RE: Questions regarding the security mechanisms//RE: CRH and RH0

Ron Bonica <rbonica@juniper.net> Fri, 22 May 2020 17:35 UTC

From: Ron Bonica <rbonica@juniper.net>
To: Nick Hilliard <nick@foobar.org>, "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>
CC: 6man <6man@ietf.org>
Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0
Date: Fri, 22 May 2020 17:35:03 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/nWIP8AqPDyuRWlzD-fM_cVxSHKI>

Nick,

Good point. I will add this to the next draft version.

                                  Ron



-----Original Message-----
From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Nick Hilliard
Sent: Friday, May 22, 2020 1:03 PM
To: Xiejingrong (Jingrong) <xiejingrong@huawei.com>
Cc: 6man <6man@ietf.org>
Subject: Re: Questions regarding the security mechanisms//RE: CRH and RH0


Xiejingrong (Jingrong) wrote on 22/05/2020 17:16:
> Hi John,
> I have read the analysis you provided in previous message.
> The "very helpful" is to the layered security mode:
> https://en.wikipedia.org/wiki/Layered_security
> To the RH security problem we are discussing:
> (1) the border ACLs may fail to deploy. For example, there may be 1 border router (among 1000) is not configured correctly.
> (2) a border router may be compromised (RFC8279 "If a BFIR is compromised"), the ACLs on the border router may be modified.

A useful second line of defence would be to recommend that all CRH-capable nodes drop packets containing CRHs if either the SID is unknown or the packet comes from a source IP address outside the CRH domain.
The perimeter of the domain will presumably already use regular iACLs to protect the internal infrastructure from spoofing attacks.  If your iACLs fail, you have bigger problems.

Good point though - something like this should go into the security considerations section.

Nick

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
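The drop rule Nick proposes above (discard a CRH packet whose source lies outside the CRH domain or whose SID list contains an entry the node does not know), written out as an added example; this is not code from the thread or from the CRH draft. It assumes a CRH-16 layout of a 4-octet routing-header preamble followed by 16-bit SIDs, an assumed routing-type value, the convention that SID[0..SegmentsLeft-1] are the entries still to be looked up, and constructed domain prefixes, SIDs and packets.

```python
import ipaddress
import struct

NH_ROUTING = 43          # IPv6 Routing Header (well-known protocol number)
CRH16_ROUTING_TYPE = 5   # assumed routing-type value for CRH-16 (example only)

def build_crh16_packet(src, dst, sids, seg_left):
    """Construct an IPv6 packet whose only extension header is a CRH-16 (test input)."""
    body = b"".join(struct.pack("!H", s) for s in sids)
    body += b"\x00" * ((-(4 + len(body))) % 8)           # pad header to a multiple of 8 octets
    rh = struct.pack("!BBBB", 59, (4 + len(body)) // 8 - 1, CRH16_ROUTING_TYPE, seg_left) + body
    fixed = struct.pack("!IHBB", 6 << 28, len(rh), NH_ROUTING, 64)   # version 6, hop limit 64
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + rh

def parse_crh16(pkt):
    """Return (src, SIDs still to be looked up) if pkt carries a CRH-16, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(pkt[8:24])
    if pkt[6] != NH_ROUTING:
        return None                                       # no routing header at all
    rh = pkt[40:]
    _nh, ext_len, rtype, seg_left = struct.unpack("!BBBB", rh[:4])
    if rtype != CRH16_ROUTING_TYPE:
        return None                                       # some other routing type
    # Hdr Ext Len counts 8-octet units beyond the first 8; SID[0..SegmentsLeft-1] are still to be used.
    if len(rh) < 8 * (ext_len + 1) or 4 + 2 * seg_left > 8 * (ext_len + 1):
        raise ValueError("malformed CRH-16")
    return src, list(struct.unpack(f"!{seg_left}H", rh[4:4 + 2 * seg_left]))

def crh_policy(pkt, domain_prefixes, crh_fib):
    """Proposed second line of defence: returns (drop?, reason) for one received packet."""
    try:
        parsed = parse_crh16(pkt)
    except (ValueError, struct.error) as exc:
        return True, f"malformed: {exc}"                 # a node should not forward what it cannot parse
    if parsed is None:
        return False, "no CRH present"                   # rule does not apply; other filters decide
    src, sids = parsed
    if not any(src in net for net in domain_prefixes):
        return True, f"source {src} outside CRH domain"
    unknown = sorted(s for s in sids if s not in crh_fib)
    if unknown:
        return True, f"unknown SID(s) {unknown}"
    return False, "accepted"

DOMAIN = [ipaddress.IPv6Network("2001:db8:1::/48")]      # constructed CRH domain prefix
FIB = {100, 200, 300}                                    # constructed CRH-FIB of this node
print(crh_policy(build_crh16_packet("2001:db8:2::1", "2001:db8:1::2", [300, 200], 2), DOMAIN, FIB))
```

The malformed-header branch is deliberately a drop as well: the iACLs at the perimeter only see the outer addresses, so a node's own parse failure is the last place a bad CRH can be caught.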