Re: Applicability of AH in draft-ietf-6man-segment-routing-header-19
Tom Herbert <tom@herbertland.com> Mon, 27 May 2019 19:00 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0A7B1201F3 for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 12:00:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6yIyYkhhNZF4 for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 12:00:48 -0700 (PDT)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65263120219 for <ipv6@ietf.org>; Mon, 27 May 2019 12:00:48 -0700 (PDT)
Received: by mail-qk1-x736.google.com with SMTP id w187so8913611qkb.11 for <ipv6@ietf.org>; Mon, 27 May 2019 12:00:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4r26arjjzrIv0NzQQl58fBiWihHp+55r1yRPLfqNllY=; b=PbezLljTb3RKhzUDYMV/2L5rUhKByeucY3spgDfM3F74RwkGo0o2h2yDaFIBBPKXzN c/6Q7+Iu2i3eQWz7851++XckbopnhDIR4OZOgOu8l/5xbfjYR0rwf2vXjtawvFZik5nz jjLCgvf/yQPje8AOz1CPAFtstyYmOS8p0NVVXpy1tkeqeU3wmkG92jNJXwUMvIt7iNjc /d2jXWZZc9AGtoP3tqa7rTtyoaVDn8rssPPKfvgyEwQQh0iRDiU+jp/g+8okyEUZzu32 1Smu49DO0R8EV26egV+W9iY3LryuQyHPvAdEuoK+dNU4Jh2pgOdaAOlhq1GqgPTAln4U bW1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4r26arjjzrIv0NzQQl58fBiWihHp+55r1yRPLfqNllY=; b=Xxz0dQ6nih9c7gxj12h+Noe0j/cNK+mtgJSGUspkUD9Ge36vn3jrhm/wx9wdL7B43m NMO5iaBkcForPYZaTjzqZ5AcT8T7D9OU9vwJxXbId8LU4pG7KjmhIZEzIBAZOtsZbxXt dSzhDjEdrxBE5Axe4r+g/FK1PjU1OZMGswe+JbY/zqwpO6bwtGSXxkOqf6mIrn/tjomC QkqQO12mK3qAvBaFiil9Aq8P4HAnXGcn30YWpbALcIa+SNhP+Lou9vPf8nmeCxce8rzU 6wJDcLR+LzhetXVgrTOJ9Mv6Aczb+TLR7FSrxhpCunErTcgo5UvkA7u0CdL3HL1+vKqF 7VKg==
X-Gm-Message-State: APjAAAVrmNX0llYbLUHKuz7Fofzn8QxhjoOPQofuh/cevISkaWTvt1XS qF08SHCjEDKU1WhreStd3zPUWd9UOFMNohVgL8oBBQ==
X-Google-Smtp-Source: APXvYqw9dU+AKm9bZ0xZGYQivavp8lelxuYXhR53ndDK2eX8Y+GXA5Oa3Ja8rFJZbz+C3wdbFrt0GainRcHW9EROhp8=
X-Received: by 2002:ac8:100c:: with SMTP id z12mr8938611qti.96.1558983647269; Mon, 27 May 2019 12:00:47 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S35sMsiCD-YiTZBZzXDHKsNfVmWuR-YFVDZwgwc4rNit=g@mail.gmail.com> <7F90FE0E-3983-42DC-87E7-7C580C92A05D@cisco.com>
In-Reply-To: <7F90FE0E-3983-42DC-87E7-7C580C92A05D@cisco.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 27 May 2019 12:00:36 -0700
Message-ID: <CALx6S34G1+sZjDJXUjvdMuKTst4TqyncxeJCeytbos-VFWzm4Q@mail.gmail.com>
Subject: Re: Applicability of AH in draft-ietf-6man-segment-routing-header-19
To: "Darren Dukes (ddukes)" <ddukes@cisco.com>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ECTeoxFAk0-CQqpTEw-bO1_EllM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 May 2019 19:01:00 -0000
On Mon, May 27, 2019 at 10:40 AM Darren Dukes (ddukes) <ddukes@cisco.com> wrote: > > This text was sent to the list and had support in April. > It's part of the consensus reached around not defining AH processing in the draft. > Darnen, Nevertheless, it is still misleading and not relevant to the normative requirements of the document. I believe this paragraph can simply be removed without loss of content or clarity. Tom > Darren > > > > > On May 24, 2019, at 11:58 AM, Tom Herbert <tom@herbertland.com> wrote: > > > > Hello, > > > >> From section 7.5: > > "The SR Domain is a trusted domain, as defined in [RFC8402] Section 2 > > and Section 8.2. The SR Source is trusted to add an SRH (optionally > > verified via the HMAC TLV in this document), and segments advertised > > within the domain are trusted to be accurate and advertised by trusted > > sources via a secure control plane. As such the SR Domain does not > > rely on the Authentication Header (AH) as defined in [RFC4302] to > > secure the SRH." > > > > This is misleading on several fronts. > > > > First, this equates a trusted SR Domain as being a guaranteed secured > > domain. It's not. Even RFC8402 says: "The use of best practice to > > reduce the risk of tampering within the trusted domain is important.". > > So security mechanisms within the IP protocols are still required. > > > > Secondly, this seems to somehow equate HMAC TLV functionality with AH. > > They are not equivalent. AH is end-to-end authentication and covers > > all extension headers and the IP header, HMAC TLV only covers select > > fields in SRH and is end-to-something where there is no guidance > > offered as to what that "something" is supposed to be (this is > > precarious in itself since it allows valid configurations where > > sources are setting HMAC TLV, but nobody in the path actually is > > verifying it leading to a false sense of security). If anything, AH is > > a superset of HMAC TLV. > > > > So, I don't see any argument here that AH is any more unneeded in an > > SR domain versus any other network, nor any argument that HMAC TLV is > > somehow superior to AH for security in an SR domain. I suggest to > > remove this whole paragraph and just keep the next paragraph that AH > > will be defined in other documents. Let users decide what security > > measures (AH, HMAC TLV, edge filtering, etc.) are appropriate for > > their paritcular network... > > > > Tom > > > > -------------------------------------------------------------------- > > IETF IPv6 working group mailing list > > ipv6@ietf.org > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > > -------------------------------------------------------------------- >
- Applicability of AH in draft-ietf-6man-segment-ro… Tom Herbert
- Re: Applicability of AH in draft-ietf-6man-segmen… Darren Dukes (ddukes)
- Re: Applicability of AH in draft-ietf-6man-segmen… Tom Herbert
- Re: Applicability of AH in draft-ietf-6man-segmen… Ole Troan
- Re: Applicability of AH in draft-ietf-6man-segmen… Joel M. Halpern
- Re: Applicability of AH in draft-ietf-6man-segmen… Tom Herbert
- Re: Applicability of AH in draft-ietf-6man-segmen… Ole Troan
- Re: Applicability of AH in draft-ietf-6man-segmen… Ole Troan
- Re: Applicability of AH in draft-ietf-6man-segmen… Tom Herbert