Re: [secdir] Secdir last call review of draft-ietf-6man-segment-routing-header-22

"Darren Dukes (ddukes)" <ddukes@cisco.com> Wed, 21 August 2019 15:35 UTC

Return-Path: <ddukes@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3154B120074; Wed, 21 Aug 2019 08:35:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=UmrvyD0M; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=kxywuPeQ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fk0M1aoNHUkU; Wed, 21 Aug 2019 08:35:22 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C931912000F; Wed, 21 Aug 2019 08:35:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4250; q=dns/txt; s=iport; t=1566401721; x=1567611321; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=mWdK3GGQkVeOi13c9e1Rxqd3nubnx2dwMVh/Ev5xd7A=; b=UmrvyD0MnzkIZiw5PCRcCl1ouPyBSiPmlLM0y8IRoAd6hwgderO/wHs6 WOK36OXKp1z2XHww9e2KfhYs1DXkh9JpuZaMVxLaHhjrXEK/t1W+MkV/P gNpurnzU8grq+xnG3JL09hKp47c0XK/kUaPafo2Oqm02Aiq6MUxxD5xv+ A=;
IronPort-PHdr: =?us-ascii?q?9a23=3AsxdlYBB7mKRI6u/f8KutUyQJPHJ1sqjoPgMT9p?= =?us-ascii?q?ssgq5PdaLm5Zn5IUjD/qg83kTRU9Dd7PRJw6rNvqbsVHZIwK7JsWtKMfkuHw?= =?us-ascii?q?QAld1QmgUhBMCfDkiuIPL3bCEhNM9DT1RiuXq8NBsdFQ=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ArAAC1Y11d/49dJa1bCRsBAQEBAwE?= =?us-ascii?q?BAQcDAQEBgVQFAQEBCwGBRFADgUIgBAsqCoQVg0cDimeCNyWXZYEugSQDVAk?= =?us-ascii?q?BAQEMAQEtAgEBhD8CF4JFIzUIDgIFAQEEAQEBAgEGBG2FJwyFSgEBAQECARI?= =?us-ascii?q?REQwBATcBBAsCAQYCDgoCAiYCAgIwFRACBA4FIoMAgWsDDg8BAo8BkGECgTi?= =?us-ascii?q?IYXOBMoJ7AQEFhRQYghYJgQwoAYpCgSsYgUA/gREnDBOCTD6EGiqDCzKCJo8?= =?us-ascii?q?XhTKXEAkCgh2QRIN1G4IxhzCOZaVpAgQCBAUCDgEBBYFRATaBWHAVGksBgkG?= =?us-ascii?q?CQoNyilNygSmKfAGBIAEB?=
X-IronPort-AV: E=Sophos;i="5.64,412,1559520000"; d="scan'208";a="613812254"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 21 Aug 2019 15:35:20 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id x7LFZK6i030816 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 21 Aug 2019 15:35:20 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 21 Aug 2019 10:35:20 -0500
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 21 Aug 2019 11:35:19 -0400
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Wed, 21 Aug 2019 10:35:19 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LqgmiWG7iC2Y2aZpDuQ+FwuAPz/RNGObnIVlmYrskR3kNI5pO4NbMzhicMHOLURWMSM/7mcnfsFh0XPHyl7yUJ1eIm2mTdv/LCRwxaymlYsMVMvdfYrZAGbKBnpxKf06XIrF6laGryorY6ETnmseo3RUiEvm0am6RbLNv64nLRnAz6SmCaeqIe4qJc8MgizyUMugtCthYptBEDwCGd5ardjiN3ejbPdtft/9syxgrGhZB/OimiaLjuJT5kK1Tay3ag/0f+yw1asvPMa0Xg0Kt6khz1gq2WdBKOQcujga+A+rjTpLGtrRt0moNODvW57SB7UOWdsICwgpxqFXjvAU9Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mWdK3GGQkVeOi13c9e1Rxqd3nubnx2dwMVh/Ev5xd7A=; b=AYZd5x0Kk//WozP9qeLkLDJ+yLF2OS8ty4ruLz9QbZW8Ov5lU5MnnpoEymbmzIURc2nvh5kVkVe/a+zbVBCaQxR/cFAZsupI7py8mgAsBhrXSQsJ3Rt1GP7vScBcmYbbgB+SnExJbrsu2FGekRzmOt9L4Aw0fw9b7x8N2Z4xCdPVGcwrwcufSt0SvcrYB3q9KLr4dMvOT7aN3aNCtwg+FCBhgWo3CM+CK3cvo5bAqr4G9/jMrCn0Vwz3Q2au2i2zit7qp+KqU7gd1dSc3tn8SmVuvLKuiT4eH0EQ5fwAWctlp87iAc4dRMZF8rGwc41SW2FOQvvzywRUTAjMQzG7Iw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=cisco.com;dmarc=pass action=none header.from=cisco.com;dkim=pass header.d=cisco.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mWdK3GGQkVeOi13c9e1Rxqd3nubnx2dwMVh/Ev5xd7A=; b=kxywuPeQ3UO2NQTwAdaS44vC6ZIvZcVEVj/3dfUeoRPGhqhRI9rLwF0Y5exFjU+Fspb/bpEMVLr9D7jDNjeQANIXi+5CqhSDU2Ab9Z985JHgM/NShEe83WZV3AJpPVzzerjy6zntYov7s5c53H0Dj1tcY4GO7x3ZCECCQsuljXw=
Received: from DM6PR11MB3516.namprd11.prod.outlook.com (20.177.220.141) by DM6PR11MB4492.namprd11.prod.outlook.com (52.132.251.31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2136.13; Wed, 21 Aug 2019 15:35:16 +0000
Received: from DM6PR11MB3516.namprd11.prod.outlook.com ([fe80::94bf:39d4:29cb:42d1]) by DM6PR11MB3516.namprd11.prod.outlook.com ([fe80::94bf:39d4:29cb:42d1%5]) with mapi id 15.20.2178.020; Wed, 21 Aug 2019 15:35:16 +0000
From: "Darren Dukes (ddukes)" <ddukes@cisco.com>
To: Liang Xia <frank.xialiang@huawei.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-6man-segment-routing-header.all@ietf.org" <draft-ietf-6man-segment-routing-header.all@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-6man-segment-routing-header-22
Thread-Index: AQHVUxspvqTpv8U/cUmc6z0cPvC7r6cFxdkA
Date: Wed, 21 Aug 2019 15:35:16 +0000
Message-ID: <4074EC87-36AB-4521-A415-DCDC621C4129@cisco.com>
References: <156584039497.2287.2516898029582755543@ietfa.amsl.com>
In-Reply-To: <156584039497.2287.2516898029582755543@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ddukes@cisco.com;
x-originating-ip: [161.44.212.218]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 33420f7f-dda2-4084-2759-08d7264d2ad7
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM6PR11MB4492;
x-ms-traffictypediagnostic: DM6PR11MB4492:
x-microsoft-antispam-prvs: <DM6PR11MB449248F62A97A736BD408CE4C8AA0@DM6PR11MB4492.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0136C1DDA4
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(366004)(39860400002)(396003)(376002)(136003)(189003)(199004)(14444005)(6486002)(6246003)(53546011)(81156014)(71200400001)(4326008)(36756003)(26005)(66446008)(54906003)(5660300002)(316002)(64756008)(14454004)(3846002)(6512007)(8936002)(6116002)(486006)(6506007)(66066001)(25786009)(81166006)(446003)(91956017)(33656002)(99286004)(7736002)(476003)(102836004)(66946007)(76116006)(8676002)(6436002)(71190400001)(66556008)(2616005)(478600001)(186003)(66476007)(256004)(53936002)(11346002)(6916009)(2906002)(86362001)(229853002)(76176011)(305945005); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR11MB4492; H:DM6PR11MB3516.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: N93Tbs355fbk25qvAJiQJ/X+gZ7bq7IfzkvgH+amMD6+rbViCW8t/6MUeUpglSPEIUrSWSMuoVpxH3UJd/CU+eAKY5uHHq6gPAWjyG7iK0de0xR56WXXQVzwGuM9uu+Otr5mcqj+DMPMkmF6MrtBft6SFJGTPJGVKktHD4R1KH6cNc3hdhLJ6VSHZSLANrZX01XX2MQCfuLbd7a0v/fjQpLJ2bdNSOa/qQar9wTezsrSGONorM3OFErwtumPo/V7retznTkoMlGdgqSL96FJ/qZVvatAN4LRJzn8u9pYzTGbzmvM+VbXirWY76ag/dgKl2QoZw7rZx+p3TIVu84vc/scE2OXBII0VIfR9PaFVlczP8Yn4nuR86mryWZJBTICRZpXVkVhXd8KKPiNBohP8iSSgubb0pySkKDn1eesY6I=
Content-Type: text/plain; charset="utf-8"
Content-ID: <5E90721CA2841E4EBF95A894C17995A7@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 33420f7f-dda2-4084-2759-08d7264d2ad7
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Aug 2019 15:35:16.8095 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jzsF0YWpepvTxotnSZGhuyG4i+feBxsHO2uREIqbSEZ8kjnowylxWrKtVlao7uMyh9JkDQCJIZGBQUTObe/lXQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB4492
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.13, xch-rcd-003.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/T4oNtRWcINOZikB0a-cSI6Pr5hA>
Subject: Re: [secdir] Secdir last call review of draft-ietf-6man-segment-routing-header-22
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 15:35:25 -0000

Thank you for the review.  Please see inline.

> On Aug 14, 2019, at 11:39 PM, Liang Xia via Datatracker <noreply@ietf.org>; wrote:
> 
> Reviewer: Liang Xia
> Review result: Has Issues
> 
> Some nits:
> 1. title of Section 4.3.2: /FIB Entry is a Local Interface/FIB Entry Is A Local
> Interface
OK

> 2. title of Section 5.2: /SR Domain as a single system with
> delegation among components/SR Domain as A Single System with Delegation among
> Components 

OK


> 3. Section 2.1.1: /There are two types of padding TLVs, pad1 and
> padN, the following applies to both/There are two types of Padding TLVs, pad1
> and padN, the following applies to both 

Ack, we’ll use Padding TLV capitalized as a name.

> 4. Section 2.1.2: "Alignment
> requirement: 8n". What is 8n? For better readability, can you give a more clear
> clarification text? 

Section 2.1 describes what an alignment requirement is and how it is documented, referencing RFC8200.

"All TLVs specify their alignment requirements using an xn+y format.
   The xn+y format is defined as per [RFC8200].  The SR Source nodes use
   the xn+y alignment requirements of TLVs and padding TLVs when
   constructing an SRH.”

Does this address your concern?

> 5. Section 4.1: /HMAC TLV may be set according to Section
> 7./HMAC TLV may be set according to Section 2.1.2./? 

Thanks, I’ve fixed the XML xref for the next revision.

> 6. Section 4.3: have a "*"
> before every item of "A FIB entry…”
> ?
> 

Sure, I expect that would make it more obvious they are individual line items.

> 1 issue:
> The Security Considerations Section mainly clarifies the security protection
> based on the strict SR Domain boundary protection paradigm, and the
> considerations of some identified attacks. They are valuable, but maybe not
> complete in scope. I noticed 2 SR related security consideration drafts
> (draft-perkins-sr-security-00 and
> draft-li-spring-srv6-security-consideration-00), which are trying to summarize
> all the possible vulnerabilities in SR network. I personally suggests the
> authors to review them and consider how to reference or incorporate the
> valuable considerations from them.

Thank you for this suggestion, I’ve analyzed both the referenced documents:

draft-li-spring-srv6-security-consideration-01 concludes that there is no packet falsification, identity spoofing, packet replay, DOS/DDOS threat within an SR Domain.
It defines a security design following that documented in draft-ietf-6man-segment-routing-header-22.  I see nothing to add from this draft.

draft-perkins-sr-security-00 discusses a set of deployment scenarios, and SIDs that are not documented in draft-ietf-6man-segment-routing-header-22, and are therefore out of scope for draft-ietf-6man-segment-routing-header to consider.

However the discussions started with draft-perkins-sr-security-00 should continue in the context of the SPRING WG, as per its charter, for the technologies and documents it produces using the SRH.

Would this address your concern?

Darren