[secdir] Secdir early review of draft-ietf-rtgwg-srv6-egress-protection-16
Phillip Hallam-Baker via Datatracker <noreply@ietf.org> Sat, 02 November 2024 12:14 UTC
From: Phillip Hallam-Baker via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Date: Sat, 02 Nov 2024 05:14:09 -0700
CC: draft-ietf-rtgwg-srv6-egress-protection.all@ietf.org, rtgwg@ietf.org
Reply-To: Phillip Hallam-Baker <hallam@gmail.com>
Subject: [secdir] Secdir early review of draft-ietf-rtgwg-srv6-egress-protection-16
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/OsW1v_jPg4W2_T6njjR-LabF6F4>

Reviewer: Phillip Hallam-Baker
Review result: Has Issues

I have reviewed this document and in general, it seems ready. While it does raise serious security concerns, it is not clear that these are new to this proposal or that this proposal gives more leverage to an attacker.

Specifically, the draft stipulates that 'the area is in a single administrative domain'. The security considerations describes one set of attacks arising from customers served by the domain. However, this set of attacks may be broader than described.

Consider for instance the case where there are two domains A and B that provide transit for ISP C. An attacker that wants to ensure C is serviced exclusively by B might perform a denial of service attack on A so as to increase the cost of that route so as to achieve that goal.

A real world attack that has been seen in the past is country X preparing for an invasion of country Y, performing BGP level attacks to effectively reroute Internet traffic within Y so that the government Web sites were serviced by fake sites set up by X. These sites containing messages of the form 'don't worry about the military exercises'.