IETF Logo Mail Archive

[spring] Re: I-D Action: draft-ietf-spring-srv6-security-09.txt

Nick Buraglio <buraglio@forwardingplane.net> Thu, 06 November 2025 18:44 UTC

Return-Path: <buraglio@forwardingplane.net>
X-Original-To: spring@mail2.ietf.org
Delivered-To: spring@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 600A6849BCB9 for <spring@mail2.ietf.org>; Thu, 6 Nov 2025 10:44:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=forwardingplane.net
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dStEvH0she8t for <spring@mail2.ietf.org>; Thu, 6 Nov 2025 10:44:53 -0800 (PST)
Received: from mail-qv1-xf35.google.com (mail-qv1-xf35.google.com [IPv6:2607:f8b0:4864:20::f35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B31D8849BCB2 for <spring@ietf.org>; Thu, 6 Nov 2025 10:44:53 -0800 (PST)
Received: by mail-qv1-xf35.google.com with SMTP id 6a1803df08f44-88057f5d041so13664846d6.1 for <spring@ietf.org>; Thu, 06 Nov 2025 10:44:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forwardingplane.net; s=google; t=1762454693; x=1763059493; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=GBe1SHmXAt/PkNytTqjghR7deeNjOG/sfPSDFrUJjB4=; b=O5NQP1z4aq1GHfIBiPrPJqk9ChfmjV8t64Q+DZl/H24wGfCEsC+os/EebOELmVwbKX U0bEMvB6qYZ6Zf3wwWjS1isNWeYIlgpiL70R81268yUAwizH6yky0XgOKq+BTT01X9Sk zpVzqv9qoMxKoas2wjehw3fNle5LIsZO1CgAo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1762454693; x=1763059493; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=GBe1SHmXAt/PkNytTqjghR7deeNjOG/sfPSDFrUJjB4=; b=IQyuKa7FbMeXgI7503HuhI+Zwcz9ETwR67bZPTARXpx5IAb2wP8izXtGsk40k7iVT9 Mb4MggiTi82vek0xsOFe8KFRXnq5SqbmVZvTEE+NGZmWcvwezm/sGBuRbVcGIenYRj1W NRu5HrwSFe+r3SOKLrEBasLfoMjBq+cLGdOi+Iiw80bfroj1yAS7SSzQsEgNpMBoGrzM xEejNp0bsNEA6387mMbDPNccHVNsFRyrMp89CVJycbkYOpU09Epe63ZjqjWlhsljMJIR ibyQ6zqNE5zPAcADg5EEbOulF4/AhsLCq0ZFjnVHMdSX+FXJmkHlwcVP/4PFTsJKtUvO H9fA==
X-Gm-Message-State: AOJu0YwJS3bMN3WxXpCEuD+CbeG8sWYPo3mQYn0j8RgyKx8QobKoR1sp Jirp6sbhlIC6TvQ0jcFvtMy4x0JzhoxTaHO/+xqQmWAoQaaIFLVscnNkmeGsWlZFJgqDTum8aXm iLQZqptDaHqaozbA9wERQYS6p/8cHi8GVFLaET/yhzKSA9iA+0ett8ZFaNXo=
X-Gm-Gg: ASbGncu/+7P95YVbXDyhSoU9BWIRbCK00CzBAIAEX9kYNdh7pDCanAKB/+IkXrrmoFY wkDHyUXcYLQGePfEiJEVXIyEJ/HXRGwVwnK1jUsXg162xuZreSi+nHqDm5rWxby1YgSA8Iezjk4 KdikhCJrjFL92WCxSpmMOKixYWgcLl5Rs7auu57QJpZBnc7c6pNduQY3ru1H9XO78NK4IvU1Ngc /sjO6u2R1mRbf3/Um0rBXzfbqP7aAIF1Oeu94BJGhdb2v8X3sHQF4SbXrlg8ECNbBmRKNUkIBzU n1MrB8imtERKgwstzsV5VkoJ+kI=
X-Google-Smtp-Source: AGHT+IGWYnCiYUZiISDLa+s/iBWJRO4t5uOXlGg1kvvlgVsG6bSeRSKmZG1kY353AiJBad5nOa2ih+FvUyitRBXea28=
X-Received: by 2002:a05:6214:21e8:b0:880:523c:a57e with SMTP id 6a1803df08f44-88167b17975mr7385766d6.10.1762454693116; Thu, 06 Nov 2025 10:44:53 -0800 (PST)
MIME-Version: 1.0
References: <176243992050.1121566.9646304621236626647@dt-datatracker-5df8666cb-7l4w5> <de2195e4-e26d-49f0-a061-55a28ca0ce3e@joelhalpern.com> <CACMsEX8GkA+EBYr3qqUcKbvZGdgALn22eJF6PX6yZvCZWuGE8A@mail.gmail.com> <e6732dc7-3970-4236-a5bc-4b37045eb4e5@joelhalpern.com>
In-Reply-To: <e6732dc7-3970-4236-a5bc-4b37045eb4e5@joelhalpern.com>
From: Nick Buraglio <buraglio@forwardingplane.net>
Date: Thu, 06 Nov 2025 13:44:42 -0500
X-Gm-Features: AWmQ_blYFxjwvJLB9SYN0vh77s0jSMucYUbb7GhzF0aJjSqRORahw7aK3D17uc8
Message-ID: <CACMsEX-LO2_fTChWWKUoqtE8qHHyNRB2U75Ps7TmaRdtwxDKzQ@mail.gmail.com>
To: Joel Halpern <jmh@joelhalpern.com>
Content-Type: multipart/alternative; boundary="000000000000ea8a160642f175da"
Message-ID-Hash: HQXDIL6TOOX4YZN5STOZ32HLMFHQBQFL
X-Message-ID-Hash: HQXDIL6TOOX4YZN5STOZ32HLMFHQBQFL
X-MailFrom: buraglio@forwardingplane.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spring.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: spring@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [spring] Re: I-D Action: draft-ietf-spring-srv6-security-09.txt
List-Id: "Source Packet Routing in NetworkinG (SPRING)" <spring.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/-gFboNxIne1P55I6dBVmyU-hhNI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Owner: <mailto:spring-owner@ietf.org>
List-Post: <mailto:spring@ietf.org>
List-Subscribe: <mailto:spring-join@ietf.org>
List-Unsubscribe: <mailto:spring-leave@ietf.org>

Joel,

Would Suresh's text aid in that clarification?

*Following the direction of [RFC8402], the current document assumes that
SRv6 is deployed within a trusted domain and that the traffic is filtered
at the domain boundaries. Traffic MUST be filtered at the domain
boundaries. Thus, most of the attacks described in this document are
limited to within the domain (i.e., internal attackers).*




On Thu, Nov 6, 2025 at 12:22 PM Joel Halpern <jmh@joelhalpern.com> wrote:

> From where I sit, I can't see how the detailed text in 7.1 (MUST be
> filtered) comports with the new text that says that the trust boundary can
> be policy without mechanism.
>
> Yours,
>
> Joel
> On 11/6/2025 12:16 PM, Nick Buraglio wrote:
>
> Joel,
>
> In section 7.1 we provide a fair amount of detail surrounding filtering a
> trusted domain. For example:
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *7.1.  Trusted Domains and Filtering 7.1.1.  Overview    As specified in
> [RFC8402]:     By default, SR operates within a trusted domain.  Traffic
> MUST be     filtered at the domain boundaries.     The use of best
> practices to reduce the risk of tampering within the     trusted domain is
> important.  Such practices are discussed in     [RFC4381] and are
> applicable to both SR-MPLS and SRv6.    Following the spirit of [RFC8402],
> the current document assumes that    SRv6 is deployed within a trusted
> domain.  Traffic MUST be filtered    at the domain boundaries.  Thus, most
> of the attacks described in    this document are limited to within the
> domain (i.e., internal    attackers). *
> There is quite a lot dedicated to protecting the TD and what it means if
> it isn't.
> Would that be sufficient?
>
> nb
>
>
>
> On Thu, Nov 6, 2025 at 9:48 AM Joel Halpern <jmh@joelhalpern.com> wrote:
>
>> Speaking strictly as a participant, I don't see how a trust domain
>> boundary can exist purely as a polciy demarcation without enforcement
>> mechanism.  An organization may have a boundary on where it wants to run
>> SRv6 by policy..  But there needs to be an enforced boundary (either at
>> or around that policy boundary) or folks who are not trusted will be
>> able to send in SRv6 packets with arbitrary SRH, destination, etc.
>> This change to the wording does not seem to me as a participant to be
>> correct.
>>
>> Yours,
>>
>> Joel
>>
>> On 11/6/2025 9:38 AM, internet-drafts@ietf.org wrote:
>> > Internet-Draft draft-ietf-spring-srv6-security-09.txt is now available.
>> It is
>> > a work item of the Source Packet Routing in Networking (SPRING) WG of
>> the
>> > IETF.
>> >
>> >     Title:   Segment Routing IPv6 Security Considerations
>> >     Authors: Nick Buraglio
>> >              Tal Mizrahi
>> >              Tian Tong
>> >              Luis M. Contreras
>> >              Fernando Gont
>> >     Name:    draft-ietf-spring-srv6-security-09.txt
>> >     Pages:   30
>> >     Dates:   2025-11-06
>> >
>> > Abstract:
>> >
>> >     SRv6 is a traffic engineering, encapsulation and steering mechanism
>> >     utilizing IPv6 addresses to identify segments in a pre-defined
>> >     policy.  This document discusses security considerations in SRv6
>> >     networks, including the potential threats and the possible
>> mitigation
>> >     methods.  The document does not define any new security protocols or
>> >     extensions to existing protocols.
>> >
>> > The IETF datatracker status page for this Internet-Draft is:
>> > https://datatracker.ietf.org/doc/draft-ietf-spring-srv6-security/
>> >
>> > There is also an HTML version available at:
>> > https://www.ietf.org/archive/id/draft-ietf-spring-srv6-security-09.html
>> >
>> > A diff from the previous version is available at:
>> >
>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-spring-srv6-security-09
>> >
>> > Internet-Drafts are also available by rsync at:
>> > rsync.ietf.org::internet-drafts
>> >
>> >
>> > _______________________________________________
>> > I-D-Announce mailing list -- i-d-announce@ietf.org
>> > To unsubscribe send an email to i-d-announce-leave@ietf.org
>>
>> _______________________________________________
>> spring mailing list -- spring@ietf.org
>> To unsubscribe send an email to spring-leave@ietf.org
>>
>

v2.46.0 | Report a Bug | By Email | System Status