[Idr] Re: Secdir early review of draft-ietf-idr-cpr-03
"Dongjie (Jimmy)" <jie.dong@huawei.com> Mon, 17 June 2024 03:22 UTC
Return-Path: <jie.dong@huawei.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3C38C18DBAC; Sun, 16 Jun 2024 20:22:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D4s1Q52NY5Et; Sun, 16 Jun 2024 20:22:31 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CD6AC14F69D; Sun, 16 Jun 2024 20:22:31 -0700 (PDT)
Received: from mail.maildlp.com (unknown [172.18.186.31]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4W2Ztw1S6hz6K5nF; Mon, 17 Jun 2024 11:22:16 +0800 (CST)
Received: from lhrpeml500001.china.huawei.com (unknown [7.191.163.213]) by mail.maildlp.com (Postfix) with ESMTPS id A6957140B2F; Mon, 17 Jun 2024 11:22:28 +0800 (CST)
Received: from dggpemf100009.china.huawei.com (7.185.36.128) by lhrpeml500001.china.huawei.com (7.191.163.213) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Mon, 17 Jun 2024 04:22:27 +0100
Received: from kwepemf100006.china.huawei.com (7.202.181.220) by dggpemf100009.china.huawei.com (7.185.36.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Mon, 17 Jun 2024 11:22:25 +0800
Received: from kwepemf100006.china.huawei.com ([7.202.181.220]) by kwepemf100006.china.huawei.com ([7.202.181.220]) with mapi id 15.02.1544.011; Mon, 17 Jun 2024 11:22:25 +0800
From: "Dongjie (Jimmy)" <jie.dong@huawei.com>
To: Brian Weis <bew.stds@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Secdir early review of draft-ietf-idr-cpr-03
Thread-Index: AQHavSY4bkU0EOGz1U6OdeoAGt4UXLHLR5uw
Date: Mon, 17 Jun 2024 03:22:24 +0000
Message-ID: <eb3ba7d38c46423fbd63b741283219b8@huawei.com>
References: <171823746660.6417.16481661290070415097@ietfa.amsl.com>
In-Reply-To: <171823746660.6417.16481661290070415097@ietfa.amsl.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.112.40.66]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Message-ID-Hash: JVDPLJV7TGKGN5N6HA4RIOHYBJVM2M4M
X-Message-ID-Hash: JVDPLJV7TGKGN5N6HA4RIOHYBJVM2M4M
X-MailFrom: jie.dong@huawei.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-idr.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-ietf-idr-cpr.all@ietf.org" <draft-ietf-idr-cpr.all@ietf.org>, "idr@ietf.org" <idr@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Idr] Re: Secdir early review of draft-ietf-idr-cpr-03
List-Id: Inter-Domain Routing <idr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/0s-TPjb1-ZNqKRf8hDHLKqZGsIg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Owner: <mailto:idr-owner@ietf.org>
List-Post: <mailto:idr@ietf.org>
List-Subscribe: <mailto:idr-join@ietf.org>
List-Unsubscribe: <mailto:idr-leave@ietf.org>
Hi Brian, Thanks for your review and comments. Please see some replies inline: > -----Original Message----- > From: Brian Weis via Datatracker [mailto:noreply@ietf.org] > Sent: Thursday, June 13, 2024 8:11 AM > To: secdir@ietf.org > Cc: draft-ietf-idr-cpr.all@ietf.org; idr@ietf.org > Subject: Secdir early review of draft-ietf-idr-cpr-03 > > Reviewer: Brian Weis > Review result: Has Issues > > I have reviewed this document as part of the security directorate's ongoing > effort to review all IETF documents being processed by the IESG. These > comments were written primarily for the benefit of the security area > directors. Document editors and WG chairs should treat these comments > just like any other last call comments. > > The summary of the review is Has Issues. > > This document introduces Colored Prefix Routing (CPR), which allows > cooperating IPv6 domains to implement a common “intent” policy for > handling particular IPv6 packets. Examples of “intent” policy are low-delay > or high-bandwidth. IPv6 segment routing is a key part of the solution, and > “intent” is declared by choosing a particular > IPv6 address for each intent, where the per-intent addresses are defined > within a a subnet associated with a Provider Edge (PE) node. > Thus when a packet is to be routed to that PE using a particular intent, the > initial PE encapsulates that packet in a Segment Header where the final IPv6 > address in the Segment Header is the “intent” > address advertised by the domain containing the destination. It seems to be > expected that each domain in between has a mapping of the “intent” > address and the “intent” and will treat it accordingly. > And if not, then the packet will still be routed properly. (I believe this is a > accurate summary, but apologies if I’ve used imprecise > language.) > > Existing BGP and Segment Header definitions are used; this document > proposes no new packet formats or attributes. > > One threat is considered in the Security Considerations section, which is the > the fact that routes to the “intent” IPv6 addresses will add to the size of the > routing table, which typically has an upper bound of routes that can be > maintained. This is a valid Availability issue. The text concludes the impact of > adding routes to the additional IPv6 addresses is acceptable, and I don’t > have any reason to believe otherwise. > > There is a potential Privacy issue associated with marking “intent” > using IP addresses. Consider a man-in-the-middle attacker between domains > who ascertains the mapping between “intent” and its IPv6 address. They can > then accurately target flows matching that intent to/from that PE router. By > way of example, assume the attacker is targeting voice calls for a particular > domain and the domain shares an “intent” for telephony (e.g.., “low-delay”). > The attacker could then easily target those phone calls for surveillance > and/or extracting copies of the packet flow for offline analysis. I would > suggest adding a new paragraph to Security Considerations describing the > attack as something like: “Because there is a mapping between intent and an > SRv6 identifier, and the SRv6 identifier is observable within the inter-domain > path, it is possible for a man-in-the-middle attacker to identify packets > associated with a particular intent.” > > I don’t have a suggestion for how to mitigate the attack as I don’t believe > the Segment Header can be encrypted. Thanks for pointing out this. I agree that the mapping relationship between the intent and the IPv6 prefix are observable since the BGP messages are not encrypted, thus there is risk with the man-in-the-middle attack. We will add a new paragraph as you suggested. While this is similar to other intent-based routing mechanisms, such as BGP CAR/CT and or inter-domain SR Policy, since the packets will also be encapsulated with an SRH to fulfil the intent. > The Security Considerations section suggests that it “does not introduce any > additional security considerations than those described in [RFC4271] and > [RFC4272]”. If the issue mentioned above is addressed it won't be true that > the document doesn't introduce any additional security considerations. I > would suggest changing the sentence to something like “Security > Considerations described in [RFC4271] and [RFC4272] apply.” Also consider > adding RFC 8754 (IPv6 Segment Routing > Header) to the list. Thanks for the suggestion, I agree with the proposed change and will update the draft accordingly. Best regards, Jie >
- [Idr] Secdir early review of draft-ietf-idr-cpr-03 Brian Weis via Datatracker
- [Idr] Re: Secdir early review of draft-ietf-idr-c… Dongjie (Jimmy)