IETF Logo Mail Archive

Re: draft-ietf-6man-segment-routing-header-14

"Darren Dukes (ddukes)" <ddukes@cisco.com> Thu, 12 July 2018 19:21 UTC

Return-Path: <ddukes@cisco.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9D67130E2A for <ipv6@ietfa.amsl.com>; Thu, 12 Jul 2018 12:21:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.52
X-Spam-Level:
X-Spam-Status: No, score=-12.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9nbHVcOxnbLR for <ipv6@ietfa.amsl.com>; Thu, 12 Jul 2018 12:20:57 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74E89130E40 for <ipv6@ietf.org>; Thu, 12 Jul 2018 12:20:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=38891; q=dns/txt; s=iport; t=1531423257; x=1532632857; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=EwzSjaSvW6i545Dfi7O6jBmx8t7g/IXnciLA4hYwhp4=; b=Z24trLB7O9qY75TLfE3nOIz4fwA0VxRCMOTC/mVNs3iYYKEHPcb9Ap49 coYRqerp0iKj6X9wBd7r1pO/p2gD+/hu+NNYbfegINgcoH96RV+GrErn1 UAPM/nWFnEbWvgdR3gdqNx0uQkoIc7nDGhiG0t8k77V6GujdmutlAAyfA s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C1AQCPqEdb/5FdJa1cGQEBAQEBAQEBAQEBAQcBAQEBAYJTTCpjfygKmCiBZySVMxSBZgsYAQkKhEACgkkhNhYBAgEBAgEBAm0cDIU2AQEBAQMBAWwLEAIBCA4DBAEBIQEGBycLFAkIAQEEDgWDIAGBG2QPq1OEW4VjiH6BVz+BECcMgl6DGQEBAhiBEwESAQcIRgiCdIIkAodkigKHcwkChgiJHYIGhy6ELYo5hzQCERSBJCQLJmFxcBU7KgGCPgmBbDAXegEJgkGFFIU+bwEBgROIaA0XB4EBAYEZAQE
X-IronPort-AV: E=Sophos;i="5.51,344,1526342400"; d="scan'208,217";a="419780860"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Jul 2018 19:20:56 +0000
Received: from XCH-RCD-018.cisco.com (xch-rcd-018.cisco.com [173.37.102.28]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id w6CJKuOa003500 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 12 Jul 2018 19:20:56 GMT
Received: from xch-aln-017.cisco.com (173.36.7.27) by XCH-RCD-018.cisco.com (173.37.102.28) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Thu, 12 Jul 2018 14:20:55 -0500
Received: from xch-aln-017.cisco.com ([173.36.7.27]) by XCH-ALN-017.cisco.com ([173.36.7.27]) with mapi id 15.00.1320.000; Thu, 12 Jul 2018 14:20:55 -0500
From: "Darren Dukes (ddukes)" <ddukes@cisco.com>
To: Ron Bonica <rbonica@juniper.net>
CC: Tom Herbert <tom@herbertland.com>, 6man <ipv6@ietf.org>
Subject: Re: draft-ietf-6man-segment-routing-header-14
Thread-Topic: draft-ietf-6man-segment-routing-header-14
Thread-Index: AdQXwZ0K9FnfEd8fTwSpGj8VsNgprwA8SdsAACu9eoAAN2iRAA==
Date: Thu, 12 Jul 2018 19:20:55 +0000
Message-ID: <0B793C54-8901-4A96-A30E-9652E03F6E01@cisco.com>
References: <CO1PR05MB443B0AB8109F350A23FFBDBAE440@CO1PR05MB443.namprd05.prod.outlook.com> <CALx6S347fAqHAkgCPUfBHnua1DJ+-bJDDma20RHo+LMeTsu9=Q@mail.gmail.com> <CO1PR05MB44344B3E9107C29FD5FA8F9AE5A0@CO1PR05MB443.namprd05.prod.outlook.com>
In-Reply-To: <CO1PR05MB44344B3E9107C29FD5FA8F9AE5A0@CO1PR05MB443.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [161.44.212.161]
Content-Type: multipart/alternative; boundary="_000_0B793C5489014A96A30E9652E03F6E01ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/efZogIGd-LlWBaYc9HsGtA2aCxg>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 19:21:02 -0000

Hi Ron, the beneficial properties of SRH TLVs are:
1 - srh tlvs may be added/deleted at each segment.
2 - srh tlvs need not be parsed at each segment (dependent on local policy per active segment).

Darren

On Jul 11, 2018, at 12:54 PM, Ron Bonica <rbonica@juniper.net<mailto:rbonica@juniper.net>> wrote:

Hi Tom,

Your email reflects the issue that I raised in https://trac.ietf.org/trac/6man/ticket/38. Since we both raised the issue, it probably deserves some discussion.

In SRv6, we have optional information (OI) that needs to be propagated downstream. IPv6 provides the following propagation mechanisms:

-          The HBH header propagates OI to every downstream node including the destination [1]
-          The DO header that precedes the RH propagates OI to every segment endpoint, including the ultimate destination
-          The DO header that follows the RH propagates OI to the  ultimate destination only

The SRH TLV is unlike any of these. It propagates OI to every segment endpoint, except for the ultimate destination.

So, before we begin the analysis, we can say that any OI that needs to be propagated to every segment endpoint except for the ultimate destination should be encoded in an SRH TLV. I am not sure that any such OI exists, but maybe Clarence and Darren can fill in the blanks.

The following analysis applies to other SRv6 OI:

The following are benefits of encoding in the Destination Option:
-          The OI may be generalizable. Or, said another way, the OI may be useful in packets that contain a different RH Type (e.g., the IP Mobility type or another RH type that might be specified in the future).
-          The Act and Chg bit semantics are already defined and can be leveraged.

The following are the benefits of encoding in SRH TLVs:
-          Conservation of space in the HBH and Destination Option type registry
-          Reduces effort required by those who have already deployed TLVs [2]

Clarence, Darren, can you think of any other benefits?

                                                         Ron

[1] The HBH is not really an option because so many network block it
[2] According to Section 8 of this document, there is only one pre-standard implementation of the TLV.



From: Tom Herbert <tom@herbertland.com<mailto:tom@herbertland.com>>
Sent: Tuesday, July 10, 2018 4:02 PM
To: Ron Bonica <rbonica@juniper.net<mailto:rbonica@juniper.net>>
Cc: 6man <ipv6@ietf.org<mailto:ipv6@ietf.org>>
Subject: Re: draft-ietf-6man-segment-routing-header-14


On Mon, Jul 9, 2018, 3:21 PM Ron Bonica <rbonica@juniper.net<mailto:rbonica@juniper.net>> wrote:
Clarence,

For the purposes of this draft, I suggest that we remove the HMAC TLV and restrict SRv6 deployment to  walled-gardens. This will allow us to progress the current draft quickly, without working through the security issues associated with routing headers on the global internet.

If this is the case, maybe TLVs can also be removed from the protocol (AFAIK HMAC is only one defined). This would be a big simplication. Subsequently, if HMAC TLV is needed maybe it could be in a destination option before routing header (so it can be processed by each hop in a routing header and such options could marked as modifiable in flight).

Tom



Soon, we will want to address the security issues associated with routing headers on the global Internet and we may want to re-introduce the HMAC TLV then. But it is unlikely that we can address this issues in the next few weeks. This issue, and the HMAC TLV, might better be left for another draft.

The following are security issues:

1) Section 6.2.2 (Performance Impact of HMAC) says, "when present, the HMAC field need only be checked and validated by the first router of the segment routing domain, this router is named 'validating SR router'.  This leads us to ask:

- How does the validating router know that it is the validating router?
- How does a non-validating router know that a packet has already been validated?

The draft is silent regarding these questions. One possibility is that every router on the edge of the segment routing domain:

- Is a validating router
- Maintains an ACL blocking all packets that attempt to circumvent validation by it

This raises the following security issues:

- An attacker can DoS a validating router by sending it a large stream of packets with an invalid MAC. The validating router will discard all of the packets that do not pass validation, but will consume inordinate resources validating the packets.
- Given the HMAC processing procedures specified in the draft, the above mentioned ACL may be computationally expensive and may be impossible to deploy on many existing ASICs
-The HMAC processing procedures specified in version 14 may be incomplete

I think that the above-mentioned ACL looks like this:

If (the packet arrives on an untrusted interface) {
        If (the DA is a SID advertised by any node in the SR domain) {
                If (the packet includes an SRH ) {
                        If (the DA is a SID advertised by the local node) {
                                If (the SRH contains an HMAC TLV) {
                                        ProcessNextACL
                                } else {
                                        Discard
                                }
                        } else {
                                Discard
                        }
                } else {
                        Discard
                }
        } else {
                ProcessNextACL
        }
} else {
        ProcessNextACL
}

Furthermore, before validating the MAC, the validating router MUST verify that Segment List[SL+1] is equal to the IP destination address. This means that the reduced notation described in Section 4.1.1 cannot be used in some cases when the packet originates outside of the SR domain.

You may want to moves some of the functionality from the ACL into HMAC processing. But if you do that, you should describe the HMAC processing completely in the document.

                                                                  Ron

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org<mailto:ipv6@ietf.org>
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_ipv6&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=7pfDdFr9x4UVZOuyO9BDLzCBts8K3jKCR0o_gOH7tuI&s=RPO1ugMdF986DV5TCBs5b3ZTQzljRJ5FV_HrFl94ku0&e=>
--------------------------------------------------------------------
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org<mailto:ipv6@ietf.org>
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email