IETF Logo Mail Archive

Re: [bess] Warren Kumari's Discuss on draft-ietf-bess-srv6-services-10: (with DISCUSS and COMMENT)

Gyan Mishra <hayabusagsm@gmail.com> Mon, 14 February 2022 07:47 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB4A43A0B47; Sun, 13 Feb 2022 23:47:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OPIjQJInB3Sm; Sun, 13 Feb 2022 23:47:30 -0800 (PST)
Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B448D3A088F; Sun, 13 Feb 2022 23:47:30 -0800 (PST)
Received: by mail-pl1-x634.google.com with SMTP id y18so9876954plb.11; Sun, 13 Feb 2022 23:47:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2bgRSeSpMm4uZkWi7SFtoB/Hz38hsw2mjeB88bC2FZw=; b=pzk/Gu/aK8Z4E3yGdox2cdqSTyKClIZlssNI7msjtLp7Kl7VOGlpl7kAcxqBBCbW9V yO+ULZwDarIpwKN0PxrROT4ClsLr6s9pG0+E7oA/800eIukgk38d7gQNdXSfu27n+MrK 58P2k0tL5DmGgtnoXdng7EFQu2EooUqSHd5bnNN47vXr3I2kFaC1bkwCo7oBcdPD1wBw CG9XVz/qSfcjeNKpQRwMWEujAHijZdLzfdBSYdx+kvA/JHnRvaiTutA48/h3++0XegqG n8P/ufWo+XKEN3TeazfS1rXinl4DnQvEim4E/PClNw+9t6rEU1tcDKzyQF2qLmo3erHF v/oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2bgRSeSpMm4uZkWi7SFtoB/Hz38hsw2mjeB88bC2FZw=; b=I5py+m14rLt71V2rSY2rUbT0GHV7ENpDaDkY+Ja2QrikZ9M5BvYTI/uG/vnx55Wcpc vJaLBI8x3BMcDKNTvn1hVT/b8B23sJnRTis4vUDvtCbMr9D3blH6zukL9/Lj1L5i5YbO 5LMmIgNj8dAVnFs+Z5p2o3Y15vcH+TWQtSZLoaQCu1TN0EkMvcGtNWz+Nc7Zvga4Yd55 GW60IxEKa0piQxZ+RjGrWzaIlAu/jr9KEyx5lwm3chZxzJk5ofH1nF7Hr/FV6O3YeaqQ ORHszvVZk+VF1IYOeQcUrIV652t5NDS8wh7eN5e4W1i7LcX/CmUlKd57t6DP0wSgXFII KlQg==
X-Gm-Message-State: AOAM530CXbeQOZThqI9SBCgoXqpPMAN9Mbi9wcfy+J8sGMnxA8FgTbjY 6QI4UVlgAkPk6/S4y71FLObMaNd7Yrh/iZ/RufikgzZU
X-Google-Smtp-Source: ABdhPJyHvAB8RbNJxb9pa0c8+qJav0jq2ta/NILufmltiUQZ/l0GK2nNtiS4hT4xp2bSAe/2SLxCya+ASBHJEDp51do=
X-Received: by 2002:a17:902:8f94:: with SMTP id z20mr1356765plo.100.1644824848859; Sun, 13 Feb 2022 23:47:28 -0800 (PST)
MIME-Version: 1.0
References: <164462070317.8057.6829026572175337017@ietfa.amsl.com> <CAOj+MMFtGVoaoj-L5Wv2yZz+HpQ3JLehvtBHtxrfG0-wCfko8g@mail.gmail.com> <AM7PR03MB64511292D62F62956411ED67EE319@AM7PR03MB6451.eurprd03.prod.outlook.com> <CAOj+MMFA3jq7XOB4nB8A2t+A2iuty25NMB+9x5NTHTeVdcz9+Q@mail.gmail.com> <AM7PR03MB64515E34B0CD23E44D7EB83BEE319@AM7PR03MB6451.eurprd03.prod.outlook.com> <CAH6gdPwgkfGHJyD9p4tAzGTTy4-vNRhNdzgTA=LgzxzPbZp7zw@mail.gmail.com>
In-Reply-To: <CAH6gdPwgkfGHJyD9p4tAzGTTy4-vNRhNdzgTA=LgzxzPbZp7zw@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Mon, 14 Feb 2022 02:47:18 -0500
Message-ID: <CABNhwV06gwPBy-32PHaJbY+adEjeP1x4UtGQiYrBW4gWa_s2Cw@mail.gmail.com>
To: Ketan Talaulikar <ketant.ietf@gmail.com>
Cc: Andrew - IETF <andrew-ietf@liquid.tech>, BESS <bess@ietf.org>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, Robert Raszuk <robert@raszuk.net>, The IESG <iesg@ietf.org>, Warren Kumari <warren@kumari.net>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "draft-ietf-bess-srv6-services@ietf.org" <draft-ietf-bess-srv6-services@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d5865d05d7f5a0aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/gRkaUJcFAq1B22dvrVgACh2lGNM>
Subject: Re: [bess] Warren Kumari's Discuss on draft-ietf-bess-srv6-services-10: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Feb 2022 07:47:36 -0000

Hi Ketan

I agree with you that for B section 5.3 and 5.4  IPv4 and IPv6 global table
over SRv6 core does bring filtering aspects to the security considerations
to ensure that the operators SRv6 infrastructure block does not get leaked
from the global table to the internet over eBGP peer as well as
infrastructure ACLs to prevent access to SRv6 infrastructure IPs per RFC
8402 section 8.2.

I don’t see any other security issues other than what is described in RFC
8402 section 8.2.

I agree as well that this security consideration is no different then
precautions taken today on an operators network.

Kind Regards

Gyan

On Mon, Feb 14, 2022 at 12:55 AM Ketan Talaulikar <ketant.ietf@gmail.com>
wrote:

> Hi Warren/All,
>
> This draft specifies broadly two types of BGP Services over SRv6:
>
> A) VPN Services (L3VPN & EVPN) - Sec 5.1, 5.2 & 6
> B) Global Internet Services - Sec 5.3, 5.4
>
> As explained by my co-author Robert, the operations and mechanisms for VPN
> services are similar to what we've had with MPLS. I believe we are all on
> the same page on this one based on the discussions between Andrew and
> Robert and that there is no new concern as far as (A).
>
> Now (B) does bring in filtering aspects (as mentioned in the security
> considerations) to ensure that the SRv6 block that is meant for use
> internal to the operator's network (i.e. SR domain) does not get
> leaked/advertised out from the default table on the Internet Border Router
> (IBR) over to an eBGP peer. This is similar to the precautions that
> operators take today to prevent their infrastructure addresses from being
> leaked to the Internet. The filters in BGP are also accompanied by ACLs at
> the IBRs to prevent traffic destined for those infrastructure IPs from
> entering into the operator network. This is the same in the case of SRv6 as
> well.
>
> I hope that clarifies and we can update the text to convey these aspects
> better.
>
> Thanks,
> Ketan
>
>
> On Sun, Feb 13, 2022 at 12:21 AM Andrew - IETF <andrew-ietf@liquid.tech>
> wrote:
>
>> Hi Robert,
>>
>>
>>
>> 5.3 Also opens the door to SAFI 1 – since you can v6 over v4 using AFI  1
>>  / SAFI 1 using what is defined in RFC8950, in fact, it is explicit.
>>
>>
>>
>> Section 5.3 is titled Global IPv4 over SRv6 core – this correlates with
>> the example in section 6.1 of RFC8950 – which states:
>>
>>
>>
>>
>>
>>    The extensions defined in this document may be used as discussed in
>>
>>    [RFC5565 <https://datatracker.ietf.org/doc/html/rfc5565>] for the interconnection of IPv4 islands over an IPv6
>>
>>    backbone.  In this application, Address Family Border Routers (AFBRs;
>>
>>    as defined in [RFC4925 <https://datatracker.ietf.org/doc/html/rfc4925>]) advertise IPv4 NLRI in the MP_REACH_NLRI
>>
>>    along with an IPv6 next hop.
>>
>>
>>
>>    The MP_REACH_NLRI is encoded with:
>>
>>
>>
>>    *  AFI = 1
>>
>>
>>
>>    *  SAFI = 1
>>
>>
>>
>>    *  Length of Next Hop Address field = 16 (or 32)
>>
>>
>>
>>    *  Next Hop Address = IPv6 address of the next hop
>>
>>
>>
>>    *  NLRI = IPv4 routes
>>
>>
>>
>>    During BGP Capability Advertisement, the PE routers would include the
>>
>>    following fields in the Capabilities Optional Parameter:
>>
>>
>>
>>    *  Capability Code set to "Extended Next Hop Encoding"
>>
>>
>>
>>    *  Capability Value containing <NLRI AFI=1, NLRI SAFI=1, Nexthop
>>
>>       AFI=2>
>>
>>
>>
>> As I say, if you were to remove the references to global and 5.3/5.4
>> which explicitly reference it and bring SAFI 1 into play – there would be
>> far less concern from my side, I can’t speak for anyone else, but that
>> would be my feeling
>>
>>
>>
>> Thanks
>>
>>
>>
>> Andrew
>>
>>
>>
>>
>>
>>
>>
>> *From:* Robert Raszuk <robert@raszuk.net>
>> *Sent:* Saturday, February 12, 2022 9:37 PM
>> *To:* Andrew - IETF <andrew-ietf@liquid.tech>
>> *Cc:* Warren Kumari <warren@kumari.net>; Bocci, Matthew (Nokia - GB) <
>> matthew.bocci@nokia.com>; draft-ietf-bess-srv6-services@ietf.org;
>> bess-chairs@ietf.org; The IESG <iesg@ietf.org>; BESS <bess@ietf.org>
>> *Subject:* Re: Warren Kumari's Discuss on
>> draft-ietf-bess-srv6-services-10: (with DISCUSS and COMMENT)
>>
>>
>>
>> Hi Andrew,
>>
>>
>>
>> When I read Warren's note Iooked at this text from section 2 which says:
>>
>>
>>
>> - - -
>>
>>
>>
>>    The SRv6 Service TLVs are defined as two new TLVs of the BGP Prefix-
>>    SID Attribute to achieve signaling of SRv6 SIDs for L3 and L2
>>    services.
>>
>>    o  SRv6 L3 Service TLV: This TLV encodes Service SID information for
>>       SRv6 based L3 services.  It corresponds to the equivalent
>>       functionality provided by an MPLS Label when received with a Layer
>>       3 service route as defined in [RFC4364] [RFC4659] [RFC8950]
>>       [RFC9136].  Some SRv6 Endpoint behaviors which MAY be encoded, but
>>       not limited to, are End.DX4, End.DT4, End.DX6, End.DT6, etc.
>>
>>    o  SRv6 L2 Service TLV: This TLV encodes Service SID information for
>>       SRv6 based L2 services.  It corresponds to the equivalent
>>       functionality provided by an MPLS Label1 for Ethernet VPN (EVPN)
>>       Route-Types as defined in [RFC7432].  Some SRv6 Endpoint behaviors
>>       which MAY be encoded, but not limited to, are End.DX2, End.DX2V,
>>       End.DT2U, End.DT2M etc.
>>
>>    When an egress PE is enabled for BGP Services over SRv6 data-plane,
>>    it signals one or more SRv6 Service SIDs enclosed in SRv6 Service
>>    TLV(s) within the BGP Prefix-SID Attribute attached to MP-BGP NLRIs
>>    defined in [RFC4760] [RFC4659] [RFC8950] [RFC7432] [RFC4364]
>>    [RFC9136] where applicable as described in Section 5 and Section 6.
>>
>>    The support for BGP Multicast VPN (MVPN) Services [RFC6513] with SRv6
>>    is outside the scope of this document.
>>
>>
>>
>> - - -
>>
>>
>>
>> This limits the overlay signalling to non global SAFIs mainly SAFI 128
>> and SAFI 70.
>>
>>
>>
>> To your note SAFI 4 is private and never exchanged in the wild. Also SAFI
>> 2 is multicast which is out of scope of this draft.
>>
>>
>>
>> The only thing which we need to sync on is indeed section 5.4 and use of
>> global IPv6 AFI 2 & SAFI 1
>>
>>
>>
>> Many thx,
>>
>> R.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Sat, Feb 12, 2022 at 7:11 PM Andrew - IETF <andrew-ietf@liquid.tech>
>> wrote:
>>
>> Robert,
>>
>>
>>
>> I have to say that I have very similar readings on parts of the draft.
>>
>>
>>
>> Let’s look at it –
>>
>>
>>
>> 5.1 uses the IPv4-VPN NLRI – That would seem to indicate AFI 1 / SAFI 4
>>
>> 5.2 – Uses AFI 2 / SAFI 4 from my reading
>>
>> 5.3 – According to RFC8950 – allows advertisement over SAFI 1, 2 or 4
>>
>> 5.4 – To my reading – very much refers to AFI 2 / SAFI 1.
>>
>>
>>
>> I would agree if this document limited itself to 5.1 and 5.2 – it doesn’t
>> – and therefore I have to agree with the thoughts expressed in Warrens
>> Discuss.  If I am wrong about 5.3 and 5.4, let’s chat and help me
>> understand this better, and then lets potentially see if we can work up
>> some wording that would clarify this if that is what is required.
>>
>>
>>
>> Thanks
>>
>>
>>
>> Andrew
>>
>>
>>
>>
>>
>> *From:* iesg <iesg-bounces@ietf.org> *On Behalf Of *Robert Raszuk
>> *Sent:* Saturday, February 12, 2022 8:26 PM
>> *To:* Warren Kumari <warren@kumari.net>
>> *Cc:* Bocci, Matthew (Nokia - GB) <matthew.bocci@nokia.com>;
>> draft-ietf-bess-srv6-services@ietf.org; bess-chairs@ietf.org; The IESG <
>> iesg@ietf.org>; BESS <bess@ietf.org>
>> *Subject:* Re: Warren Kumari's Discuss on
>> draft-ietf-bess-srv6-services-10: (with DISCUSS and COMMENT)
>>
>>
>>
>> Hi Warren,
>>
>>
>>
>> Thank you for your Discuss. But before we start discussing it perhaps it
>> would be good to align on what this document really defines as I am sensing
>> from your description there can be some disconnect (modulo some text may be
>> indeed misleading in the draft).
>>
>>
>>
>> You said:
>>
>>
>>
>> > However, we all know that BGP leaks happen -- and when they do, the
>> SID’s
>> > contained in the leak will be logged by various systems and hence
>> available to
>> > the public into perpetuity.
>>
>>
>>
>> I think the term BGP is used here a bit too broadly.
>>
>>
>>
>> Leaks do happen but only within global AFI/SAFIs. This draft defines
>> extensions for L3VPN and L2VPNs SAFIs which are not used to peer outside of
>> a domain, collection of domains under same administration +
>> of course inter-as also could happen.
>>
>>
>>
>> With that being said I do not see risk that due to leaking there could be
>> a situation where customer networks are exposed in any way externally -
>> leaving alone that to even get at the transport level to the customer
>> facing PE is also filtered and never allowed from outside. But this is out
>> of scope of this document as here the focus is not on underlay but overlay.
>>
>>
>>
>> Now when I re-read this I see why there is a little piece perhaps
>> misleading. The draft makes a claim that it is applicable to RFC8950 which
>> defines use of NHv6 with both unicast and VPN AFs. That needs to be made
>> clear that it is applicable to the latter only. If other co-authors believe
>> this is applicable to the former your DISCUSS section would indeed be
>> valid.
>>
>>
>>
>> Many thx,
>>
>> R.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Sat, Feb 12, 2022 at 12:05 AM Warren Kumari via Datatracker <
>> noreply@ietf.org> wrote:
>>
>> Warren Kumari has entered the following ballot position for
>> draft-ietf-bess-srv6-services-10: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
>> for more information about how to handle DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-bess-srv6-services/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> The Security Considerations section says: "The service flows between PE
>> routers
>> using SRv6 SIDs advertised via BGP are expected to be limited within the
>> trusted SR domain (e.g., within a single AS or between multiple ASes
>> within a
>> single provider network).  Precaution should be taken to ensure that the
>> BGP
>> service information (including associated SRv6 SID) advertised via BGP
>> sessions
>> are limited to peers within this trusted SR domain." This is related to
>> (from
>> RFC8402): "Therefore, by default, the explicit routing information MUST
>> NOT be
>> leaked through the boundaries of the administered domain."
>>
>> However, we all know that BGP leaks happen -- and when they do, the SID’s
>> contained in the leak will be logged by various systems and hence
>> available to
>> the public into perpetuity.
>>
>> While the document states that border filtering should protect against
>> traffic
>> injection, this does not cover the case of internal compromise. Sure,
>> there is
>> the argument that once there is an internally compromised system, all
>> bets are
>> off -- but with this, an attacker that knows the SIDs in e.g inject
>> traffic
>> into a VPN. This seems to me to significantly expand the attack surface to
>> include the customer's networks too.
>>
>> Not only does an operator have to ensure that BGP leaks never occur, they
>> have
>> to then ensure that at no point can there be any filter lapses at any
>> border
>> node, and be able to guarantee the security of every device, server and
>> machine
>> within the domain in order for a secure posture to be maintained. Simply
>> saying
>> that precautions should be taken to make sure that route leak don't
>> occur, when
>> the consequences of doing so are a: severe and b: hard to recover from
>> seems to
>> not really cover it. In addition, it seems that the blast radius from a
>> missing
>> ACL seems much larger if it allows injections.
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> I'm still reviewing the document, but wanted to get an initial ballot in,
>> so
>> that we could start discussing it. Hopefully someone can help my
>> understand how
>> this doesn't expand the consequences of a BGP leak.
>>
>> _______________________________________________
> BESS mailing list
> BESS@ietf.org
> https://www.ietf.org/mailman/listinfo/bess
>
-- 

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *

*Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*



*M 301 502-1347*

v2.23.0 | Report a Bug | By Email