IETF Logo Mail Archive

Re: draft-ietf-6man-segment-routing-header-14

"Darren Dukes (ddukes)" <ddukes@cisco.com> Thu, 12 July 2018 19:00 UTC

Return-Path: <ddukes@cisco.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D91D31311E0 for <ipv6@ietfa.amsl.com>; Thu, 12 Jul 2018 12:00:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5eyp7elRD47 for <ipv6@ietfa.amsl.com>; Thu, 12 Jul 2018 12:00:47 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA71513120C for <ipv6@ietf.org>; Thu, 12 Jul 2018 12:00:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=17342; q=dns/txt; s=iport; t=1531422036; x=1532631636; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=b5HKguICxuDq9yHg1TUEhTARRYTWwMS7TEWsXmotToo=; b=VAh/3k/hTFwk6FpTzYYZgmeFvZYxzR/BpKRsrdUZ7Q6fdAARc256Jp6I xkzrGhzviux8hnWAzeiVG5ulAlo9l14ZCquwnG595n8stOHiaN3wPEBKK LmNqNEpxYmlVLgn/xbIBxXIfJC77M98wyv9eywCQ4VkmOMQCXm8RCiH7b M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CzAQC5pEdb/4kNJK1cGQEBAQEBAQEBAQEBAQcBAQEBAYMfKmN/KAqYKJIwhQ4UgWYLGAEMB4RAAoJJITYWAQIBAQIBAQJtHAyFNwIBAwEBbAsQAgEIPwcnCxQRAQEEDgWDIAGBG2QPq1iEW4VeBYh+gVc/gRAngmqDGQEBAgGBRYNKgiQCh2SKAodzCQKGCIkdgUOED4NihC2KOYc0AhETAYEkJAUsgVJwFTsqAYI+giUXegEJh1WFPm8BgRSIaCuBAQGBGQEB
X-IronPort-AV: E=Sophos;i="5.51,344,1526342400"; d="scan'208,217";a="142545319"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Jul 2018 19:00:35 +0000
Received: from XCH-RCD-018.cisco.com (xch-rcd-018.cisco.com [173.37.102.28]) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id w6CJ0YYL014726 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 12 Jul 2018 19:00:34 GMT
Received: from xch-aln-017.cisco.com (173.36.7.27) by XCH-RCD-018.cisco.com (173.37.102.28) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Thu, 12 Jul 2018 14:00:34 -0500
Received: from xch-aln-017.cisco.com ([173.36.7.27]) by XCH-ALN-017.cisco.com ([173.36.7.27]) with mapi id 15.00.1320.000; Thu, 12 Jul 2018 14:00:34 -0500
From: "Darren Dukes (ddukes)" <ddukes@cisco.com>
To: Tom Herbert <tom@herbertland.com>
CC: Ronald Bonica <rbonica@juniper.net>, 6man <ipv6@ietf.org>
Subject: Re: draft-ietf-6man-segment-routing-header-14
Thread-Topic: draft-ietf-6man-segment-routing-header-14
Thread-Index: AdQXwZ0K9FnfEd8fTwSpGj8VsNgprwA8SdsAAAdYhwAAG9+SAAA/OACA
Date: Thu, 12 Jul 2018 19:00:34 +0000
Message-ID: <7B502C84-3D25-4C4C-B80A-45028375A0E4@cisco.com>
References: <CO1PR05MB443B0AB8109F350A23FFBDBAE440@CO1PR05MB443.namprd05.prod.outlook.com> <CALx6S347fAqHAkgCPUfBHnua1DJ+-bJDDma20RHo+LMeTsu9=Q@mail.gmail.com> <560FC347-49B2-4C9B-8910-009185C37485@cisco.com> <CALx6S37s0kHGRup4veOEovPnfa4p=DOU74kc2SO+KEjUG8bAZw@mail.gmail.com>
In-Reply-To: <CALx6S37s0kHGRup4veOEovPnfa4p=DOU74kc2SO+KEjUG8bAZw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [161.44.212.161]
Content-Type: multipart/alternative; boundary="_000_7B502C843D254C4CB80A45028375A0E4ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/c6YNdyaBt6bxemRyr5mgzZVET8I>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 19:00:56 -0000

Hi Tom,

https://tools.ietf.org/html/draft-ali-spring-srv6-pm-02#section-3.2
Defines a Delay Measurement SRH TLV that is only used by a specific SID Type.
https://tools.ietf.org/html/draft-li-spring-passive-pm-for-srv6-np-00#section-5.3
Similar to above, I expect there would be some merging in their future.

https://tools.ietf.org/html/draft-ali-spring-srv6-oam-01(section4.4)
https://tools.ietf.org/html/draft-brockners-inband-oam-transport-05#section-7.1
Defines a Proof of Transit TLV for SRH.

Darren

On Jul 11, 2018, at 8:50 AM, Tom Herbert <tom@herbertland.com<mailto:tom@herbertland.com>> wrote:

On Tue, Jul 10, 2018 at 4:32 PM, Darren Dukes (ddukes) <ddukes@cisco.com<mailto:ddukes@cisco.com>> wrote:
In this draft HMAC is the only one, but others are being defined for OAM,
SFC and other use cases.


Darren,

Please provide references to those. For OAM at least, I believe that
Hop-by-hop and Destination options are being defined to handle that.
What would be the need for defining options like this in a router
header also?

Thanks,
Tom


Darren


On Jul 10, 2018, at 4:01 PM, Tom Herbert <tom@herbertland.com<mailto:tom@herbertland.com>> wrote:



On Mon, Jul 9, 2018, 3:21 PM Ron Bonica <rbonica@juniper.net<mailto:rbonica@juniper.net>> wrote:

Clarence,

For the purposes of this draft, I suggest that we remove the HMAC TLV and
restrict SRv6 deployment to  walled-gardens. This will allow us to progress
the current draft quickly, without working through the security issues
associated with routing headers on the global internet.


If this is the case, maybe TLVs can also be removed from the protocol (AFAIK
HMAC is only one defined). This would be a big simplication. Subsequently,
if HMAC TLV is needed maybe it could be in a destination option before
routing header (so it can be processed by each hop in a routing header and
such options could marked as modifiable in flight).

Tom



Soon, we will want to address the security issues associated with routing
headers on the global Internet and we may want to re-introduce the HMAC TLV
then. But it is unlikely that we can address this issues in the next few
weeks. This issue, and the HMAC TLV, might better be left for another draft.

The following are security issues:

1) Section 6.2.2 (Performance Impact of HMAC) says, "when present, the
HMAC field need only be checked and validated by the first router of the
segment routing domain, this router is named 'validating SR router'.  This
leads us to ask:

- How does the validating router know that it is the validating router?
- How does a non-validating router know that a packet has already been
validated?

The draft is silent regarding these questions. One possibility is that
every router on the edge of the segment routing domain:

- Is a validating router
- Maintains an ACL blocking all packets that attempt to circumvent
validation by it

This raises the following security issues:

- An attacker can DoS a validating router by sending it a large stream of
packets with an invalid MAC. The validating router will discard all of the
packets that do not pass validation, but will consume inordinate resources
validating the packets.
- Given the HMAC processing procedures specified in the draft, the above
mentioned ACL may be computationally expensive and may be impossible to
deploy on many existing ASICs
-The HMAC processing procedures specified in version 14 may be incomplete

I think that the above-mentioned ACL looks like this:

If (the packet arrives on an untrusted interface) {
       If (the DA is a SID advertised by any node in the SR domain) {
               If (the packet includes an SRH ) {
                       If (the DA is a SID advertised by the local node)
{
                               If (the SRH contains an HMAC TLV) {
                                       ProcessNextACL
                               } else {
                                       Discard
                               }
                       } else {
                               Discard
                       }
               } else {
                       Discard
               }
       } else {
               ProcessNextACL
       }
} else {
       ProcessNextACL
}

Furthermore, before validating the MAC, the validating router MUST verify
that Segment List[SL+1] is equal to the IP destination address. This means
that the reduced notation described in Section 4.1.1 cannot be used in some
cases when the packet originates outside of the SR domain.

You may want to moves some of the functionality from the ACL into HMAC
processing. But if you do that, you should describe the HMAC processing
completely in the document.

                                                                 Ron

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org<mailto:ipv6@ietf.org>
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org<mailto:ipv6@ietf.org>
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email