RE: Questions regarding the security mechanisms//RE: CRH and RH0

Ron Bonica <rbonica@juniper.net> Fri, 22 May 2020 17:40 UTC

From: Ron Bonica <rbonica@juniper.net>
To: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>, "Joel M. Halpern" <jmh@joelhalpern.com>, Tom Herbert <tom@herbertland.com>
CC: 6man <6man@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0
Thread-Topic: Questions regarding the security mechanisms//RE: CRH and RH0
Date: Fri, 22 May 2020 17:39:45 +0000
Message-ID: <DM6PR05MB6348DE694BE49FCADE97DE69AEB40@DM6PR05MB6348.namprd05.prod.outlook.com>
References: <23488ea0d4eb474c9d7155086f940dae@huawei.com> <006c01d62aa1$8c195520$a44bff60$@com> <DM6PR05MB634863122645FD4981B97F71AEBD0@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S35thGuTgTmCFozU=3MULW8V95OwA5GdqQ7OGrA-agR7Hw@mail.gmail.com> <891ccad03b484c7386ab527d89143f8c@huawei.com> <f4316f15-496b-718f-2ea6-f2630eec2a8d@joelhalpern.com> <0435985056bd421f8fbdb71de86b5b0e@huawei.com>
In-Reply-To: <0435985056bd421f8fbdb71de86b5b0e@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/5gtUtRKVzzj-V_ejsUSNRHa-Buo>

Jingrong,

Fair enough. In the next draft version, I will adopt Nick Hilliard's suggestion. Any node processing the CRH will drop the packet:

- If it cannot resolve the SID
- If the source address represents a node outside of the network.

Ron
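The two drop rules Ron lists above, written out as a packet-processing check (an added example, not code from the CRH draft or from any participant). It assumes a CRH-FIB modelled as a dict from SID to IPv6 address, the network described as a list of prefixes, and a simplified SID indexing where the SID to process sits at index `len(sids) - segments_left`; the wire format of the header is not modelled.

```python
"""Model of the CRH drop rules: unresolvable SID, or source outside the network.

Added example. Assumptions (not from the draft): CRH_FIB is a dict SID -> address,
NETWORK_PREFIXES is the set of prefixes that count as "inside the network", and
the SID currently being processed is sids[len(sids) - segments_left].
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class CrhPacket:
    src: str            # IPv6 source address of the packet
    segments_left: int  # CRH Segments Left field
    sids: list          # CRH SID list


# Constructed sample topology: one /48 site and two SIDs known to this node.
NETWORK_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48")]
CRH_FIB = {101: "2001:db8:1::1", 102: "2001:db8:1::2"}


def source_in_network(src, prefixes=NETWORK_PREFIXES):
    """True if the source address falls inside one of the network's prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in prefixes)


def process_crh(pkt, fib=CRH_FIB, prefixes=NETWORK_PREFIXES):
    """Return ('forward', next_hop), ('deliver', None) or ('drop', reason)."""
    # Rule 2: drop if the source address represents a node outside the network.
    if not source_in_network(pkt.src, prefixes):
        return ("drop", "source outside network")
    if pkt.segments_left == 0:
        return ("deliver", None)  # no more segments; hand to upper layer
    # Bounds check (added here as basic input validation, not a draft rule).
    if pkt.segments_left > len(pkt.sids):
        return ("drop", "segments left exceeds SID list")
    sid = pkt.sids[len(pkt.sids) - pkt.segments_left]
    # Rule 1: drop if the SID cannot be resolved in the CRH-FIB.
    if sid not in fib:
        return ("drop", "unresolvable SID %d" % sid)
    return ("forward", fib[sid])
```

The source-address rule only identifies outside-origin packets when ingress filtering stops an external sender from spoofing an in-network source, which is the gap Jingrong raises below.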


-----Original Message-----
From: Xiejingrong (Jingrong) <xiejingrong@huawei.com> 
Sent: Friday, May 22, 2020 11:40 AM
To: Joel M. Halpern <jmh@joelhalpern.com>; Tom Herbert <tom@herbertland.com>; Ron Bonica <rbonica@juniper.net>
Cc: 6man <6man@ietf.org>; Bob Hinden <bob.hinden@gmail.com>
Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0

Hi Joel,

"The CRH security requirements are almost the same security criteria we accepted (and the Security ADs accepted) for SRH."
No, they are completely different.
The ACL currently specified in the CRH draft is NOT widely available at the network edge, thus leaving the CRH facing almost the same security threats as RH0.

Thanks
Jingrong

-----Original Message-----
From: Joel M. Halpern [mailto:jmh@joelhalpern.com]
Sent: Saturday, May 16, 2020 11:41 PM
To: Xiejingrong (Jingrong) <xiejingrong@huawei.com>; Tom Herbert <tom@herbertland.com>; Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>
Cc: 6man <6man@ietf.org>; Bob Hinden <bob.hinden@gmail.com>
Subject: Re: Questions regarding the security mechanisms//RE: CRH and RH0

Maybe I am confused, but the CRH security requirements are almost the same security criteria we accepted (and the Security ADs accepted) for SRH.  These objections would apply equally to SRH.

Yours,
Joel

On 5/16/2020 2:36 AM, Xiejingrong (Jingrong) wrote:
> <...snip the redundant text, see the in-line reply marked with [XJR]> 
> Hi!
>
> That raises an interesting question. Can a protocol specification have a normative MUST requirement for correctness or security that is dependent on completely external properties? If this is saying that the ACLs are implemented as part of the CRH datapath then that might be reasonable, but if this is saying that ACLs must be deployed at every possible edge node outside of the CRH processing that doesn't seem like it could be a MUST in a protocol specification (and this might be coming close to the general but effectively useless requirement that the underlying network MUST be secure and correct for the protocol to be secure and correct).
>
> [XJR] Good catch that "ACLs must be deployed at every possible edge node outside of the CRH processing" makes it difficult to deploy.
> [XJR] But if this "MUST" is weakened to any extent, I am afraid the said RFC5095 attack could come from the Internet.
>
> Also, I think you might want to mention that AH should be used to protect the routing header when security is a concern. AH is part of the protocol suite and doesn't depend on external factors other than what's happening at the end points. Normative requirements are appropriate for security via AH.
>
> [XJR] Agreed that AH could help to ensure the source is a legitimate source, as the RFC8754 HMAC does. But there is no mandatory AH/HMAC in this draft.
> [XJR] Once an attack packet passes through the border router, there is no additional protection like the "complemented per-node protection" in RFC8754 section 5.1.
>
> Thanks
> Jingrong
>
> Tom