Re: Questions regarding the security mechanisms//RE: CRH and RH0

John Scudder <jgs@juniper.net> Fri, 22 May 2020 17:21 UTC


On May 22, 2020, at 1:02 PM, Nick Hilliard <nick@foobar.org> wrote:
> 
> Xiejingrong (Jingrong) wrote on 22/05/2020 17:16:
>> Hi John,
>> I have read the analysis you provided in previous message.
>> The "very helpful" is to the layered security mode: https://urldefense.com/v3/__https://en.wikipedia.org/wiki/Layered_security__;!!NEt6yMaO-gk!Tw9lbMxww481JNNLZlsb30EWBwhxUeOMmaFkiRKCTP1kWW7IWmKQhR2Zx-S1Gw$
>> To the RH security problem we are discussing:
>> (1) the border ACLs may fail to deploy. For example, there may be 1 border router (among 1000) that is not configured correctly.
>> (2) a border router may be compromised (RFC8279 "If a BFIR is compromised"), the ACLs on the border router may be modified.
> 
> a useful second line of defence would be to recommend that all
> crh-capable nodes drop packets containing CRHs if either the SID is
> unknown or if it comes from a source IP address outside the CRH domain.
> The perimeter of the domain will presumably already use regular iACLs to
> protect the internal infrastructure from spoofing attacks.  If your
> iACLs fail, you have bigger problems.
> 
> Good point though - something like this should go into the security
> considerations section.

Makes sense to me. (And is logically distinct from the 8754 case, in a good way.)

—John
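The two-part check Nick proposes above (drop a CRH-carrying packet if any SID in it is unknown to this node, or if the source address lies outside the CRH domain), written out as an added example that is not part of this thread or of any CRH implementation. It assumes the CRH-16 wire layout from the CRH draft (a 4-octet fixed part of Next Header, Hdr Ext Len, Routing Type, Segments Left, followed by 16-bit SIDs and zero padding to an 8-octet boundary), assumes routing type value 5 for CRH-16, treats SID 0 as padding, and uses a constructed domain prefix and SID set; the packets it filters are constructed inline. It is stricter than the quoted wording in one respect: it rejects an unknown SID anywhere in the list, not only the next one to be consumed.

```python
import ipaddress
import struct

# Constructed policy for this example: the prefix the CRH domain is numbered from
# and the set of SIDs this node has been told about by its control plane.
CRH_DOMAIN = ipaddress.ip_network("2001:db8:100::/48")
KNOWN_SIDS = {1, 2, 3, 4}

ROUTING_HEADER = 43        # IPv6 Next Header value for a Routing Header (RFC 8200)
NO_NEXT_HEADER = 59        # IPv6 "No Next Header" (RFC 8200)
CRH16_ROUTING_TYPE = 5     # assumption: routing type used for CRH-16 in this example


def parse_ipv6(pkt):
    """Return (src, dst, next_header, payload) from a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return src, dst, next_header, pkt[40:]


def parse_crh16(hdr):
    """Parse a CRH-16 routing header and return (segments_left, [non-zero SIDs])."""
    if len(hdr) < 4:
        raise ValueError("truncated routing header")
    _nh, ext_len, rtype, segments_left = struct.unpack_from("!BBBB", hdr)
    if rtype != CRH16_ROUTING_TYPE:
        raise ValueError("not a CRH-16 header")
    total = (ext_len + 1) * 8          # Hdr Ext Len is in 8-octet units, excluding the first 8
    if len(hdr) < total:
        raise ValueError("truncated routing header")
    body = hdr[4:total]
    sids = [struct.unpack_from("!H", body, i)[0] for i in range(0, len(body), 2)]
    # assumption: SID 0 is the zero padding that fills the header to 8 octets
    return segments_left, [s for s in sids if s != 0]


def crh_filter(pkt):
    """Apply the second-line-of-defence policy; return 'accept' or a 'drop: ...' reason."""
    try:
        src, _dst, next_header, payload = parse_ipv6(pkt)
    except ValueError as exc:
        return f"drop: {exc}"
    if next_header != ROUTING_HEADER or len(payload) < 4 or payload[2] != CRH16_ROUTING_TYPE:
        return "accept"                # no CRH present; outside this filter's scope
    try:
        _segments_left, sids = parse_crh16(payload)
    except ValueError as exc:
        return f"drop: {exc}"
    # Check 1: a CRH may only arrive from inside the CRH domain.
    if src not in CRH_DOMAIN:
        return "drop: source outside CRH domain"
    # Check 2: every SID must be one this node knows.
    unknown = [s for s in sids if s not in KNOWN_SIDS]
    if unknown:
        return f"drop: unknown SID {unknown[0]}"
    return "accept"


def build_packet(src, dst, sids, segments_left):
    """Construct an IPv6 packet carrying a CRH-16 (sample input for the filter)."""
    body = b"".join(struct.pack("!H", s) for s in sids)
    pad = (-(4 + len(body))) % 8
    ext_len = (4 + len(body) + pad) // 8 - 1
    crh = struct.pack("!BBBB", NO_NEXT_HEADER, ext_len, CRH16_ROUTING_TYPE, segments_left)
    crh += body + b"\x00" * pad
    ipv6 = struct.pack("!IHBB", 0x60000000, len(crh), ROUTING_HEADER, 64)
    ipv6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ipv6 + crh


if __name__ == "__main__":
    # Constructed packets: one legitimate, one spoofed from outside, one with a bogus SID.
    print(crh_filter(build_packet("2001:db8:100::1", "2001:db8:100::2", [1, 2], 2)))
    print(crh_filter(build_packet("2001:db8:999::1", "2001:db8:100::2", [1, 2], 2)))
    print(crh_filter(build_packet("2001:db8:100::1", "2001:db8:100::2", [7], 1)))
```

The source-address check is the one that depends on the perimeter iACLs Nick mentions: it only adds value if spoofed domain-internal addresses are blocked at the border, which is why the two checks are worth applying together rather than relying on either alone.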