Re: [spring] Secdir last call review of draft-ietf-spring-srv6-network-programming-17

"Pablo Camarillo (pcamaril)" <pcamaril@cisco.com> Mon, 14 September 2020 14:41 UTC

Return-Path: <pcamaril@cisco.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34E903A0AAA; Mon, 14 Sep 2020 07:41:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.619
X-Spam-Level:
X-Spam-Status: No, score=-9.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=LzJdur+6; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=xYOJaNFv
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5Ewem2l3-nT; Mon, 14 Sep 2020 07:41:45 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B4BF3A0AC6; Mon, 14 Sep 2020 07:41:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=30980; q=dns/txt; s=iport; t=1600094504; x=1601304104; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=h0M496FFPt9taClXMMxEPVRGvbtRBTElKCsROa8Ko5Q=; b=LzJdur+6KjzVxK5PyK2OMwUpYbbdqV0P4MTXf3+NGwAfKjn8w+qqVhM/ Vm6Ztu7e2RNS9ejd/bHBRCxi5ZZ33FOZuiQ1iAYdDFYjOdNSyM78Pk7SM +ZOMYUfiJxlcLmvrIjy+xW9jqXaEBVmAQeMmE3xwOFmfOTZlQKK1Od5Nd k=;
X-IPAS-Result: =?us-ascii?q?A0CrAAACgF9f/5RdJa1gHQEBAQEJARIBBQUBgXwHAQsBg?= =?us-ascii?q?SIvIy4HcFkvLAqEL4NGA41uigyOZoEugSUDVQsBAQENAQEtAgQBAYRLAheCE?= =?us-ascii?q?AIkNQgOAgMBAQEDAgMBAQEBBQEBAQIBBgRthVwMhXIBAQEBAxIRChMBATcBC?= =?us-ascii?q?wQCAQgOAwEDAQEoAwICAh8RFAMGCAIEDgUIGoMFgX5NAy4BqmUCgTmIYXaBM?= =?us-ascii?q?oMBAQEFhS8NC4IQCYE4AYJwg2mGUhuBQT+BVIIYNT6CGoFbSgUHKIJhM4Iti?= =?us-ascii?q?0yEFiALgxqGcItyj3k3UQqCZZRPaQSFIoMJiXWTbqAbkiYCBAIEBQIOAQEFg?= =?us-ascii?q?VYDNYFXcBUaIYJpUBcCDY4fDBeDTopWdDcCBgEJAQEDCXyNH4EkATBgAQE?=
IronPort-PHdr: =?us-ascii?q?9a23=3APqbO3h1rJX8nk4m1smDT+zVfbzU7u7jyIg8e44?= =?us-ascii?q?YmjLQLaKm44pD+JxWGuadiiVbIWcPQ7PcXw+bVsqW1X2sG7N7BtX0Za5VDWl?= =?us-ascii?q?cDjtlehA0vBsOJSCiZZP7nZiA3BoJOAVli+XzoPk1cGcK4bFrX8TW+6DcIEU?= =?us-ascii?q?D5Mgx4bu3+Bo/ViZGx0Oa/s53eaglFnnyze7R3eR63tg7W8MIRhNhv?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.76,426,1592870400"; d="scan'208,217";a="533128377"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 14 Sep 2020 14:41:43 +0000
Received: from XCH-RCD-002.cisco.com (xch-rcd-002.cisco.com [173.37.102.12]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 08EEfhOA002753 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 14 Sep 2020 14:41:43 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-RCD-002.cisco.com (173.37.102.12) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 14 Sep 2020 09:41:43 -0500
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 14 Sep 2020 09:41:42 -0500
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 14 Sep 2020 09:41:42 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=A6V/cMml9+waIgl0LGF4Ijf2CelieLYwa7Ly4Gm/pAb4scRW6Ers/ssgr012sfK8E/5h2AEyJK/5ZI8wqS23MPGdSYUWj7+tJboTGquUTYu70sEJW3IA6d982Q2nnaxYXobtvBx2M5kWF8BKZfoWtP2QsrkAh3U3WlimaLiNzztTlWh7Q9lbJ569/o8LLKugw61yqS9DRnUZ4llQxm9tVAnZB+BBD7r87H+CZ79F0CXOaHeBekC7RG0uEYgBJy0lhH74uC9ZZ1TUwbXJFOFzmilovZkQpeEJIcP3RSFHnxjJCkCAmDZVCCNTPNUeAZeyHRLY/FIxkfLiOicmJthlLw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=h0M496FFPt9taClXMMxEPVRGvbtRBTElKCsROa8Ko5Q=; b=Xed/jYCiHVp26DhQVfBh/riH9110gT6XFiYn1+Ob9iCrO2H+Bta4CHs2/AP+8TkgFCPF3wCi86HIppH3BGO99R5ekVw3HYhhkozWnaWdrlxld/iibObQzEDAZ7yViKJHTTnZs4uyNR9WRJ946npNpoRxF2nC5jl+dnBwubCzckXfsjRkrY/LP3MQnqrXzTJN4XAbkDw5nhp/HDd42rN0/jbiPNlqpW5VQx19BNcyGihPTBVVOjl06tIy7rzCvJQH0Zr3JNBge8ag+rWerDHE0kXe50vI1rAClDmKEjG0vRKofC+M2VSJn73ZQbDuQO8iMiYguxfD+fxwalPgu+R4Tg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=h0M496FFPt9taClXMMxEPVRGvbtRBTElKCsROa8Ko5Q=; b=xYOJaNFvj0TmSdGEKKa/x6cLrUcr02cDe5SN/+p9OHABm0cjA0SDzt8XsxsZtM0RK22BF8wr9G9uUDtL9uziKrsKyn6TmeAMOdqfo8vYmhoOPAvtbLvKXkiCXZ/lnmJ/gW+kIDr7gEJ9HHFsthtUzoIawFCMSlZGEc2Hd3dIIos=
Received: from MWHPR11MB1374.namprd11.prod.outlook.com (2603:10b6:300:24::8) by MWHPR11MB1375.namprd11.prod.outlook.com (2603:10b6:300:23::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.17; Mon, 14 Sep 2020 14:41:41 +0000
Received: from MWHPR11MB1374.namprd11.prod.outlook.com ([fe80::91c6:cab8:6b42:58ca]) by MWHPR11MB1374.namprd11.prod.outlook.com ([fe80::91c6:cab8:6b42:58ca%3]) with mapi id 15.20.3370.019; Mon, 14 Sep 2020 14:41:41 +0000
From: "Pablo Camarillo (pcamaril)" <pcamaril@cisco.com>
To: Brian Weis <bew.stds@gmail.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-spring-srv6-network-programming.all@ietf.org" <draft-ietf-spring-srv6-network-programming.all@ietf.org>, "spring@ietf.org" <spring@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-spring-srv6-network-programming-17
Thread-Index: AQHWfCAs7si/IaQjAUGLemDRAKxyiKlTzVOQgAVi8ACADx4iMA==
Date: Mon, 14 Sep 2020 14:41:41 +0000
Message-ID: <MWHPR11MB137477559AF7955E2EC6FB31C9230@MWHPR11MB1374.namprd11.prod.outlook.com>
References: <159849805983.7699.460089427690333419@ietfa.amsl.com> <MWHPR11MB1374FC1CD4ED7439FB5ABFB3C92E0@MWHPR11MB1374.namprd11.prod.outlook.com> <38FBDE44-D2F4-44AD-BFF4-FBE9B6FC42DE@gmail.com>
In-Reply-To: <38FBDE44-D2F4-44AD-BFF4-FBE9B6FC42DE@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.220.53]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5a405a15-3786-4b8d-c940-08d858bc4b93
x-ms-traffictypediagnostic: MWHPR11MB1375:
x-microsoft-antispam-prvs: <MWHPR11MB13753A3C60B076CC88093D57C9230@MWHPR11MB1375.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: zUFq3H0HaRSL1dCgtPim9vBZcpbLNPxAG/Cglaad4iyuijSGlkkTMHxlVYnicSysufx2z4SWyYrA4FVQQsDI+CKof7UNILYALF1DNC9HLLkAM1+d/cPG7znrymPziXBH2bolIx86TIPsmR3iNqSF0A/5CM08aOGUiI9V/lATtEuy70WwJ/o9PWAzxqDU2Wjt4nM5ZDrR04MWQyjmL7FKqML1UK6ub03jbfqDGJYZ75sqMWiM3CnY6FsFcFvGfj/LBAsis6tFAanNn1GvF79l0RV7uOK+4949uITW9jSOzZSL4+oAWH/IGOLjjonSDhd9unjTbmxhGTynmoSHv78kpw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR11MB1374.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(376002)(346002)(39860400002)(396003)(136003)(54906003)(26005)(76116006)(66946007)(478600001)(66476007)(8936002)(9686003)(5660300002)(316002)(4326008)(64756008)(66556008)(66446008)(55016002)(86362001)(6916009)(186003)(7696005)(33656002)(71200400001)(2906002)(8676002)(53546011)(6506007)(52536014)(83380400001)(66574015); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: QRc/jaR91gJaujhIpHepMC0IXV9bwk7Yg7bnfqrVGOovNVxMZYd8Ciy3NkH0kp1UGzbItoDOOWqoGflDKPOq9zOkiMjfquqSvefAk3HUN64kEYa5OZ6yU6OyDILRLW6tWwJX35nplCVhQJIsIPb3XxSQcdD6ifA6uWvUaIcna6cPr0RNxFU0Q7A7QiEDw5WapP7jVrC425AnPeazP1RNY5XKbfiJ4hqM/c/60Ip8K20b/ahFxsor6IyqlyZP2Wp7glMDpsq3vjeNHJLsKBRzncrWMrHffDb+BmTWrreROTmfLmqjvw8IUooMQ37M06waL2IhvRMJgbs4dNe/yQFrg1e0RP1DitHcW2wzq7DKOPFxQWmfjvvVkuuip5s61oNK3byOUZFVpMtam/Wz96NEg8lTusy+2MQUAetEjLSDawD3TPjFrm4pS5rxfdV8n5DcFwAQXrR1ajmiaVddj4RGf2QKbejESiybCPYY74fNmMi0W6M2xlMnHJs6o1QPiIvOpcLcpG0dPH1Scjl6D5mQ/PrjIO/aeGvNvRtL08UvLWMKHHx1ntjSXJFRpkXoCr7kWrHsJfZNdYXqxru5KkKL3GfdSPikfIsL8zJB2ukHprs/dmqzaivTCixNvjKC9jkHLPAwu3GfdPGMwhhBTHfz4Q==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MWHPR11MB137477559AF7955E2EC6FB31C9230MWHPR11MB1374namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR11MB1374.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5a405a15-3786-4b8d-c940-08d858bc4b93
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Sep 2020 14:41:41.7188 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MK6uM5w764IfN5dIJpxJdbPAxdwA9vH0ZM2oYfcEZyxkPC4v4rkblc7A5+MgbSOi4LzzNFEaYBRHzsWwPWxFUg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1375
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.12, xch-rcd-002.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/8v_so_39wL3B6qvpLE6BmTza7SA>
Subject: Re: [spring] Secdir last call review of draft-ietf-spring-srv6-network-programming-17
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2020 14:41:48 -0000

Hi Brian,

Inline.

Many thanks!

From: Brian Weis <bew.stds@gmail.com>
Sent: sábado, 5 de septiembre de 2020 1:37
To: Pablo Camarillo (pcamaril) <pcamaril@cisco.com>
Cc: secdir@ietf.org; draft-ietf-spring-srv6-network-programming.all@ietf.org; spring@ietf.org; last-call@ietf.org
Subject: Re: Secdir last call review of draft-ietf-spring-srv6-network-programming-17

Hi Pablo,


On Sep 1, 2020, at 8:37 AM, Pablo Camarillo (pcamaril) <pcamaril@cisco.com<mailto:pcamaril@cisco.com>> wrote:

Hi Brian,

Many thanks for the time you took to do a thorough review, please see inline below with [PC].

Cheers,
Pablo.

-----Original Message-----
From: Brian Weis via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>>
Sent: jueves, 27 de agosto de 2020 5:14
To: secdir@ietf.org<mailto:secdir@ietf.org>
Cc: draft-ietf-spring-srv6-network-programming.all@ietf.org<mailto:draft-ietf-spring-srv6-network-programming.all@ietf.org>; spring@ietf.org<mailto:spring@ietf.org>; last-call@ietf.org<mailto:last-call@ietf.org>
Subject: Secdir last call review of draft-ietf-spring-srv6-network-programming-17

Reviewer: Brian Weis
Review result: Has Nits

This document is titled “SRv6 Network Programming”, which is attention grabbing. It fleshes out how Segment Routing routes IPv6 packets by Segment ID (SID), as well as defining the format of a SID for IPv6. The Introduction states, “An ingress node steers a packet through an ordered list of instructions, called segments.” When one considers this statement along with the document title, it’s apparent that network devices are indeed being given “instructions” in the programming sense, where each “instruction” is encoded in an IPv6 address.

An “instruction” (i.e., SRv6 SID) comprises a locator (which is used to route to a particular network device), and also directs the network device acting as the locator how to process the IPv6 packet. With the help of an IPv6 Segment Routing Header (SRH) header, a series of “instructions” can source route a packet through the network, where each network device acting as a locator learns how to handle the packet before possibly sending it on to the next SID (if any).

The encoding of an IPv6 address as an SRv6 SID includes a locator, a code indicating a certain function, and optionally arguments to that function. An initial set of codes (and their associated algorithms) is defined in this document. Most of the codes describe how the egress router should decapsulate the packet, with might include defining  which routing table the receiving router should look up after decapsulation.

The Security Considerations section points to the Security Considerations of the architecture document and the SRH document. Both documents focus on the fact that SRv6 is intended to be used within a single domain (e.g., provider
network) and discuss routing mitigations such as filtering external traffic appropriately. They seem to assume that the boundaries of the domain itself are inviolate such that the domain boundary devices are not subverted, and that there are no bad actors within the domain. These are common assumptions for service provider networks where Segment Routing is intended to be deployed.

However, it cannot be certain that all networks deploying Service Routing to be free of bad actors, and there will certainly be some benefit to a bad actor changing “instructions” encoded in IPv6 addresses. Perhaps there is opportunity for mischief in changing the routing table argument in an End.DT46, for example. Also, as other SRv6 functions are defined (e.g., packet inspection functions), it would be important to ensure that those SIDs are not modified to avoid or decrease the quality of those inspection functions.

[PC] Indeed, the assumption that a domain is free of bad actors is a common assumption for networks where SRv6 is intended to be deployed. The security section of RFC8754 does talk about these bad actor attacks (7.1) on such networks, and other types of attacks they can launch.

The SRH document does describe an HMAC TLV that is intended to mitigate these kinds of attacks. Since neither of the referenced documents Security Considerations mention it, it would be a good idea to describe here that there are threats to changing SIDs, and point out how to mitigate them with the HMAC TLV.

[PC] The HMAC TLV allows a segment endpoint node to "verify that the SRH applied to a packet was selected by an authorized party and to ensure that the segment list is not modified after generation."  We could call this out specifically in the security section.
<OLD>
Together, they describe the required security mechanisms
  that allow establishment of an SR domain of trust to operate
  SRv6-based services for internal traffic while preventing any
  external traffic from accessing or exploiting the SRv6-based
  services.
</OLD>
<NEW>
Together, they describe the required security mechanisms
  that allow establishment of an SR domain of trust to operate
  SRv6-based services for internal traffic while preventing any
  external traffic from accessing or exploiting the SRv6-based
  services. Additionally, RFC8754 defines an HMAC TLV permitting nodes in the SR domain to verify that the SRH applied to a packet was selected by an authorized party and to ensure that the segment list is not modified after generation, providing further protection against bad actors within the SR domain.
</NEW>

The new wording sounds good to me, thanks.


Also, if I’m not mistaken, when there is just one SID then it is placed in the
IPv6 DA and there is no SRH header or HMAC TLV.

[PC] The SRH MAY be included when there is just one SID if flags or TLVs are required (RFC8754 section 4.1 paragraph 1) so the HMAC TLV may be used in this case.

This might be good to point out too. How about putting it in context of this section something like this: “When modification detection is deemed important, an SRH header with an HMAC TLV SHOULD be included even when just one SID is required. This ensures that the SID is protected just as when the SRH is used to carry multiple SIDs.”. I recognize this is adding a new normative requirement, but it is dependent on the first clause being true so might not be so objectionable.
[PC2] I would propose the following diff that combines the previously agreed text and this new point.
<OLD>
Together, they describe the required security mechanisms
  that allow establishment of an SR domain of trust to operate
  SRv6-based services for internal traffic while preventing any
  external traffic from accessing or exploiting the SRv6-based
  services.
</OLD>
<NEW>
Together, they describe the required security mechanisms
  that allow establishment of an SR domain of trust to operate
  SRv6-based services for internal traffic while preventing any
  external traffic from accessing or exploiting the SRv6-based
  services.

Additionally, RFC8754 defines an HMAC TLV permitting nodes in the
SR domain to verify that the SRH applied to a packet was selected
by an authorized party and to ensure that the segment list is not modified
after generation, regardless of the number of segments in the segment list.
This provides further protection against bad actors within the
SR domain.
</NEW>

Thanks,
Brian



This is a general problem with ensuring that the DA on packets are not changed in transit, and one could use IPsec to mitigate that issue. It’s probably worthwhile mentioning something like that.