (IACL) that
drops any incoming packet with a destination address in S/s
* Failure to implement this method of ingress filtering exposes
the SR domain to source-routing attacks, as described and
referenced in [RFC5095
<https://datatracker.ietf.org/doc/html/rfc5095>]
I can understand the argument that someone that is doing this manually on
router CLIs today could miss this on some interface. But with the
templates, automation, and other tools available today, I find it hard to
agree when this filtering is called "complex", "not possible" and
"handwaving". Especially, when operators have already done this in their
deployments.
@Erik Kline <ek.ietf@gmail.com>
In any case, none of this is being newly introduced in the document under
discussion nor changed by it.
Thanks,
Ketan
On Thu, Feb 17, 2022 at 4:19 PM Tony Przygienda <tonysietf@gmail.com> wrote:
> Ketan, yepp, 5.1.2 is roughly the CUG via ACL, add to it per service
> protection (as in some external A can talk to service X but external B
> cannot which now starts to push you into fragment the SRv6 "prefix" into
> "per service space" if you want to aggregate), multiply that by the
> downstream-upstream if you want to cross providers AFAIS (as in BGP
> flowspec up/down shorewalling) and you have a pretty nice combinatorial
> space. And BTW, source address is easily spoofed given the lack of BCP
> implementations in the real world and with source routing technology one
> can land those packets in unexpected places via unexpected routes. All that
> looks to me like nothing comparable to a leaked internal loopback today
> which was my whole point as in fallacy by faulty analogy.
>
> Unless I lost the thread completely which, given the amount of machinery
> fielded by now ;-) could be excusable ...
>
> -- tony
>
>
> On Thu, Feb 17, 2022 at 11:37 AM Ketan Talaulikar <ketant.ietf@gmail.com>
> wrote:
>
>> Hi Tony,
>>
>> My apologies, but I am not able to understand your emails entirely. I
>> wonder if this text below helps explain:
>> https://datatracker.ietf.org/doc/html/rfc8754#section-5.1
>>
>> Thanks,
>> Ketan
>>
>>
>> On Thu, Feb 17, 2022 at 3:40 PM Tony Przygienda <tonysietf@gmail.com>
>> wrote:
>>
>>>
>>>
>>>
>>>>
>>>>> But I'm prepared to learn why this wouldn't work or would be somehow
>>>>> worse.
>>>>>
>>>>
>>>> KT> It isn't necessary nor required because SRv6 locators are just IPv6
>>>> prefixes that are already covered by IGP/BGP extensions for IPv6 routing. A
>>>> provider that uses global IPv6 addresses in their infrastructure (e.g. for
>>>> their BGP and other routing sessions, on their router links and loopback,
>>>> for DHCP, AAA, etc.) already do routing for those prefixes via IGP/BGP.
>>>> These are not advertised (nor leaked) out into the Internet since doing so
>>>> can result in attacks on their internal network and infrastructure. They
>>>> are protected via BGP configuration to stop leaks and then again by ACLs at
>>>> Internet Border Routers to prevent attacks via the data path. This still
>>>> remains the case to be done for SRv6 locators - they are similarly the
>>>> service provider's "internal" infrastructure.
>>>>
>>>>
>>> I'm confounded by the recent line of reasoning of SRv6 proponents. An
>>> IPv6 address is NOT a service access point, it's a routable address,
>>> history shows us that we can protect against services on the device being
>>> attacked through that (though it took some work like proper ICMP handling).
>>> SRv6 endpoints here are really service endpoints, unless we have a CUG
>>> security architecture in place, how do we protect services here without
>>> having CUG style filters on the whole edge? with SRv6 services giving
>>> people a service access point and a tunneling technology where someone via
>>> v6 routing can built a tunnel to hit the service is a different beast
>>> altogether than protecting reachability (routable addresses) and I fear
>>> pretty soon we're looking @ routers going very, very deep into the "IPv6"
>>> packet to make sure there aren't some magic options on the packet
>>> source-routing it in funky ways towards service endpoints that will accept
>>> the packet.
>>>
>>> --- tony
>>>
>>
- [bess] Erik Kline's Discuss on draft-ietf-bess-sr… Erik Kline via Datatracker
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Ketan Talaulikar
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Tony Przygienda
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Ketan Talaulikar
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Tony Przygienda
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Ketan Talaulikar
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Ketan Talaulikar