RE: CRH Draft Update - Security Considerations Section
"Xiejingrong (Jingrong)" <xiejingrong@huawei.com> Wed, 27 May 2020 14:49 UTC
Return-Path: <xiejingrong@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B9DB3A0E6F for <ipv6@ietfa.amsl.com>; Wed, 27 May 2020 07:49:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FyDlDCRBptlW for <ipv6@ietfa.amsl.com>; Wed, 27 May 2020 07:49:20 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25A243A0E6E for <6man@ietf.org>; Wed, 27 May 2020 07:49:20 -0700 (PDT)
Received: from lhreml724-chm.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id DA1D7736A88744010964 for <6man@ietf.org>; Wed, 27 May 2020 15:49:17 +0100 (IST)
Received: from nkgeml708-chm.china.huawei.com (10.98.57.160) by lhreml724-chm.china.huawei.com (10.201.108.75) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Wed, 27 May 2020 15:49:17 +0100
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by nkgeml708-chm.china.huawei.com (10.98.57.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Wed, 27 May 2020 22:49:14 +0800
Received: from nkgeml705-chm.china.huawei.com ([10.98.57.154]) by nkgeml705-chm.china.huawei.com ([10.98.57.154]) with mapi id 15.01.1913.007; Wed, 27 May 2020 22:49:14 +0800
From: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>
To: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, 6man <6man@ietf.org>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Subject: RE: CRH Draft Update - Security Considerations Section
Thread-Topic: CRH Draft Update - Security Considerations Section
Thread-Index: AdYzpDm5mk94cwa6SjqC/Hej0heh0gAjlKYw
Date: Wed, 27 May 2020 14:49:14 +0000
Message-ID: <79913f262b4e4f8cbac75e74e91bf844@huawei.com>
References: <DM6PR05MB63488B772FA7D035EC028C5CAEB00@DM6PR05MB6348.namprd05.prod.outlook.com>
In-Reply-To: <DM6PR05MB63488B772FA7D035EC028C5CAEB00@DM6PR05MB6348.namprd05.prod.outlook.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.45.162.202]
Content-Type: multipart/alternative; boundary="_000_79913f262b4e4f8cbac75e74e91bf844huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/I0zz5d60P-BKYX9nm-471KpEpYY>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 14:49:23 -0000
Hi ! I don't represent 'everyone' but only make some points of my own. Please see inline below marked with [XJR] Thanks Jingrong From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Ron Bonica Sent: Wednesday, May 27, 2020 6:23 AM To: 6man <6man@ietf.org>; Eric Vyncke (evyncke) <evyncke@cisco.com> Subject: CRH Draft Update - Security Considerations Section Folks, During the call for adoption, Eric Vyncke and others suggested that the Security Consideration Section should be reworked. Does the following text work for everyone. Ron Security Considerations -------------------------------- The CRH can be used as an attack vector. Therefore, it is necessary to filter packets: - At the CRH domain ingress. - At the node where the CRH is processed. [XJR] Good to see some of my previous suggestion being considered. At the CRH domain ingress, it is necessary to filter packets that satisfy the following criterion: [XJR] Seems to me more like the "CRH domain ingress" is outside-interface of limited-domain edge node ? I would assume so and please correct me if I am wrong. - The IPv6 Source Address represents an interface inside of the domain. (This source address is likely to be spoofed.) It also is necessary to filter packets that satisfy all of the following criteria: - The IPv6 Destination Address represents an interface inside of the CRH domain. - The packet contains a Routing header. - The Routing header is a CRH. - The Segments Left field has a value greater than 0. [XJR] This does not answer how a "CRH domain ingress" do the filter, especially "the packet contains a Routing Header", as I have raised but haven't see the answer: https://mailarchive.ietf.org/arch/msg/ipv6/QyaRQAjPoRExJGWLXaSXWHcMDdQ/ https://mailarchive.ietf.org/arch/msg/ipv6/03xzpXXRQFn0G2reYf1SS3c0208/ A network operator can implement an Access Control List (ACL) that filters: - The above-mentioned packets only - The above-mentioned packets as well as others [XJR] The 'others' is not clear to me whether it is CRH desired or not. For example, the ACL can filter all packets that satisfy the following criterion: - The IPv6 Destination Address represents an interface inside of the CRH domain. [XJR] If this is a CRH desired example, then I have a further comment: The Destination address represents an interface inside of the CRH domain MAY need to establish PCE/BGP session with an outside controller, will this traffic also be filtered ? At each node where the CRH is processed, it is necessary to filter packets that satisfy the following criterion: [XJR] It's not clear to me whether the filter is an intrinsic part of "CRH processing", or an independent processing module like ACL. - The IPv6 Source Address represents an interface outside of the CRH domain. ACLs are easily supported for small numbers of seldom changing prefixes, [XJR] I don't agree with this assumption. If there is a prefix change, and 1000 "CRH domain ingress" nodes need to add an ACL each, I would not think that easy. making summarization important. [XJR] I agree with this and would prefer to say summarization is super important. [End] Juniper Business Use Only
- CRH Draft Update - Security Considerations Section Ron Bonica
- RE: CRH Draft Update - Security Considerations Se… Xiejingrong (Jingrong)
- RE: CRH Draft Update - Security Considerations Se… Ron Bonica
- Re: CRH Draft Update - Security Considerations Se… John Scudder