Re: [RTG-DIR] Rtgdir last call review of draft-ietf-idr-bgpls-srv6-ext-12
Alvaro Retana <aretana.ietf@gmail.com> Mon, 12 December 2022 21:14 UTC
Return-Path: <aretana.ietf@gmail.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E27C5C14CE28; Mon, 12 Dec 2022 13:14:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vetxahdgqoX2; Mon, 12 Dec 2022 13:14:08 -0800 (PST)
Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com [IPv6:2607:f8b0:4864:20::434]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19A44C14CE25; Mon, 12 Dec 2022 13:12:52 -0800 (PST)
Received: by mail-pf1-x434.google.com with SMTP id x66so821268pfx.3; Mon, 12 Dec 2022 13:12:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:from:to:cc:subject:date:message-id:reply-to; bh=PzOj7newl4XdKLHtRYYSuNKZgGuY6VtDq+Ui/Aq9Gi8=; b=IS88NQZ9VIIYmh5j/MgZXCFfeQMronOSG6RkKotmHDCJP9eprm5CYzFfyHU1HvQO7Z D5g4DZ5BxgOWBLeY/8MdCbuGpceHgqFkTkQRSFbNxQJjDTG5flN/qnL+B+MF5hrCNLtg hD86m43nKc0rtmMWCLMbOfGdQss1Fo9pdcJSiq85f043hpJwg11Hff1QHU60A7I0K9fb YG9umHCsdZSI5Fv3lmmf7Vxil+TqZI/ui/XhRQkmP0bAtGfNWCNFXCqg1/LO9rkBsEH6 xgpUy+r5Dhd7r9SZGF+v/qelDx761w9vtmUYjrF4pUvpGssWe6ug+QbSV8RMRwAHFaR1 +d6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=PzOj7newl4XdKLHtRYYSuNKZgGuY6VtDq+Ui/Aq9Gi8=; b=bij4ZJ0tqJqgBEcfIbDOk7rrce4L37ZcTgYJ9+B4GMUarBLEKK5hzSkOrX/4cFmcFo JFCTcARmnhKR03Hn3VcZrk5Rz8dxSe0SpJtWAJ4Rb4uUi/7OBpW7qXrEt/pBD/1jXh4i TSFQgo3QoHin5U09u1tjA/PMMBaqOFoRYFzmuE8fPoSJKWR3YMjDg8AzZAs1qV5MRUiX kfDVG/fpwwFUgcMIgO/jRlpKvNmhjGK2veZiZxGqVsytkdlng14kQKr5V7/mf8vKfYBg s+L/5yybEpstFznj/aF/3Xwj0xEjOUzpy4XQ6iYbetjZHHuTVA8GuCR9//FUhAvbRqOt KczA==
X-Gm-Message-State: ANoB5pl4D5Fkr0UoSLx075Dalqnfi/qwqTrdIgbZls6b/wkXgTfjbUJG ogBs/XQZv7Aoo1tccy8tOvlH2Oxa//RoS6pzJdT7FL/s
X-Google-Smtp-Source: AA0mqf5fDzm/irzWo1zEgyi3YJpGITNgtdbdCJzHcstRlWHeaNBWzO9E+vVxZiZjwAnrSj3al6SyFfU511rPLUzkRJk=
X-Received: by 2002:a63:1464:0:b0:46a:f665:ed96 with SMTP id 36-20020a631464000000b0046af665ed96mr69653295pgu.486.1670879570782; Mon, 12 Dec 2022 13:12:50 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Mon, 12 Dec 2022 15:12:50 -0600
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <166962073801.18346.2098650422227174656@ietfa.amsl.com>
References: <166962073801.18346.2098650422227174656@ietfa.amsl.com>
MIME-Version: 1.0
Date: Mon, 12 Dec 2022 15:12:50 -0600
Message-ID: <CAMMESsyy=4-Jox4Rp9RE_0bVich91XhyyxLdjTH_Twi878QRWQ@mail.gmail.com>
To: rtg-dir@ietf.org, Stewart Bryant <stewart.bryant@gmail.com>
Cc: draft-ietf-idr-bgpls-srv6-ext.all@ietf.org, last-call@ietf.org, rtg-ads@ietf.org, idr@ietf.org, sec-ads@ietf.org
Content-Type: multipart/alternative; boundary="000000000000476f3705efa7f7aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/5A5kmPTyqurmZLN-QhzU9x0MyNI>
Subject: Re: [RTG-DIR] Rtgdir last call review of draft-ietf-idr-bgpls-srv6-ext-12
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Dec 2022 21:14:12 -0000
Stewart: Hi! Thanks for the review! The risk of propagating information beyond where it should be is not new to BGP or BGP-LS. :-( This fact is mentioned in the Security Considerations of rfc7752 (BGP-LS). The review ends by saying that "a more complete review of the security model is needed before this specification is finalised." Which security model are you referring to? This document is an application of BGP-LS -- is that what you mean? If so, please take a look at rfc7752bis [1] as any issues with BGP-LS should be addressed there. This document contains this text in the Security Considerations: BGP-LS SRv6 extensions enable traffic engineering use-cases within the Segment Routing domain. SR operates within a trusted domain [RFC8402] and its security considerations also apply to BGP-LS sessions when carrying SR information. The SR traffic engineering policies using the SIDs advertised via BGP-LS are expected to be used entirely within this trusted SR domain (e.g., between multiple AS or IGP domains within a single provider network). Therefore, precaution is necessary to ensure that the link-state information (including SRv6 information) advertised via BGP-LS sessions is limited to consumers in a secure manner within this trusted SR domain. BGP peering sessions for address-families other than Link-State may be set up to routers outside the SR domain. The isolation of BGP-LS peering sessions is RECOMMENDED to ensure that BGP-LS topology information (including the newly added SR information) is not advertised to an external BGP peering session outside the SR domain. I believe it complements this text from rfc7752bis: Additionally, it may be considered that the export of link-state and TE information as described in this document constitutes a risk to confidentiality of mission-critical or commercially sensitive information about the network. BGP peerings are not automatic and require configuration; thus, it is the responsibility of the network operator to ensure that only trusted BGP Speakers are configured to receive such information. Similar security considerations also arise on the interface between BGP Speaker and BGP-LS Consumers but their discussion is outside the scope of this document. What else is this document missing? Thanks! Alvaro. [1] https://datatracker.ietf.org/doc/draft-ietf-idr-rfc7752bis/ On November 28, 2022 at 2:32:19 AM, Stewart Bryant via Datatracker ( noreply@ietf.org) wrote: Reviewer: Stewart Bryant Review result: Has Issues I apologies for the lateness of this last call review. The routing technology in this specification seems fine, however I do have concerns over the network security. >From the text in the introduction is says: "On similar lines, introducing the SRv6 related information in BGP-LS allows consumer applications that require topological visibility to also receive the SRv6 SIDs from nodes across an IGP domain or even across Autonomous Systems (AS), as required. This allows applications to leverage the SRv6 capabilities for network programming." Then in the security section it says "SR operates within a trusted domain [RFC8402] and its security considerations also apply to BGP-LS sessions when carrying SR information." I am concerned that the exposure of sensitive network information outside the network as proposed here represents a significant security risk. I am also concerned that the increased (practically unconstrained) exposure to the threat of hostile actors. The "trusted domain" concept which is fundamental to SRv6 is fragile at best. The scope of the domain and the method of policing are not well described, and unlike MPLS which successfully operates that model, SRv6 does not have the advantage of being able to automatically classify external traffic as being of an alien type. With this specification the domain is expanded from the network itself to some subset of the applications using the network. It is difficult to see how the scope and size of the threat to the network is contained in this operational model and I do not see text that help the operator in that regard. Applications significantly increase the size of the code base and number of organizations that can introduce a threat, and by their nature expand the geographic area of risk in an unconstrained way, perhaps to the full Internet. I believe that a more complete review of the security model is needed before this specification is finalised.
- [RTG-DIR] Rtgdir last call review of draft-ietf-i… Stewart Bryant via Datatracker
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Alvaro Retana