IETF Logo Mail Archive

Re: Questions regarding the security mechanisms//RE: CRH and RH0

Ole Troan <otroan@employees.org> Fri, 22 May 2020 17:48 UTC

Return-Path: <otroan@employees.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12D3E3A0CA3 for <ipv6@ietfa.amsl.com>; Fri, 22 May 2020 10:48:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YOxZ36Waq72u for <ipv6@ietfa.amsl.com>; Fri, 22 May 2020 10:48:44 -0700 (PDT)
Received: from clarinet.employees.org (clarinet.employees.org [198.137.202.74]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16A523A0CCE for <6man@ietf.org>; Fri, 22 May 2020 10:48:44 -0700 (PDT)
Received: from [IPv6:2a02:20c8:5921:100:50c5:ec9e:9587:eb35] (unknown [IPv6:2a02:20c8:5921:100:50c5:ec9e:9587:eb35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by clarinet.employees.org (Postfix) with ESMTPSA id 560E74E11B81; Fri, 22 May 2020 17:48:43 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Ole Troan <otroan@employees.org>
Mime-Version: 1.0 (1.0)
Subject: Re: Questions regarding the security mechanisms//RE: CRH and RH0
Date: Fri, 22 May 2020 19:48:39 +0200
Message-Id: <1AB6B3B0-70C8-411C-9ADF-583B2F6F217E@employees.org>
References: <DM6PR05MB6348DE694BE49FCADE97DE69AEB40@DM6PR05MB6348.namprd05.prod.outlook.com>
Cc: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>, "Joel M. Halpern" <jmh@joelhalpern.com>, Tom Herbert <tom@herbertland.com>, 6man <6man@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
In-Reply-To: <DM6PR05MB6348DE694BE49FCADE97DE69AEB40@DM6PR05MB6348.namprd05.prod.outlook.com>
To: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>
X-Mailer: iPhone Mail (17F5065a)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/VU6cTnYye4V4r7ekYKhqUQCpFKs>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2020 17:48:47 -0000


> On 22 May 2020, at 19:40, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
> 
> Jingrong,
> 
> Fair enough. In the next draft version, I will adopt Nick Hilliard's suggestion. Any node processing the CRH will drop the packet:
> 
> - If it cannot resolve the SID
> - If the source address represents a node outside of the network.

Or a destination address outside the controlled domain unless it’s the last hop. 
And also with a caveat that CRH does not resolve the attack described in rfc5095 and all nodes being allowed to insert the RH must be trusted.
Or something along those lines. 

Cheers 
Ole

> 
>                            Ron
> 
> 
> 
> Juniper Business Use Only
> 
> -----Original Message-----
> From: Xiejingrong (Jingrong) <xiejingrong@huawei.com> 
> Sent: Friday, May 22, 2020 11:40 AM
> To: Joel M. Halpern <jmh@joelhalpern.com>; Tom Herbert <tom@herbertland.com>; Ron Bonica <rbonica@juniper.net>
> Cc: 6man <6man@ietf.org>; Bob Hinden <bob.hinden@gmail.com>
> Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0
> 
> [External Email. Be cautious of content]
> 
> 
> Hi Joel,
> 
> "The CRH security requirements are almost the same security criteria we accepted (and the Security ADs accepted) for SRH."
> No, they are different completely.
> The ACL currently specified in CRH draft is NOT widely available for network edge, thus left the CRH facing almost the same security threats as RH0.
> 
> Thanks
> Jingrong
> 
> -----Original Message-----
> From: Joel M. Halpern [mailto:jmh@joelhalpern.com]
> Sent: Saturday, May 16, 2020 11:41 PM
> To: Xiejingrong (Jingrong) <xiejingrong@huawei.com>; Tom Herbert <tom@herbertland.com>; Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>
> Cc: 6man <6man@ietf.org>; Bob Hinden <bob.hinden@gmail.com>
> Subject: Re: Questions regarding the security mechanisms//RE: CRH and RH0
> 
> Maybe I am confused, but theCRH security requirements are almost the same security criteria we accepted (and the Security ADs accepted) for SRH.  These objections would apply equally to SRH.
> 
> Yours,
> Joel
> 
>> On 5/16/2020 2:36 AM, Xiejingrong (Jingrong) wrote:
>> <...snip the redundant text, see the in-line reply marked with [XJR]> 
>> Hi!
>> 
>> That raises an interesting question. Can a protocol specification have a normative MUST requirement for correctness or security that is dependent on completely external properties? If this is saying that the ACLs are implemented as part of the CRH datapath then tht might be reasonable, but if this is saying that ACLs must be deployed at every possible edge node outside of the CRH processing that doesn't seem like it could be a MUST in a protocol specification (and this might be coming close to the general but effectively useless requirement that the underlying network MUST be secure and correct for the protocol to be secure and correct).
>> 
>> [XJR] Good catch that "ACLs must be deployed at every possible edge node outside of the CRH processing" makes it difficult to deployable.
>> [XJR] But If this "MUST" is weaken to any extent, I am afraid the said RFC5095 attack could be from Internet.
>> 
>> Also, I think you might want to mention that AH should be used to protect the routing header when security is a concern. AH is part of the protocol suite and doesn't depend on external factors other than what's happening at the end points. Normative requirements are appropriate for security via AH.
>> 
>> [XJR] Agreed that AH could help to ensure the Source is from a legitimate source as RFC8754 HMAC does. But there is no mandatory AH/HMAC in this draft.
>> [XJR] Once an attack packet pass through the border router, there is no additional protection like the "complemented per-node protection" in RFC8754 section 5.1.
>> 
>> Thanks
>> Jingrong
>> 
>> Tom
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: 
>> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6
>> __;!!NEt6yMaO-gk!URSWFP3xKE9y07e2TJimSiBPJAq93q1iVHIIADPk_7peHqYHCgf2X
>> 7la814ur3WJ$
>> --------------------------------------------------------------------
>> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email