IETF Logo Mail Archive

Re: Applicability of AH in draft-ietf-6man-segment-routing-header-19

Tom Herbert <tom@herbertland.com> Tue, 28 May 2019 16:00 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07190120168 for <ipv6@ietfa.amsl.com>; Tue, 28 May 2019 09:00:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bWnIpjymQymL for <ipv6@ietfa.amsl.com>; Tue, 28 May 2019 09:00:35 -0700 (PDT)
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D3B3120155 for <ipv6@ietf.org>; Tue, 28 May 2019 09:00:35 -0700 (PDT)
Received: by mail-qk1-x72e.google.com with SMTP id a132so23364791qkb.13 for <ipv6@ietf.org>; Tue, 28 May 2019 09:00:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CL0g/DKV+y9hPm/8ratL2FKhCP8jZbpV4/JQPb4l4ko=; b=CUZD2UwYtELt05SGjSQUl68Ygz0PMh8Ryj+sZQlv23gFPKu6hbP6z8oudECuu1cMGm jQAkp6csXmvJabFq51GgEiGuYDIA1wPPTZwVT5HF/i8uSwgj6WY9MyZUIuD70Y5ytFz6 fSSlymk1VCRF4owrRrwSojG6eKlcSgoALnIkO3EnEpNcTsuIyuujcskKpd4xIYSGKFoZ 3f209YN9GaTKfpXTHOQMphxeOnuWGn/vsOHXJpcRbArFZbTfH4SdulTZe7zu3ObuAht7 DjpiOf89AqIcDFIR7AgvN5s2wGRaWgXq0cWkN4W8Bd3cwXhsVpfZX+m39AO4N59Druvo 8r0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CL0g/DKV+y9hPm/8ratL2FKhCP8jZbpV4/JQPb4l4ko=; b=gw7aoLqN6V/Jfqj2iwH4ijYympMOylVOlyOW5CKN/Urcl9qr43LxL6+Ua/bB49uxmR aWzcExWTNm4PLzziIlfF+P7Ua76U6WR+IByKktRkclobs/fmJdueLqundeT/ULL8ImNp V4hiaWkZ1lD4qfAdV2WMeczZlBZrWTDOufPRhbYMFf02LgFFd/6v+ntrwjE+R/P+lDLq qAeG0ZJQB+cEdLnNO7yeHZ7I9UoU0ZOt0SF8PlP+n6sNgLNh9p0bffKXwSn+uDrT6zM+ 57yBmgWNr3O2xNHsdyvH/VpkSCUvZoQjueX5PEX4Z84V1lb4fMdhEucEyDR/ptg8JY05 qehw==
X-Gm-Message-State: APjAAAW8tYUmFUmXeSBhrHzqdhnejdXK9/W1BdMmlfkDWb4OeMdZSPkn 12z8Pygw8hFQakMV/3Hjyx6y/s24aUFTUVvB+O3fYg==
X-Google-Smtp-Source: APXvYqyIfhGHA2aODMgaVHYSNoWC+WG++smqqRedzoUtFrmDWA1N0HWTBKn5VfVqk391UpdYo1ljZ9DQgT1qJSOIiQY=
X-Received: by 2002:aed:3e99:: with SMTP id n25mr6338460qtf.277.1559059233979; Tue, 28 May 2019 09:00:33 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S35sMsiCD-YiTZBZzXDHKsNfVmWuR-YFVDZwgwc4rNit=g@mail.gmail.com> <7F90FE0E-3983-42DC-87E7-7C580C92A05D@cisco.com> <CALx6S34G1+sZjDJXUjvdMuKTst4TqyncxeJCeytbos-VFWzm4Q@mail.gmail.com> <A12A95FA-7177-404B-8C8C-97461A6FF339@employees.org>
In-Reply-To: <A12A95FA-7177-404B-8C8C-97461A6FF339@employees.org>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 28 May 2019 09:00:23 -0700
Message-ID: <CALx6S350gTigOoeqDkxNj1VQY_7-6uD2-QiaUokQjRR1Rtf4tQ@mail.gmail.com>
Subject: Re: Applicability of AH in draft-ietf-6man-segment-routing-header-19
To: Ole Troan <otroan@employees.org>
Cc: "Darren Dukes (ddukes)" <ddukes@cisco.com>, 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/qb_lSkonu9kC82fzsoOhvLJon1U>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 May 2019 16:00:38 -0000

On Tue, May 28, 2019 at 3:33 AM Ole Troan <otroan@employees.org> wrote:
>
> Tom,
>
> >> This text was sent to the list and had support in April.
> >> It's part of the consensus reached around not defining AH processing in the draft.
> >>
> > Darnen,
> >
> > Nevertheless, it is still misleading and not relevant to the normative
> > requirements of the document. I believe this paragraph can simply be
> > removed without loss of content or clarity.
>
> It seems to me, that what the idea and concept of segment routing is that this header is owned by the network.
> Not the node that encapsulated the user's packet and added the SRH.
> "Dear Mr Network here is a header of scratch space that you can manipulate to your heart's content."
>
> We have added some limitations to that, with definitions of mutability.
> But from that perspective, if I am correct, it is quite meaningless to apply AH.
>
Ole,

AH is only meaningless if end to end security is meaningless in these
networks. If one could _prove_ that _every_ network using segment
routing that exists or ever will exist is _perfectly_ secure because
of perfect filtering and other network mechanisms such the network
_cannot_ in anyway be comprised or misconfigured then, yes, I would
agree that AH is meaningless. Also, in that case HMAC TLV is
meaningless for the same reasons, so it could be removed from the SRH
protocol.

Tom

> Cheers,
> Ole
>
>
>
>
>
>
>
> >
> > Tom
> >
> >> Darren
> >>
> >>
> >>
> >>> On May 24, 2019, at 11:58 AM, Tom Herbert <tom@herbertland.com> wrote:
> >>>
> >>> Hello,
> >>>
> >>>> From section 7.5:
> >>> "The SR Domain is a trusted domain, as defined in [RFC8402] Section 2
> >>> and Section 8.2.  The SR Source is trusted to add an SRH (optionally
> >>> verified via the HMAC TLV in this document), and segments advertised
> >>> within the domain are trusted to be accurate and advertised by trusted
> >>> sources via a secure control plane.  As such the SR Domain does not
> >>> rely on the Authentication Header (AH) as defined in [RFC4302] to
> >>> secure the SRH."
> >>>
> >>> This is misleading on several fronts.
> >>>
> >>> First, this equates a trusted SR Domain as being a guaranteed secured
> >>> domain. It's not. Even RFC8402 says: "The use of best practice to
> >>> reduce the risk of tampering within the trusted domain is important.".
> >>> So security mechanisms within the IP protocols are still required.
> >>>
> >>> Secondly, this seems to somehow equate HMAC TLV functionality with AH.
> >>> They are not equivalent. AH is end-to-end authentication and covers
> >>> all extension headers and the IP header, HMAC TLV only covers select
> >>> fields in SRH and is end-to-something where there is no guidance
> >>> offered as to what that "something" is supposed to be (this is
> >>> precarious in itself since it allows valid configurations where
> >>> sources are setting HMAC TLV, but nobody in the path actually is
> >>> verifying it leading to a false sense of security). If anything, AH is
> >>> a superset of HMAC TLV.
> >>>
> >>> So, I don't see any argument here that AH is any more unneeded in an
> >>> SR domain versus any other network, nor any argument that HMAC TLV is
> >>> somehow superior to AH for security in an SR domain. I suggest to
> >>> remove this whole paragraph and just keep the next paragraph that AH
> >>> will be defined in other documents. Let users decide what security
> >>> measures (AH, HMAC TLV, edge filtering, etc.) are appropriate for
> >>> their paritcular network...
> >>>
> >>> Tom
> >>>
> >>> --------------------------------------------------------------------
> >>> IETF IPv6 working group mailing list
> >>> ipv6@ietf.org
> >>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>> --------------------------------------------------------------------
> >>
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email