Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Nick Buraglio <buraglio@es.net> Fri, 07 October 2022 16:41 UTC

References: <CAFU7BARixwPZTrNQOuEw3WP-FqUsVwTj7btMTahcMbXm_NqWGw@mail.gmail.com> <CAB75xn4+N31=ggO03AAQJANv7RgHaC1eNGXRUQ9B20rLK+nJyg@mail.gmail.com> <E77D8982-11E9-45F9-81BF-3CA1E1F6B745@gmail.com> <CAB75xn4Zme4KOjPuY1_-4jCKTk1jshbq8X645zXhYQLiKB+N9g@mail.gmail.com> <54A38015-95AD-41F0-8E9D-76B3E62AA55B@gmail.com> <bdd7bf12-f712-3fe5-2698-9272c16ddded@joelhalpern.com> <CAM5+tA9cAybjVHFTDEAWLLq7FcKhTGzTuBDbFyfv19ARVyXEoA@mail.gmail.com> <Y0A8azCcoHMH6Nas@dwc-desktop.local>
In-Reply-To: <Y0A8azCcoHMH6Nas@dwc-desktop.local>
Reply-To: buraglio@es.net
From: Nick Buraglio <buraglio@es.net>
Date: Fri, 07 Oct 2022 11:40:38 -0500
Message-ID: <CAM5+tA9yY0P6rNbJYS9giV5cGE8VRnukOaESoSr579UAbOiozQ@mail.gmail.com>
To: "Dale W. Carder" <dwcarder@es.net>
Cc: Joel Halpern <jmh@joelhalpern.com>, 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>, Suresh Krishnan <suresh.krishnan@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/11VN-8fqWgnLFYDjxDxZ5lMA_0w>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>

On Fri, Oct 7, 2022 at 9:49 AM Dale W. Carder <dwcarder@es.net> wrote:

> Thus spake Nick Buraglio (buraglio@es.net) on Fri, Oct 07, 2022 at
> 06:20:12AM -0500:
> > On Thu, Oct 6, 2022 at 10:15 PM Joel Halpern <jmh@joelhalpern.com> wrote:
> >
> > > I wonder if we could / should add a sentence or two related to the
> > > address block noting that if an operator chooses to use other address
> > > blocks for the SRv6 SIDs then they need to be extra careful about
> > > configuring their edge filters to prevent leaks inwards or outwards?
> > >
> >
> > This is a large concern I have heard within the operational community
> > and I believe it should be noted as a best operational practice.
>
> Is draft-li-spring-srv6-security-consideration still being worked on?
> (I have not been able to keep up to date w/ spring) That may be a more
> comprehensive document to reference.
>
Section 4.2 of draft-li-spring-srv6-security-consideration lightly touches
on the filtering at the edges of an SR domain. It's seemingly still in
active status. Looking around through different docs again, RFC 8754 has
some relevant text, and specifically section 8.2 (SRv6 section) of
RFC 8402:

    SR domain boundary routers MUST filter any external traffic destined to
    an address within the SRGB of the trusted domain or the SRLB of the
    specific boundary router.  External traffic is any traffic received
    from an interface connected to a node outside the domain of trust.

could perhaps be a useful reference.


> Dale
>
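The boundary filter that the quoted RFC 8402 text and Joel's comment describe, written out as an added example that is not part of this thread or of any of the cited drafts: a Python check over raw IPv6 bytes that drops a packet crossing an external-facing interface when its destination address, or any segment carried in a Segment Routing Header, falls inside the operator's SID block. It goes one step beyond the quoted sentence by also looking into the SRH segment list, since a SID that arrives there rather than in the destination field leaks into the domain just as well. The SID block 2001:db8:5f00::/40, the sample packets and the function names (parse_ipv6, boundary_filter, build_packet) are constructed for the example; a deployment would express the same rule as an interface ACL on the boundary router, in both directions.

```python
"""SRv6 SID-block boundary filter (added example, not from the draft or thread)."""
import ipaddress
import struct

# Constructed value: the prefix this operator set aside for SRv6 SIDs.
# Per the thread, an operator-chosen block is exactly the case that needs
# careful edge filtering, inwards and outwards.
SID_BLOCK = ipaddress.IPv6Network("2001:db8:5f00::/40")

IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_NONE, NH_DSTOPTS = 0, 43, 59, 60
SRH_ROUTING_TYPE = 4  # Segment Routing Header, RFC 8754


def parse_ipv6(raw):
    """Return (src, dst, srh_segments); raise ValueError on a malformed packet.

    Walks Hop-by-Hop, Destination Options and Routing extension headers and
    collects the segment list of an SRH (routing type 4) if one is present.
    Anything truncated or inconsistent is rejected rather than guessed at.
    """
    if len(raw) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, nh, _hop_limit = struct.unpack("!IHBB", raw[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(raw[8:24])
    dst = ipaddress.IPv6Address(raw[24:40])
    if len(raw) < IPV6_HDR_LEN + payload_len:
        raise ValueError("payload shorter than Payload Length")
    segments = []
    off = IPV6_HDR_LEN
    while nh in (NH_HOPOPTS, NH_DSTOPTS, NH_ROUTING):
        if off + 2 > len(raw):
            raise ValueError("truncated extension header")
        next_nh, ext_len = raw[off], raw[off + 1]
        hdr_len = (ext_len + 1) * 8  # Hdr Ext Len excludes the first 8 octets
        if off + hdr_len > len(raw):
            raise ValueError("extension header runs past end of packet")
        if nh == NH_ROUTING and raw[off + 2] == SRH_ROUTING_TYPE:
            last_entry = raw[off + 4]
            n_segments = last_entry + 1
            if 8 + 16 * n_segments > hdr_len:
                raise ValueError("SRH Last Entry exceeds header length")
            for i in range(n_segments):
                start = off + 8 + 16 * i
                segments.append(ipaddress.IPv6Address(raw[start:start + 16]))
        nh, off = next_nh, off + hdr_len
    return src, dst, segments


def boundary_filter(raw, direction):
    """Verdict for one packet on an external-facing interface.

    direction is "in" (received from a node outside the domain of trust) or
    "out" (about to be sent to one). Returns ("accept" | "drop", reason).
    Malformed packets are dropped: a filter that cannot parse the SRH must
    not let the packet through on the assumption that it is harmless.
    """
    try:
        _src, dst, segments = parse_ipv6(raw)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if dst in SID_BLOCK:
        return "drop", f"{direction}: destination {dst} is inside the SID block"
    leaked = [s for s in segments if s in SID_BLOCK]
    if leaked:
        return "drop", f"{direction}: SRH carries SID-block segment {leaked[0]}"
    return "accept", "no SID-block address in destination or SRH"


def build_packet(src, dst, segments=None, payload=b"\x00" * 8):
    """Constructed test packet: IPv6 header, optional SRH, then payload (NH 59)."""
    ext, nh = b"", NH_NONE
    if segments:
        packed = [ipaddress.IPv6Address(s).packed for s in segments]
        ext_len = 2 * len(packed)  # each 16-byte segment is two 8-octet units
        # Next Header, Hdr Ext Len, Routing Type, Segments Left, Last Entry, Flags, Tag
        ext = struct.pack("!BBBBBBH", NH_NONE, ext_len, SRH_ROUTING_TYPE,
                          len(packed) - 1, len(packed) - 1, 0, 0) + b"".join(packed)
        nh = NH_ROUTING
    hdr = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), nh, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + ext + payload


if __name__ == "__main__":
    srh_pkt = build_packet("2001:db8:2::1", "2001:db8:1::1",
                           ["2001:db8:5f00:2::1", "2001:db8:1::1"])
    cases = {
        "transit to an external host": (build_packet("2001:db8:1::1", "2001:db8:2::1"), "out"),
        "external packet aimed at a SID": (build_packet("2001:db8:2::1", "2001:db8:5f00:1::1"), "in"),
        "internal packet leaking a SID outward": (build_packet("2001:db8:1::1", "2001:db8:5f00:1::1"), "out"),
        "external packet smuggling SIDs in an SRH": (srh_pkt, "in"),
        "SRH cut off after its fixed part": (srh_pkt[:48], "in"),
    }
    for name, (pkt, direction) in cases.items():
        print(f"{name:42s} -> {boundary_filter(pkt, direction)}")
```

The same test is applied in both directions on purpose: inbound it keeps outsiders from steering packets onto internal SIDs, outbound it keeps SID-block destinations and SRHs (which reveal internal topology) from escaping the domain. An ACL that only matches the destination field misses the SRH case, which is why the parser walks the extension headers before deciding.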