IETF Logo Mail Archive

[secdir] secdir review of draft-ietf-spring-segment-routing-13

David Mandelberg <david@mandelberg.org> Thu, 02 November 2017 17:53 UTC

Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D768913F474 for <secdir@ietfa.amsl.com>; Thu, 2 Nov 2017 10:53:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K3MzBFlwsiu3 for <secdir@ietfa.amsl.com>; Thu, 2 Nov 2017 10:53:22 -0700 (PDT)
Received: from sonic317-34.consmr.mail.gq1.yahoo.com (sonic317-34.consmr.mail.gq1.yahoo.com [98.137.66.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51FA91394E4 for <secdir@ietf.org>; Thu, 2 Nov 2017 10:53:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1509645201; bh=+H7dIS7s66n2HPPxVfDXxMgFGXMC5lxXKao4TFc6JVs=; h=To:From:Subject:Date:From:Subject; b=b4IPRM0SmJ5JDRvkH+R82QTOPoB61Qcni+1uSgKNQnhkEpi0AhAQb5QVybG5YXUbcKpKmjGVRbPWt0+wJLduEOs7m4EvJ+bdELqYI0t9OlkiC2AlWTat4rHLGvRSIGiG6sndhsklm2QOHKh73T0i5Q8efvCDgp+9HvnzYFiZgipz0ebOhfjQdWzggWaoTHPZGta3Cq6rJVZW7yJF4PJ7YehXyZXTpc8m4iE/zmL5dJvHVLKT2YYsh4/B0SVV+PqLsYuqJxKYFtZQlhUliKhdrREL+fTeoxk1zelqodntnQHosJZFXVd++wcXfImx1S/q/RECFbTia9DYf9CJNnMgcw==
X-YMail-OSG: h04lq44VM1kHf4SLi4ukwf2t05Puq5b5TwFvhwaKOHa6kB6_ayEsaa1NXR056Cx k7ruGEiRxmb27P7yhcJgN7vnJtTkjvszmelt2TkNqYO3FMDKh91sVlZmIJBtBu4Wz4hxoqqffzAa GVth9..EsLWj4VJ6P.syGO84CurQIdPO0iVZKvf5VzM9k6gTNTDjozVIBoVAmHRNvqP2eRyl.l9j MyxUUaVySwiMXyyzncGz2cM4MWuu0_e_gbsZ3ln37LHa3A_ZF9PsRmsay5w0smduyMBs4m50CUQt AbvBlZfA8E4oiw2moQv0vENIj_jIsASHUS01K20k_I.JuDgdSvVl9KzTMU1QiZw1Z3Z1k.bfn6M6 NSvRieMk7Ns_6L5Ax.5OSGREslxFZ.0qQUG3RWrl7Qg6TVDFljsClgG7cdMmrLIvwkH.gpPX8sqj 309GgWFFLjf8x0lU3KkWqZNplQIzAFsdWCRdXDaJFiu9x4OU6kbSNFvBoELP3bYj_RkklEksnuoU uWFfW_yzpLOyRybP8iDETgL0BG02gyKe8clb3yslT2d_iZtYiDxOYEwZ1kpJH7_0fd8wSFW7r
Received: from sonic.gate.mail.ne1.yahoo.com by sonic317.consmr.mail.gq1.yahoo.com with HTTP; Thu, 2 Nov 2017 17:53:21 +0000
Received: from [127.0.0.1] by smtp114.sbc.mail.ne1.yahoo.com with NNFMP; 02 Nov 2017 17:53:20 -0000
X-Yahoo-Newman-Id: 609678.75684.bm@smtp114.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: h04lq44VM1kHf4SLi4ukwf2t05Puq5b5TwFvhwaKOHa6kB6 _ayEsaa1NXR056Cxk7ruGEiRxmb27P7yhcJgN7vnJtTkjvszmelt2TkNqYO3 FMDKh91sVlZmIJBtBu4Wz4hxoqqffzAaGVth9..EsLWj4VJ6P.syGO84CurQ IdPO0iVZKvf5VzM9k6gTNTDjozVIBoVAmHRNvqP2eRyl.l9jMyxUUaVySwiM XyyzncGz2cM4MWuu0_e_gbsZ3ln37LHa3A_ZF9PsRmsay5w0smduyMBs4m50 CUQtAbvBlZfA8E4oiw2moQv0vENIj_jIsASHUS01K20k_I.JuDgdSvVl9KzT MU1QiZw1Z3Z1k.bfn6M6NSvRieMk7Ns_6L5Ax.5OSGREslxFZ.0qQUG3RWrl 7Qg6TVDFljsClgG7cdMmrLIvwkH.gpPX8sqj309GgWFFLjf8x0lU3KkWqZNp lQIzAFsdWCRdXDaJFiu9x4OU6kbSNFvBoELP3bYj_RkklEksnuoUuWFfW_yz pLOyRybP8iDETgL0BG02gyKe8clb3yslT2d_iZtYiDxOYEwZ1kpJH7_0fd8w SFW7r
X-Yahoo-SMTP: 4kJJK.qswBDPuwyc5wW.BPAQqNXdy5j09UNyeAS0pyOQ708-
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 5C8471C6098; Thu, 2 Nov 2017 13:53:17 -0400 (EDT)
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-spring-segment-routing.all@ietf.org
From: David Mandelberg <david@mandelberg.org>
Message-ID: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org>
Date: Thu, 02 Nov 2017 13:53:14 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DW3Y0huKi8sSGZtNfA4SlT3vjEA>
Subject: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Nov 2017 17:53:24 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Ready with nits.

This document affects routing within a trusted domain, and the security 
considerations section adequately talks about filtering at the border of 
a trusted domain.

I do have one question about something I didn't see in the document, 
what happens when SIDs change while packets are in transit? Here's a 
hypothetical situation that could be bad for security, but I'm not sure 
whether or not it could happen: 1. An internal node calculates an SR 
Policy and sends out a packet that will eventually egress towards a BGP 
peer. 2. Multiple links on the BGP router go down and then back up, but 
are allocated different PeerAdj SIDs than they had before. 3. The packet 
reaches the BGP router, but egresses to the wrong BGP peer because the 
original PeerAdj SID is now mapped to a different PeerAdj segment.

-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/

v2.23.0 | Report a Bug | By Email