Re: Applicability of AH in draft-ietf-6man-segment-routing-header-19
"Darren Dukes (ddukes)" <ddukes@cisco.com> Mon, 27 May 2019 17:40 UTC
Return-Path: <ddukes@cisco.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0B031200C4 for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 10:40:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=UBC2+8Se; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=nK0r20qA
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xlRZwBVA5KCP for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 10:40:30 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B541120043 for <ipv6@ietf.org>; Mon, 27 May 2019 10:40:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2415; q=dns/txt; s=iport; t=1558978830; x=1560188430; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=V5VBlj0kls4VelzXvnIiybi58pqU9coBIg82qmd2/WM=; b=UBC2+8SeAYgBM7rN0DMYuZ2JJyFZIoVqPTP319XKTrQagNx6b7VbnOVa QGNvdHg1MPwmMhd8PKjPk3yHvFOg+a2B+cEneohD5pIfRIw3jLddpLk8G 1aXZ46DFgC19i+Ez+l7w5RcyeZlFxr6TJzdxUckBAwSzDSoMfOBo1HuS8 o=;
IronPort-PHdr: 9a23:QWvdjhBUyhj3smJxLi4nUyQJPHJ1sqjoPgMT9pssgq5PdaLm5Zn5IUjD/qg83kTRU9Dd7PRJw6rNvqbsVHZIwK7JsWtKMfkuHwQAld1QmgUhBMCfDkiuIPL3bCEhNM9DT1RiuXq8NBsdFQ==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BIAABcIOxc/5xdJa1lHAEBAQQBAQcEAQGBUQcBAQsBgT1QA2lVIAQLKAqHUAOEUoongjIllyuBLoEkA1QJAQEBDAEBGAsKAgEBhEACglYjNAkOAQMBAQQBAQIBBG0cDIVKAQEBAwEBARAoBgEBLAsBBAsCAQgYHhAnCyUCBA4FIoMAAYFqAw4PAQIMnQcCgTiIX4IggnkBAQWCR4I0GIIPAwaBNAGEaIZqF4FAP4E4DBOCTD6CYQEBgWGDPIImi0idDwkCgg2TFRuWSaJmAgQCBAUCDgEBBYFPOIFXcBU7KgGCQYIPg3CFFIU/coEpjFsBgSABAQ
X-IronPort-AV: E=Sophos;i="5.60,520,1549929600"; d="scan'208";a="565552267"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 27 May 2019 17:40:29 +0000
Received: from XCH-RCD-013.cisco.com (xch-rcd-013.cisco.com [173.37.102.23]) by rcdn-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id x4RHeTHM023745 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 27 May 2019 17:40:29 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-RCD-013.cisco.com (173.37.102.23) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 27 May 2019 12:40:28 -0500
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 27 May 2019 13:40:27 -0400
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 27 May 2019 12:40:27 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bDw7dUQXuCK3/AaqpXasr/qhqwS8Vrot6+zoPfkCy1E=; b=nK0r20qAZsEoB0aVGRySUOHkqEUp7C3c64wJwiqGtS2NFL89ikOQqxf0ucskHFKUcyUGBOlXVUeroPoyVZKPk/mXLy8+AxB7b0qwHbBE+GZqK41dSy5Uoo72sBe7Lv3t1G+w76YQ5XbrUbzKCIakJlFwx+32n5zRnYSRB8nw1E4=
Received: from DM6PR11MB3516.namprd11.prod.outlook.com (20.177.220.141) by DM6PR11MB3545.namprd11.prod.outlook.com (20.178.229.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.17; Mon, 27 May 2019 17:40:26 +0000
Received: from DM6PR11MB3516.namprd11.prod.outlook.com ([fe80::d59f:9fbe:1f8b:bac7]) by DM6PR11MB3516.namprd11.prod.outlook.com ([fe80::d59f:9fbe:1f8b:bac7%7]) with mapi id 15.20.1922.021; Mon, 27 May 2019 17:40:26 +0000
From: "Darren Dukes (ddukes)" <ddukes@cisco.com>
To: Tom Herbert <tom@herbertland.com>
CC: 6man <ipv6@ietf.org>
Subject: Re: Applicability of AH in draft-ietf-6man-segment-routing-header-19
Thread-Topic: Applicability of AH in draft-ietf-6man-segment-routing-header-19
Thread-Index: AQHVEkmpKegMeBjxOkWHtvptWgPQNaZ/QfSA
Date: Mon, 27 May 2019 17:40:26 +0000
Message-ID: <7F90FE0E-3983-42DC-87E7-7C580C92A05D@cisco.com>
References: <CALx6S35sMsiCD-YiTZBZzXDHKsNfVmWuR-YFVDZwgwc4rNit=g@mail.gmail.com>
In-Reply-To: <CALx6S35sMsiCD-YiTZBZzXDHKsNfVmWuR-YFVDZwgwc4rNit=g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ddukes@cisco.com;
x-originating-ip: [161.44.192.53]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0be7dfd2-86e3-4d2b-aee2-08d6e2ca6755
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM6PR11MB3545;
x-ms-traffictypediagnostic: DM6PR11MB3545:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <DM6PR11MB35452143AB000FAE3C895C7CC81D0@DM6PR11MB3545.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 0050CEFE70
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(346002)(39860400002)(376002)(136003)(366004)(189003)(199004)(186003)(486006)(2616005)(476003)(446003)(11346002)(26005)(76116006)(91956017)(66446008)(3846002)(53936002)(256004)(14444005)(6246003)(6116002)(2906002)(73956011)(66946007)(66476007)(66556008)(64756008)(83716004)(71190400001)(71200400001)(102836004)(53546011)(6506007)(76176011)(99286004)(6916009)(966005)(7736002)(4326008)(33656002)(36756003)(82746002)(316002)(66066001)(25786009)(229853002)(478600001)(14454004)(6486002)(8936002)(81166006)(81156014)(6436002)(8676002)(5660300002)(305945005)(68736007)(6512007)(86362001)(6306002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR11MB3545; H:DM6PR11MB3516.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: bCh3GErJ84GvSjCBKzX/XtiIcwiL0uWytgi3IyS5m5mT/n/S7ggQ7kD4uqSil+wi9JxBzH3tTBV3uID3B1hO9OHqX3KJjI9z8uwZqst/zgDP+x73hwU6TTjAnTdoxyHfDS8cguih4Xhjs/+qEqC7DcJc8qW3DWamtlJ0qMJlmHO8PR5WlCfJ67iaF8ry68vtlKOuw6CW/CRLihK8+lfEfC+etLsgaE4uiVQswM4EJzr/k/eY1WI4d113lujtL5yk6rSb/uQ7lmWjgqFzRKIvTT+OtBEViDxxCuVQcEqWjpq1Ahi44W+YZ7AszrZw6+I9XuC2IvObD7XECSb7Ot1upJnge2TBZLPkCze0yUYJ18O7C1Aep3AIG+BFOnZp15Jx18fYR7vc4NyI39STTMfCAI7PCs1QBVbz3+Lfna6DphI=
Content-Type: text/plain; charset="us-ascii"
Content-ID: <160A72204874C742825357040A829A94@namprd11.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0be7dfd2-86e3-4d2b-aee2-08d6e2ca6755
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 May 2019 17:40:26.3114 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ddukes@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB3545
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.23, xch-rcd-013.cisco.com
X-Outbound-Node: rcdn-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/lT8n21aOtrTLO6RqZnjJGJ06eUU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 May 2019 17:40:33 -0000
This text was sent to the list and had support in April. It's part of the consensus reached around not defining AH processing in the draft. Darren > On May 24, 2019, at 11:58 AM, Tom Herbert <tom@herbertland.com> wrote: > > Hello, > >> From section 7.5: > "The SR Domain is a trusted domain, as defined in [RFC8402] Section 2 > and Section 8.2. The SR Source is trusted to add an SRH (optionally > verified via the HMAC TLV in this document), and segments advertised > within the domain are trusted to be accurate and advertised by trusted > sources via a secure control plane. As such the SR Domain does not > rely on the Authentication Header (AH) as defined in [RFC4302] to > secure the SRH." > > This is misleading on several fronts. > > First, this equates a trusted SR Domain as being a guaranteed secured > domain. It's not. Even RFC8402 says: "The use of best practice to > reduce the risk of tampering within the trusted domain is important.". > So security mechanisms within the IP protocols are still required. > > Secondly, this seems to somehow equate HMAC TLV functionality with AH. > They are not equivalent. AH is end-to-end authentication and covers > all extension headers and the IP header, HMAC TLV only covers select > fields in SRH and is end-to-something where there is no guidance > offered as to what that "something" is supposed to be (this is > precarious in itself since it allows valid configurations where > sources are setting HMAC TLV, but nobody in the path actually is > verifying it leading to a false sense of security). If anything, AH is > a superset of HMAC TLV. > > So, I don't see any argument here that AH is any more unneeded in an > SR domain versus any other network, nor any argument that HMAC TLV is > somehow superior to AH for security in an SR domain. I suggest to > remove this whole paragraph and just keep the next paragraph that AH > will be defined in other documents. Let users decide what security > measures (AH, HMAC TLV, edge filtering, etc.) are appropriate for > their paritcular network... > > Tom > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > --------------------------------------------------------------------
- Applicability of AH in draft-ietf-6man-segment-ro… Tom Herbert
- Re: Applicability of AH in draft-ietf-6man-segmen… Darren Dukes (ddukes)
- Re: Applicability of AH in draft-ietf-6man-segmen… Tom Herbert
- Re: Applicability of AH in draft-ietf-6man-segmen… Ole Troan
- Re: Applicability of AH in draft-ietf-6man-segmen… Joel M. Halpern
- Re: Applicability of AH in draft-ietf-6man-segmen… Tom Herbert
- Re: Applicability of AH in draft-ietf-6man-segmen… Ole Troan
- Re: Applicability of AH in draft-ietf-6man-segmen… Ole Troan
- Re: Applicability of AH in draft-ietf-6man-segmen… Tom Herbert