RE: Questions regarding the security mechanisms//RE: CRH and RH0

Ron Bonica <rbonica@juniper.net> Sat, 16 May 2020 15:10 UTC

From: Ron Bonica <rbonica@juniper.net>
To: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>, Tom Herbert <tom@herbertland.com>
CC: qinfengwei <qinfengwei@chinamobile.com>, Bob Hinden <bob.hinden@gmail.com>, "Darren Dukes (ddukes)" <ddukes@cisco.com>, 6man <6man@ietf.org>
Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0
Date: Sat, 16 May 2020 15:09:45 +0000
Message-ID: <DM6PR05MB6348648F1BAF44E736E99E4CAEBA0@DM6PR05MB6348.namprd05.prod.outlook.com>
References: <23488ea0d4eb474c9d7155086f940dae@huawei.com> <006c01d62aa1$8c195520$a44bff60$@com> <DM6PR05MB634863122645FD4981B97F71AEBD0@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S35thGuTgTmCFozU=3MULW8V95OwA5GdqQ7OGrA-agR7Hw@mail.gmail.com> <891ccad03b484c7386ab527d89143f8c@huawei.com>
In-Reply-To: <891ccad03b484c7386ab527d89143f8c@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/4lyIiyKJBdn_sJTL8tLqlgJCVio>

Jingrong,

The following comments are applicable to all Routing headers, not just the SRH and CRH.

As we learned in RFC 5095, a Routing header can be used as an attack vector. Therefore, a node should not process a Routing header without some assurance that the Routing header came from a trusted source. AFAICS, there are only two ways to achieve this assurance:

	- With ACLs at the network edge
	- With cryptographic protection

Cryptographic protection at each and every segment endpoint is impractical. Therefore, we have only two choices:

	- Deploy ACLs at the network edge
	- Give up on Routing headers. Deprecate all existing Routing headers, for the same reason that we deprecated RH0. Never specify another Routing header.

Ron




-----Original Message-----
From: Xiejingrong (Jingrong) <xiejingrong@huawei.com> 
Sent: Saturday, May 16, 2020 2:36 AM
To: Tom Herbert <tom@herbertland.com>; Ron Bonica <rbonica@juniper.net>
Cc: qinfengwei <qinfengwei@chinamobile.com>; Bob Hinden <bob.hinden@gmail.com>; Darren Dukes (ddukes) <ddukes@cisco.com>; 6man <6man@ietf.org>
Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0


<...snip the redundant text, see the in-line reply marked with [XJR]>

Hi!

That raises an interesting question. Can a protocol specification have a normative MUST requirement for correctness or security that is dependent on completely external properties? If this is saying that the ACLs are implemented as part of the CRH datapath then that might be reasonable, but if this is saying that ACLs must be deployed at every possible edge node outside of the CRH processing that doesn't seem like it could be a MUST in a protocol specification (and this might be coming close to the general but effectively useless requirement that the underlying network MUST be secure and correct for the protocol to be secure and correct).

[XJR] Good catch that "ACLs must be deployed at every possible edge node outside of the CRH processing" makes it difficult to deploy.
[XJR] But if this "MUST" is weakened to any extent, I am afraid the said RFC 5095 attack could come from the Internet.

Also, I think you might want to mention that AH should be used to protect the routing header when security is a concern. AH is part of the protocol suite and doesn't depend on external factors other than what's happening at the end points. Normative requirements are appropriate for security via AH.

[XJR] Agreed that AH could help to ensure the source is legitimate, as the RFC 8754 HMAC does. But there is no mandatory AH/HMAC in this draft.
[XJR] Once an attack packet passes through the border router, there is no additional protection like the "complemented per-node protection" in RFC 8754 section 5.1.

Thanks
Jingrong

Tom
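The edge ACL that Ron describes, and Jingrong's point that nothing downstream re-checks a packet once it is past the border router, can be illustrated with an added example that is not from this thread or from any router vendor: a Python model of the border filter that walks the IPv6 extension-header chain to find a Routing header, drops RH0 outright (RFC 5095) and admits any other Routing type only when the source address falls inside a configured trusted prefix. The `build_packet` helper, the `2001:db8::/32` prefixes and the verdict strings are constructed for the example; the header layouts follow RFC 8200 (Routing, Hop-by-Hop, Fragment headers) and RFC 4302 (AH length encoding).

```python
import ipaddress
import struct

# IPv6 Next Header values (IANA protocol numbers).
HOPOPT, ROUTING, FRAGMENT, AH, NO_NEXT_HEADER, DSTOPTS = 0, 43, 44, 51, 59, 60
# Routing Types: 0 is RH0 (deprecated by RFC 5095), 4 is the SRH (RFC 8754).
RH0, SRH = 0, 4


def find_routing_header(pkt: bytes):
    """Walk the extension-header chain of an IPv6 packet and return
    (routing_type, segments_left) for the first Routing header, or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while off + 2 <= len(pkt):
        if nh == ROUTING:
            if off + 4 > len(pkt):
                raise ValueError("truncated Routing header")
            return pkt[off + 2], pkt[off + 3]
        if nh in (HOPOPT, DSTOPTS):
            hdr_len = (pkt[off + 1] + 1) * 8   # Hdr Ext Len: 8-octet units, first 8 excluded
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4   # AH Payload Len: 4-octet units, minus 2
        elif nh == FRAGMENT:
            hdr_len = 8
        else:
            return None                        # upper-layer header or No Next Header
        nh, off = pkt[off], off + hdr_len
    return None


def edge_policy(pkt: bytes, trusted_prefixes):
    """Border-router ACL decision for one packet, as (verdict, reason).
    Policy (constructed for the example): RH0 is always dropped; any other
    Routing type is admitted only from a trusted source prefix."""
    src = ipaddress.IPv6Address(pkt[8:24])
    rh = find_routing_header(pkt)
    if rh is None:
        return "permit", "no Routing header"
    rtype, segments_left = rh
    if rtype == RH0:
        return "drop", "RH0 is deprecated (RFC 5095)"
    if any(src in prefix for prefix in trusted_prefixes):
        return "permit", f"Routing type {rtype} (segments left {segments_left}) from trusted source {src}"
    return "drop", f"Routing type {rtype} from untrusted source {src}"


def build_packet(src, dst, routing_type=None, segments=(), hbh=False):
    """Constructed test packet: IPv6 header, optional Hop-by-Hop header,
    optional Routing header, then no payload (Next Header = 59)."""
    chain = []
    if routing_type is not None:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in segments)
        # Next Header, Hdr Ext Len, Routing Type, Segments Left, 4 type-specific octets
        chain.append(struct.pack("!BBBB", NO_NEXT_HEADER, len(addrs) // 8,
                                 routing_type, len(segments)) + b"\x00" * 4 + addrs)
    if hbh:
        nh = ROUTING if routing_type is not None else NO_NEXT_HEADER
        # Next Header, Hdr Ext Len 0, PadN option filling the remaining 6 octets
        chain.insert(0, struct.pack("!BB", nh, 0) + b"\x01\x04\x00\x00\x00\x00")
    ext = b"".join(chain)
    first_nh = HOPOPT if hbh else (ROUTING if routing_type is not None else NO_NEXT_HEADER)
    hdr = struct.pack("!IHBB", 0x60000000, len(ext), first_nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext


# Constructed policy: only this prefix is inside the trusted domain.
TRUSTED = [ipaddress.IPv6Network("2001:db8:1::/48")]
INSIDE, OUTSIDE, DST = "2001:db8:1::10", "2001:db8:9::10", "2001:db8:2::1"

if __name__ == "__main__":
    samples = {
        "SRH from inside":       build_packet(INSIDE, DST, SRH, [DST]),
        "SRH from outside":      build_packet(OUTSIDE, DST, SRH, [DST]),
        "RH0 from inside":       build_packet(INSIDE, DST, RH0, [DST]),
        "plain packet":          build_packet(OUTSIDE, DST),
        "HBH then SRH, outside": build_packet(OUTSIDE, DST, SRH, [DST], hbh=True),
    }
    for name, pkt in samples.items():
        verdict, reason = edge_policy(pkt, TRUSTED)
        print(f"{name:24s} {verdict:6s} {reason}")
```

The chain walk matters because a Routing header need not be the first extension header; a filter that only inspects the byte at offset 6 would admit the "HBH then SRH" case. Real border routers implement this in hardware with their own ACL syntax, and the example only models the decision they have to make.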