IETF Logo Mail Archive

RE: Questions regarding the security mechanisms//RE: CRH and RH0

"Xiejingrong (Jingrong)" <xiejingrong@huawei.com> Fri, 22 May 2020 15:36 UTC

Return-Path: <xiejingrong@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0CD13A0AE5 for <ipv6@ietfa.amsl.com>; Fri, 22 May 2020 08:36:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8haryks0GNPV for <ipv6@ietfa.amsl.com>; Fri, 22 May 2020 08:36:48 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD4C93A0C36 for <6man@ietf.org>; Fri, 22 May 2020 08:36:43 -0700 (PDT)
Received: from lhreml732-chm.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id A33D54C27632EE85A532; Fri, 22 May 2020 16:36:42 +0100 (IST)
Received: from nkgeml706-chm.china.huawei.com (10.98.57.153) by lhreml732-chm.china.huawei.com (10.201.108.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Fri, 22 May 2020 16:36:41 +0100
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by nkgeml706-chm.china.huawei.com (10.98.57.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Fri, 22 May 2020 23:36:39 +0800
Received: from nkgeml705-chm.china.huawei.com ([10.98.57.154]) by nkgeml705-chm.china.huawei.com ([10.98.57.154]) with mapi id 15.01.1913.007; Fri, 22 May 2020 23:36:39 +0800
From: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>
To: Ron Bonica <rbonica@juniper.net>, Tom Herbert <tom@herbertland.com>
CC: qinfengwei <qinfengwei@chinamobile.com>, Bob Hinden <bob.hinden@gmail.com>, "Darren Dukes (ddukes)" <ddukes@cisco.com>, 6man <6man@ietf.org>
Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0
Thread-Topic: Questions regarding the security mechanisms//RE: CRH and RH0
Thread-Index: AdYqA0uTBELEk8r7RxOFOlq1QjWhwwAniBKgABOLx4D//5diAP/+48oAgAJHkoD/9gXv8A==
Date: Fri, 22 May 2020 15:36:39 +0000
Message-ID: <b5bb9c6a394f48a8a465da79b3cccae7@huawei.com>
References: <23488ea0d4eb474c9d7155086f940dae@huawei.com> <006c01d62aa1$8c195520$a44bff60$@com> <DM6PR05MB634863122645FD4981B97F71AEBD0@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S35thGuTgTmCFozU=3MULW8V95OwA5GdqQ7OGrA-agR7Hw@mail.gmail.com> <891ccad03b484c7386ab527d89143f8c@huawei.com> <DM6PR05MB6348648F1BAF44E736E99E4CAEBA0@DM6PR05MB6348.namprd05.prod.outlook.com>
In-Reply-To: <DM6PR05MB6348648F1BAF44E736E99E4CAEBA0@DM6PR05MB6348.namprd05.prod.outlook.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.45.189.60]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/FR5sCflamfgyMxYY2e6pXeO0Jow>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2020 15:36:53 -0000

Hi Ron,

Basically I agree with your analysis. The question is:
(1) Deploy ACLs at the network edge ---- The ACL currently specified in CRH draft is NOT widely available for network edge, thus left the CRH facing almost the same security threats as RH0.
(2) Give up on Routing headers ---- Not necessary, because the RFC8754 has setup the paradigm of RH with solid security mechanism.

More detailed questions below are still unanswered [[Q1, Q2, Q3, Additional thoughts to Q1, Additional thoughts to Q2]]:
https://mailarchive.ietf.org/arch/msg/ipv6/03xzpXXRQFn0G2reYf1SS3c0208/

Frankly, I think this could be solved if you think about the security mechanism from RFC8754.
That's what I learned carefully after there were concerns about the security deployment of BIERv6:
https://tools.ietf.org/html/draft-xie-bier-ipv6-encapsulation-06#section-5.1

Thanks
Jingrong

-----Original Message-----
From: Ron Bonica [mailto:rbonica@juniper.net] 
Sent: Saturday, May 16, 2020 11:10 PM
To: Xiejingrong (Jingrong) <xiejingrong@huawei.com>; Tom Herbert <tom@herbertland.com>
Cc: qinfengwei <qinfengwei@chinamobile.com>; Bob Hinden <bob.hinden@gmail.com>; Darren Dukes (ddukes) <ddukes@cisco.com>; 6man <6man@ietf.org>
Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0

Jingrong,

The following comments are applicable to all Routing headers, not just the SRH and CRH.

As we learned in RFC 5095, a Routing header can be used as an attack vector. Therefore, a node should not process a Routing header without some assurance that the Routing header came from a trusted source. AFAICS, there are only two ways to achieve this assurance:

	- With ACLs at the network edge
	- With cryptographic protection

Cryptographic protection at each and every segment endpoint is impractical. Therefore, we have only two choices:

	- Deploy ACLs at the network edge
	- Give up on Routing headers. Deprecate all existing Routing headers, for the same reason that we deprecated RH0. Never specify another Routing header.

                                                                  Ron



Juniper Business Use Only

-----Original Message-----
From: Xiejingrong (Jingrong) <xiejingrong@huawei.com> 
Sent: Saturday, May 16, 2020 2:36 AM
To: Tom Herbert <tom@herbertland.com>; Ron Bonica <rbonica@juniper.net>
Cc: qinfengwei <qinfengwei@chinamobile.com>; Bob Hinden <bob.hinden@gmail.com>; Darren Dukes (ddukes) <ddukes@cisco.com>; 6man <6man@ietf.org>
Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0

[External Email. Be cautious of content]


<...snip the redundant text, see the in-line reply marked with [XJR]> Hi!

That raises an interesting question. Can a protocol specification have a normative MUST requirement for correctness or security that is dependent on completely external properties? If this is saying that the ACLs are implemented as part of the CRH datapath then tht might be reasonable, but if this is saying that ACLs must be deployed at every possible edge node outside of the CRH processing that doesn't seem like it could be a MUST in a protocol specification (and this might be coming close to the general but effectively useless requirement that the underlying network MUST be secure and correct for the protocol to be secure and correct).

[XJR] Good catch that "ACLs must be deployed at every possible edge node outside of the CRH processing" makes it difficult to deployable.
[XJR] But If this "MUST" is weaken to any extent, I am afraid the said RFC5095 attack could be from Internet.

Also, I think you might want to mention that AH should be used to protect the routing header when security is a concern. AH is part of the protocol suite and doesn't depend on external factors other than what's happening at the end points. Normative requirements are appropriate for security via AH.

[XJR] Agreed that AH could help to ensure the Source is from a legitimate source as RFC8754 HMAC does. But there is no mandatory AH/HMAC in this draft.
[XJR] Once an attack packet pass through the border router, there is no additional protection like the "complemented per-node protection" in RFC8754 section 5.1.

Thanks
Jingrong

Tom

v2.23.0 | Report a Bug | By Email