Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
"Les Ginsberg (ginsberg)" <ginsberg@cisco.com> Fri, 23 March 2018 22:43 UTC
Return-Path: <ginsberg@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DBE512D94D; Fri, 23 Mar 2018 15:43:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x2M6jvMmKVUI; Fri, 23 Mar 2018 15:43:46 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D92512946D; Fri, 23 Mar 2018 15:43:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5498; q=dns/txt; s=iport; t=1521845026; x=1523054626; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=50zWlKjFyo2RCH4Z0AK547U3OSnp/ubadgi2vu0TwIc=; b=mPEY1L/zeewIugSTJP6x938amllj8sItLgBmznj56NslkT+TGB8oelBN AhR7c7VxRXsOxZisIFvLwXRZfF4jg+D6bbb3vAi9m3HoLX0jaWPWUKlsC Ep/Su+P2b/MKRAggcCKQlXHP11A/pUdJZUUTKo/YpyHPtY5OPioug1pez Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A5AQD2gbVa/4gNJK1dGQEBAQEBAQEBAQEBAQcBAQEBAYMSL2FwKAqDUod/jRCBdIERkk2CBgsjgViDCgIag1YhNBgBAgEBAQEBAQJrKIUlAQEBBCMRUQQCAQYCEQEDAQEBAgImAgICMBUCBggCBAESCIUGD41dmziCIIhBghUFgQiEJ4IRgVRAgQyDBoMTAQECAYFygmqCVAOXPAgChU+FMIMngTgagz2HMokShjwCERMBgSQBHDiBUnAVgn2CIRiOFm+OFiuBBIEWAQE
X-IronPort-AV: E=Sophos;i="5.48,352,1517875200"; d="scan'208";a="88942448"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Mar 2018 22:43:45 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id w2NMhjGm024897 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 23 Mar 2018 22:43:45 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Fri, 23 Mar 2018 17:43:45 -0500
Received: from xch-aln-001.cisco.com ([173.36.7.11]) by XCH-ALN-001.cisco.com ([173.36.7.11]) with mapi id 15.00.1320.000; Fri, 23 Mar 2018 17:43:44 -0500
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: David Mandelberg <david+work@mandelberg.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-spring-segment-routing-13
Thread-Index: AQHTVAN+h13Fy6LhA0quT26NkWnvTKPee6ywgAEZggD//7GikA==
Date: Fri, 23 Mar 2018 22:43:44 +0000
Message-ID: <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org>
In-Reply-To: <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.5.233]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/zZqPhuF3rTZp8VSaSStv0lMJ6eI>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 22:43:59 -0000
David -
Thanx for the very prompt response.
If a controller (for example) is defining a SID stack for an SR Policy, it can choose to use an Adj-SID which is advertised as Persistent and be confident that the SID will not be reused for some other purpose no matter what happens on the owning node.
BTW, the flag isn’t new - it has been part of the IGP specifications for quite a long while. It just wasn't mentioned in the SR Architecture in earlier versions.
HTH
Les
> -----Original Message-----
> From: David Mandelberg <david+work@mandelberg.org>
> Sent: Friday, March 23, 2018 3:17 PM
> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
> Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
>
> Hi,
>
> How will the indication of persistence be used? I scanned the changes from -13
> to -15, but I didn't notice any other text about the new flag.
>
> On 03/23/2018 06:34 AM, Les Ginsberg (ginsberg) wrote:
> > David -
> >
> > Apologies. It appears that I neglected to respond to this old review
> > comment.
> >
> > This was not intentional. Authors actively discussed your comment
> > promptly and we did add text in V14 of the draft to address this point:
> >
> > Please see:
> > https://tools.ietf.org/html/draft-ietf-spring-segment-routing-15#secti
> > on-3.4
> >
> > /o Indication whether the Adj-SID is persistent across control plane/
> >
> > / restarts. Persistence is a key attribute in ensuring that an
> > SR/
> >
> > / Policy does not temporarily result in misforwarding due to/
> >
> > / reassignment of an Adj-SID./
> >
> > //
> >
> > Please let us know if this adequately addresses your comment.
> >
> > Again, apologies for the long delay.
> >
> > Les
> >
> > > -----Original Message-----
> >
> > > From: David Mandelberg <david@mandelberg.org>
> >
> > > Sent: Thursday, November 02, 2017 10:53 AM
> >
> > > To: iesg@ietf.org; secdir@ietf.org; draft-ietf-spring-segment-
> >
> > > routing.all@ietf.org
> >
> > > Subject: secdir review of draft-ietf-spring-segment-routing-13
> >
> > >
> >
> > > I have reviewed this document as part of the security directorate's
> > ongoing
> >
> > > effort to review all IETF documents being processed by the IESG.
> > These
> >
> > > comments were written primarily for the benefit of the security
> > area directors.
> >
> > > Document editors and WG chairs should treat these comments just
> > like any
> >
> > > other last call comments.
> >
> > >
> >
> > > The summary of the review is Ready with nits.
> >
> > >
> >
> > > This document affects routing within a trusted domain, and the
> > security
> >
> > > considerations section adequately talks about filtering at the
> > border of a trusted
> >
> > > domain.
> >
> > >
> >
> > > I do have one question about something I didn't see in the
> > document, what
> >
> > > happens when SIDs change while packets are in transit? Here's a
> > hypothetical
> >
> > > situation that could be bad for security, but I'm not sure whether
> > or not it could
> >
> > > happen: 1. An internal node calculates an SR Policy and sends out a
> > packet that
> >
> > > will eventually egress towards a BGP peer. 2. Multiple links on the
> > BGP router go
> >
> > > down and then back up, but are allocated different PeerAdj SIDs
> > than they had
> >
> > > before. 3. The packet reaches the BGP router, but egresses to the
> > wrong BGP
> >
> > > peer because the original PeerAdj SID is now mapped to a different
> > PeerAdj
> >
> > > segment.
> >
> > >
> >
> > > --
> >
> > > Freelance cyber security consultant, software developer, and more
> >
> > > https://david.mandelberg.org/
> >
>
>
> --
> Freelance cyber security consultant, software developer, and more
> https://david.mandelberg.org/
- [secdir] secdir review of draft-ietf-spring-segme… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-spring-s… Les Ginsberg (ginsberg)
- Re: [secdir] secdir review of draft-ietf-spring-s… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-spring-s… Les Ginsberg (ginsberg)
- Re: [secdir] secdir review of draft-ietf-spring-s… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-spring-s… Les Ginsberg (ginsberg)
- Re: [secdir] secdir review of draft-ietf-spring-s… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-spring-s… Les Ginsberg (ginsberg)
- Re: [secdir] secdir review of draft-ietf-spring-s… Eric Rescorla
- Re: [secdir] secdir review of draft-ietf-spring-s… Les Ginsberg (ginsberg)
- Re: [secdir] secdir review of draft-ietf-spring-s… Eric Rescorla
- Re: [secdir] secdir review of draft-ietf-spring-s… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-spring-s… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-spring-s… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-spring-s… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-spring-s… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-spring-s… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-spring-s… Benjamin Kaduk