IETF Logo Mail Archive

Re: [spring] Benjamin Kaduk's Discuss on draft-ietf-spring-srv6-network-programming-26: (with DISCUSS and COMMENT)

"Pablo Camarillo (pcamaril)" <pcamaril@cisco.com> Tue, 29 December 2020 18:04 UTC

Return-Path: <pcamaril@cisco.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 881FF3A03F5; Tue, 29 Dec 2020 10:04:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.901
X-Spam-Level:
X-Spam-Status: No, score=-11.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=cOGHrJpJ; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=iHA85A0Y
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZfY67_ke8zk2; Tue, 29 Dec 2020 10:04:30 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BA5D3A03F4; Tue, 29 Dec 2020 10:04:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7558; q=dns/txt; s=iport; t=1609265070; x=1610474670; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=eYR3VvSiCxgjSpwj9URzu3u8JcoEDwEFregziKqXRl0=; b=cOGHrJpJz0hlXIc06hotA+QcC5aULXAr8cQiVYEFuqdb7lqkUUy5KeOx MEcp9h+6RB24rTRgkuK0klfJuASzRn+Ov00flxHcQmcyM258Iya3iy3S4 +jlb5UXZkLn1l9HKWwLGT2xx+4/6dlZ398eQk6owEwZePzs85gr1xIVPn A=;
X-IPAS-Result: A0D9AADNbetfkIwNJK1iDg8BAQEBCQESAQUFAUCBPgUBCwGBUiMufVsvLgqENYNIA41gA5kNglMDVAsBAQENAQEjCgIEAQGESgIXgVgCJTcGDgIDAQEBAwIDAQEBAQUBAQECAQYEFAEBAQEBAYY4DIVzAQEBAwESEREMAQE3AQQHBAIBCBEEAQEBAgIfBwICAjAVCAgCBA4FCBqDBAGCVQMOIAEDC6R2AoE8iGl2gTKDBAEBBoUTGIIQAwaBDioBgnSDfIU+eiYbgUE/gRFDglY+gl0BAQOBXgUxAoJeNIIsgVmBD0AEHTQCIF8YG00RFAUeAo9Ngn4/pAqBEQqCdokqjRWFO6JQnxuRKxKEZgIEAgQFAg4BAQaBJUcigVlwFYMkUBcCDY4hDA4JFIM6hRSFBEB0NwIGAQkBAQMJfIphLYEGAYEQAQE
IronPort-PHdr: 9a23:jDWubxcLpkNlbRp+tsvOL9fJlGMj4e+mNxMJ6pchl7NFe7ii+JKnJkHE+PFxlwaQBdfe6u4ChubL4OjsWm0FtJCGtn1KMJlBTAQMhshemQs8SNWEBkv2IL+PDWQ6Ec1OWUUj8yS9Nk5YS8P/exvfrmDhpTIXEw/0YAxyIOm9E4XOjsOxgua1/ZCbYwhBiDenJ71oKxDjpgTKvc5Qioxneas=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,458,1599523200"; d="scan'208";a="659061443"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 29 Dec 2020 18:04:26 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id 0BTI4QQP010715 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 29 Dec 2020 18:04:26 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 29 Dec 2020 12:04:26 -0600
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 29 Dec 2020 12:04:25 -0600
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Tue, 29 Dec 2020 12:04:25 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lbeaEQZ33id7K9OEGl06n1Nf/bGEYXWXMZJ2TdZ30NqlcbiRkQ99x1pNYLFj0mRgwLKZF8DDJoNBHaVUqlv8prpep4kaRGrhIjsmbThlYjVKBJa5um+hxuDBfWMGnbPozYOpGGOu9ExjT8ktEoB3B1H4yQOV7Vs2xLKOrlvsUalpeES0vb+cdd5g91I0VZogNwebuIYYsLROOQnVg76cvJ0cSEjQ3rnHJEt/fIdt0D7ppjmhsxJzeH99PXTOjT4EIRY4enFFvpK8q2/lcnFkm8iYGoKpauFJOJpAhJwSgImBOBDZdT4PlVG0EeTdhkvslbwspYDJwd4cVcJbxGYWjw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eYR3VvSiCxgjSpwj9URzu3u8JcoEDwEFregziKqXRl0=; b=j2yoNkAYtk9FiF2D0s8RgvkNHdVj1iVYMxBDn/z7WGpfi+DXM0FsrREbydQKWgqivdyYwUSkTETsOtn9hD6UoCmk0KB6hH7caYYCujEJeirel0d1KPSOHDmj5UeqW0TuULbNEbm1Weu7h0PRwOgRIed1byepgpbyY47bptA1KtFVGB3phFGWJgu7qSa2qTKusERm9J1zXDohxCzbD+ZM1uVQ0mcUhOjnwzWqnMddyAHQO1cXZ1jntbwgP5r12J32u9rjDFaLE1wZJMpRcgmOlNxvvWpd/KstujuxSwO/LpN8V4IVw6MrKqFP7JuX1tt7CYz3ek82Rz6QULSXIhjt2w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eYR3VvSiCxgjSpwj9URzu3u8JcoEDwEFregziKqXRl0=; b=iHA85A0YfGigK9+keKGffVbt3yTgyxUwcgV1pwXoe+qLrzS/eAxNozkhGVj4J17sSkXLkeIJmTrSxDO0Gk0opdP219EOfc94xRSgZ3SMzn0tTv2FQ0FYJ2lFz4AhBGjMZw/jTU8YPSLOSJ0HFq+K8rKFAhbRM2TD+JoKZQoDjug=
Received: from SA2PR11MB5082.namprd11.prod.outlook.com (2603:10b6:806:115::5) by SN6PR11MB2703.namprd11.prod.outlook.com (2603:10b6:805:59::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3700.31; Tue, 29 Dec 2020 18:04:24 +0000
Received: from SA2PR11MB5082.namprd11.prod.outlook.com ([fe80::d8db:82ac:c47c:ad0d]) by SA2PR11MB5082.namprd11.prod.outlook.com ([fe80::d8db:82ac:c47c:ad0d%4]) with mapi id 15.20.3721.019; Tue, 29 Dec 2020 18:04:24 +0000
From: "Pablo Camarillo (pcamaril)" <pcamaril@cisco.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-spring-srv6-network-programming@ietf.org" <draft-ietf-spring-srv6-network-programming@ietf.org>, "spring-chairs@ietf.org" <spring-chairs@ietf.org>, "spring@ietf.org" <spring@ietf.org>, Bruno Decraene <bruno.decraene@orange.com>, Joel Halpern <jmh@joelhalpern.com>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-spring-srv6-network-programming-26: (with DISCUSS and COMMENT)
Thread-Index: AQHWzk11hJlsON8AwUKTQpqAtVRetqnweUEwgBzMjQCAATGmoA==
Date: Tue, 29 Dec 2020 18:04:24 +0000
Message-ID: <SA2PR11MB50827802246E89407C3FC275C9D80@SA2PR11MB5082.namprd11.prod.outlook.com>
References: <160753350153.28997.1345859562639063746@ietfa.amsl.com> <SA2PR11MB5082504972845833E0F12FF6C9CB0@SA2PR11MB5082.namprd11.prod.outlook.com> <20201228232854.GJ89068@kduck.mit.edu>
In-Reply-To: <20201228232854.GJ89068@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [83.43.91.44]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 082759c4-5b22-4765-03c0-08d8ac242ccd
x-ms-traffictypediagnostic: SN6PR11MB2703:
x-microsoft-antispam-prvs: <SN6PR11MB27033D1582AA619FEEE122A1C9D80@SN6PR11MB2703.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: xFrpt+Bc3oruhNKSjzAc8YoOJvTmt9JJKCiBPQZ6LmIR+WTURrQ5bBwB9p2sBZNGjLr7lpACr6k9gqpSs692jM3YlX0bFMCj6RxdGqcOXnWQHGTkgch349wt/Dg6sWc897aMOfYsj+B8rG9U32STTScDMS4XqswhCylPcAM+Wqj/ugbOTOSxcuk8z6qvDzqYCq2Pydi4wfgc4XAeFWr0mQCCI4x2f2IMbfdyIZbRcW/TEw2iFiLmkE28W1srrDl3hWnU3LHEDalTdXz3yYpM4HmWOd4duGSI6U3AQ8/62rzWVuPKCdYIF/HjAt3zVhtW/tdxeZWDx+81im2pUcG2iuk+7hHTjsjUIYgSvOTC/eGMnBl3zTzJ2QErenvhu94MfDyRjuFpA6WYqRR335xJy3m5vR28Bdu9KvSaDR2mDu+c1aYvstl0NUQYApPiXs2cHxU/LRdD/6WmGYXeZoMo7w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA2PR11MB5082.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(376002)(346002)(396003)(39860400002)(136003)(64756008)(6916009)(9686003)(8936002)(5660300002)(2906002)(66446008)(8676002)(76116006)(66556008)(478600001)(55016002)(316002)(52536014)(54906003)(71200400001)(26005)(53546011)(6506007)(966005)(83380400001)(66574015)(4326008)(86362001)(33656002)(66946007)(66476007)(7696005)(186003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: j7I0sHbv4TkQsNBz+ML70qtqR0Az+489BptPAsPem5/Eh8UwRYmjo/Qs2h3CcYYalXEMkTnWCiceSA6gjTXffRpzywd5IEcUTG1ykfji/7KtJb4k4AgBXSgGz7VMaL7uoROcpkse41Oa5jp7EbL6Zn1Zt5+4rDPz+Su8Kri/kUyOAQ6sTNmWk0bqdD5TRkHTjw5EdjlEa9tggdd2nlCMUlxCkFjRaYgtRoPWNYIIgyWh1hYyxi5aTMefXAFLgKxcxYHoeODvN8gnesqhtnYf3i1cE1dRSZJHODYpUHqllCBo+WQppeZcPkXaX9iPSr/N+oSuiYxYiSRsB3sGE1NbhyZH38KyykjhkWXQ+iyA8N5idMpAMQjcPN8eAA3gMwYAy7JJ3JshBqBi0VdRtMGj0pNHI1oG1MoYHI8n10OlxtONBeelwZDl/Xvx/HJyAOIfPlMe42Xyd6W6fBA+3kqqmgbGihFmpWelIXXf79vq6BGSXG7T/6/riWQlTNGV4t9Wk3d5fpS5g0jz0wEBBgUmJ4VvKBUacTMSiVfiSYxqboaG43AoLLNzQ+0tMZxtSzyy1F+tho+w5akwm9x2HioG4s76dDXCBbY/SNxKDiCxEmXzRcJ3JT+X3WcJsHMZIlBiyQq2R42ZU7RIQm5FTKsLTqQbHVYNHK1MDxmdlRcnC7QDYZJh7XUuwz7YxBw5iqgEhYbtPnFH7yHwhPjpNnnYJSXujXmMKrHvhuMtQ5ADizPZ3NXDSXwItZtwCCqs4+LWeDhQ1gLxH82i7I9NkjqcCnvTwcglVmDYzHpFQqBOV31xVHL1C+woejSs8YBXJ7Qp7Y9dj662EAktFx3N7tJXCotmkzBA72PMIm8OQzUnGfFkyIBiyV96TM8sYVPM7I1PNkqwHCtDfkAEktA+oaZx7KwBAwl+zGeBFGzKhtLzDIqjS8JhD9qRP74dsexJDlefyVR5DXk0pa9yi97JqYqRAePIa1TN773HB26OzdOyblg=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA2PR11MB5082.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 082759c4-5b22-4765-03c0-08d8ac242ccd
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Dec 2020 18:04:24.2143 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jDIs50tn9MamzGt5FNz9HDxNa08oa7+rRG7TAbbPEbkksvFL6+k5U+LI2Xs7qGfmhENCcDfcwU4YfD8l3UGeSg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR11MB2703
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: alln-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/0gLdm5h8yKd4n1_0wWAjXGCdxng>
Subject: Re: [spring] Benjamin Kaduk's Discuss on draft-ietf-spring-srv6-network-programming-26: (with DISCUSS and COMMENT)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Dec 2020 18:04:33 -0000

Ben,

Many thanks for your time to review the document and confirming the DISCUSS point is resolved now.
We'll post a rev28 adding the proposed text for your comment point below.

Thanks,
Pablo.

-----Original Message-----
From: Benjamin Kaduk <kaduk@mit.edu> 
Sent: martes, 29 de diciembre de 2020 0:29
To: Pablo Camarillo (pcamaril) <pcamaril@cisco.com>
Cc: The IESG <iesg@ietf.org>; draft-ietf-spring-srv6-network-programming@ietf.org; spring-chairs@ietf.org; spring@ietf.org; Bruno Decraene <bruno.decraene@orange.com>; Joel Halpern <jmh@joelhalpern.com>
Subject: Re: Benjamin Kaduk's Discuss on draft-ietf-spring-srv6-network-programming-26: (with DISCUSS and COMMENT)

Hi Pablo,

On Thu, Dec 10, 2020 at 06:01:58PM +0000, Pablo Camarillo (pcamaril) wrote:
> Hi Ben,
> 
> Many thanks for your time on this document.
> We’ve published rev27 of the document with the changes.  Details inline with [PC].
> https://tools.ietf.org/html/draft-ietf-spring-srv6-network-programming
> -27

Thanks for the updates; I've cleared my discuss in the datatracker.

I'll trim the resolved stuff and just reply on a couple remaining points inline...

> 
> -----Original Message-----
> From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
> Sent: miércoles, 9 de diciembre de 2020 18:05
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-spring-srv6-network-programming@ietf.org; 
> spring-chairs@ietf.org; spring@ietf.org; Bruno Decraene 
> <bruno.decraene@orange.com>; Joel Halpern <jmh@joelhalpern.com>; 
> jmh@joelhalpern.com
> Subject: Benjamin Kaduk's Discuss on 
> draft-ietf-spring-srv6-network-programming-26: (with DISCUSS and 
> COMMENT)
> 
> Section 4.16.1.2
> 
>    As a reminder, [RFC8754] defines in section 5 the SR Deployment Model
>    within the SR Domain [RFC8402].  Within this framework, the
>    Authentication Header (AH) is not used to secure the SRH as described
>    in Section 7.5 of [RFC8754].
> 
> (repeating from the previous thread as a placeholder) I think we need another sentence or clause here to clarify why this statement is relevant, e.g., "Thus, while the AH can detect changes to the IPv6 header chain, it will not be used in combination with the SRH, so use of PSP will not cause delivery failure due to AH validation checks."
> 
> [PC] What about this?
> <OLD>
> Within this framework, the Authentication Header (AH) is not used to secure the SRH as described in Section 7.5 of [RFC8754].
> </OLD>
> <PROPOSAL>
> Within this framework, the Authentication Header (AH) is not used to secure the SRH as described in Section 7.5 of [RFC8754]. Hence, the discussion of applicability of PSP along with AH usage is beyond the scope of this document.
> </PROPOSAL>

That seems okay, thanks.

> Section 9
> 
> There seem to be some security considerations relating to the use of PSP, in that the egress node loses visibility into which policy was used for a given packet, so all packets from all policies that egress via that SID are in the same anonymity (and policy!) set.  In particular, even if an HMAC TLV was present in the SRH, it is not available and cannot be validated.  I recognize that the headend (or whatever entity is assigning SR policy) should know when such validation would be intended to occur and not assign a policy incompatible with it, but there are still new considerations in the sense that the headend needs to be aware of these considerations.
> 
> [PC] As part of the comments from Alvaro we added this text which I believe covers that point:
> “The headend policy definition should be consistent with the specific
>    behavior used and any local configuration”
> 
> (repeating as a placeholder from the previous thread) I think we should also say that in the absence of the HMAC TLV, valid FUNC and ARG values on any given node may be guessable and spoofable, along with the standard disclaimer that risks are minimal since all nodes in the SR domain are assumed to be trusted.  This is distinct from the already-extant ability to spoof a SID in that the underlying structure in the SID may allow the attacker to induce behavior that was never intended to be a SID, for example if the implementation logically separates FUNC and ARG processing and the attacker makes a combination that was never advertised.
> 
> [PC] I believe you are making an implementation assumption on how SIDs are matched at a node. As a reminder RFC8754 states that “When an SRv6-capable node receives an IPv6 packet, it performs a longest-prefix-match lookup on the packet's destination address.”. Thus, the ability to spoof a particular FUNCT is the same as the ability to spoof any other IP address on the node. In the context of SRv6, this is mitigated by using the SR Domain as described in RFC8754 and -in particular Section 7.2-.

I'm definitely making implementation assumptions, yes.  It is possible to implement it in a way that does not suffer the potential issue, though there is a perhaps-tempting way to implement it that does suffer from the issue.

In particular, I'm less concerned about spoofing FUNCT (as you note, it's similar to spoofing other things, including other SIDs) than about spoofing ARG.  The ability to encode semantic information (even when the semantics are only known to the one node) in a part of the IP address in this manner seems like a fairly novel construction, and I was hoping to emphasize that care should be taken when implementing the parser.

Thanks,

Ben

v2.23.0 | Report a Bug | By Email