IETF Logo Mail Archive

[spring] Re: draft-ietf-spring-srv6-security-11 early Opsdir review

Tal Mizrahi <tal.mizrahi.phd@gmail.com> Thu, 02 April 2026 10:26 UTC

Return-Path: <tal.mizrahi.phd@gmail.com>
X-Original-To: spring@mail2.ietf.org
Delivered-To: spring@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 81E75D56EE0E for <spring@mail2.ietf.org>; Thu, 2 Apr 2026 03:26:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775125612; bh=He93zUkozMHoqzZ82Lv0Vbw38jmaGG+DJLlfpBuhpUM=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=GFJxZNsswbGxsMWjVhgyCXmWmwtFeXdjdNAs6K5GCnIzWMwskE5H9tyZHaV8pllGp HQ0ZGiCp6G8guIhwsfbdNxM7odKLhZyNkQTMJDlv1Xi5F6zZtPwQ70qIOdPaz9VpUo 3kw+F+NxIDV4S3n4ikqsYJ/JFTUVncXzW8oLqUKQ=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nFSANMJwH1dF for <spring@mail2.ietf.org>; Thu, 2 Apr 2026 03:26:50 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B42C5D56EDF3 for <spring@ietf.org>; Thu, 2 Apr 2026 03:26:50 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id a640c23a62f3a-b982b0889d8so92861466b.2 for <spring@ietf.org>; Thu, 02 Apr 2026 03:26:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1775125610; cv=none; d=google.com; s=arc-20240605; b=aiGTFkK9fX5BkB0Dwud7vwPuUzAj355r7AjFp6fuk3oQkweG2TFGNB1/mLA/BJbRLY KjKiZscyoyrMi3sdFgTdOX06bjZKGFa4xcxPCfCgpIwXhtCSyOaKxTwROhA8hIucDT+g Lvt6EfbuNNCOI88+GLjkXzqXc0gvhYEkaT6ubefg6RDmya8WwWV6mH6BP9SKW6+PmzQH DdoU0H5RpQwb+93oWE6HG2lU5ItoQa1v9QaYNJ2pvuM2sR/Ne2+HTjtPW84Qq9VVcv7X ut0Q7KdJ83II3VuytpQSNvTQMa56V9km55iFk9523dxYLgNUiAGLUk+uyoFWoCakt8CP 5UwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=OxtJa3hn59jzB3lxsPa/p1u1oP1Jh/0NjwA4Qf2tirE=; fh=I20KeK1QP9Lr+2G7AcZ9B0/5cfVqWkBbn6iY00H8hgA=; b=Xu5rnovLZZXEp/vrBW3/UBQEqHEfhNsTdhFv3qwLOH7x51Mb0YL4Jm6h2jGIpdtyDi VmMCWMh5tJmfZ3nVWmMoiCISy9n5AjFF1FqzXkIiadKIbWSCGlGt0lptVmpmlt0/b17K gajO6fOxt2kIXz9tRk2PgQ0okFeRDKr9sESKoF+JkXRuaDcSL1PKbC8kQWSkjCdFEL7Q st0ce3Iw3nT3U7iaBLqcmBM68JOfiuznFHe0Zn4mVOkcui3kfRB1PIX793PQYWCrdm0I Zw6BOGLKsJ90TUqpHRj27IwIMZeWZFAGbTs55rY1WuE1PSHm/Xxt5pcswbWEYg4fnPZz Ksbg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775125610; x=1775730410; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=OxtJa3hn59jzB3lxsPa/p1u1oP1Jh/0NjwA4Qf2tirE=; b=RYmwuEaftZxQdoYfEecXC79XDeLumyMKDxsJ1xrPj1njjecopIcH/5YTB6xpX+MrWm FdmKLfRP4ZGRX786b0TlMzOcf2Sovsq651javDjuk8BJBAxTd/tYe53jeAjNOnXjQSxR VQ6DZlhH2kWVTuVYAEgrLm8UUn+fq91xwwKd+HCF3nzuIcG6rRu6extgHde2pl+a8itC R8N/SjCYzvkGSIGcOP8pm14FiGZJ3Kc34fBsw43kgPQiSACDjh2Ta/r80vgx3aSBJXbh 77+AfWS78Sv8ur/z3G7xVSYDBBrFMzcP4PyJd3gPFzpNbDnetwcz9bW77adNCGGnsiVG t1Jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775125610; x=1775730410; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=OxtJa3hn59jzB3lxsPa/p1u1oP1Jh/0NjwA4Qf2tirE=; b=H1/E4zvM0Q/Kuoe1mJgJ2RV1r1m9IBh8rbQSq8f0DnFM+WDNpZ2eW8AQ6a2dnqMN2l DwseTB5w/n855FtM9vmBzyOn/7H+BDTACKs8rOTkfYGpxrndLFuBUGEPgN4VsYpKPa5t D+aHa6omnR6ZErR7gT2fo1Ck7DeaIwojkcc6M+U31n+kufjKYGbBgaKHVHmB47B+0ZnZ KRV+U4xfBBvRSVhsJgBKoE7L18x8UKb5lVs4IF1PPJkFgvBvv8HuxJTCjQ2eKQUAYgpE DWvg6MRNhthxrTacYWnU8jOA+HGkASJrGlLRYFl16sPh8Q68bxdVep0Z1yrs7PPoHy9l pbPQ==
X-Forwarded-Encrypted: i=1; AJvYcCWMrSu6ueYO2xmSWP09KiqPNusTfMSu2+9qdL7sEzqJidxrr/fX2q80uzf+3C/uxjdeLodr0Qc=@ietf.org
X-Gm-Message-State: AOJu0Yw6t1/pr88bDfSySaprnwn8d0VJmzm6GLY4l6YyhbEP7Wd8Wsjw eke8ZMpz6RBkSR7sWSBvJPBE8BaoDjwCq1cKVxsWkOQR0GvVM/n3mdpeBpLL3dfWIeXH5t2Wsql 2u7mjok03rICHSOTbJ2M9wQ6nkiiSu5s=
X-Gm-Gg: ATEYQzyJ/xMwihff0AbqTtQs0/HJ4U64IYbuj+N7s4EsgUMRSAlEBQ973fHGt/Pjo61 pJz7P3yQOe+QZLtprpBPqVUtrvpp2YU5i8me9fCjOT3TLUg7ejUC6wJ1/UqMClmLBBqNL9zDJkK 44+qoxnINC9koBYiYl9jTfEthK9fckLLvmQ8R03rYLIMLy431QjOcyXD7FE+3CQbg1c/6kJU0c+ UkhGMBVKIfVDlBbwg/x1MefCAil+W+mzyrEb4hmkIjL6ujDuc7HeVkGhMYny6g6YiQ5WF0CU9q3 lQVmlltC7VoGXdqMQTT3psOPOj3F6yJ9MNJEfdEMcCysjmMTLjr0JhKS4P07TTS9iu1iIeApBsZ I1io3Yqo=
X-Received: by 2002:a17:907:c789:b0:b97:c719:14d4 with SMTP id a640c23a62f3a-b9c13b3ce4bmr433973366b.29.1775125609432; Thu, 02 Apr 2026 03:26:49 -0700 (PDT)
MIME-Version: 1.0
References: <177195214360.2334629.133943892944994060@dt-datatracker-6ff7c68975-7k42g> <CABUE3X=s8UhZ6cFgijYPcf+fcLQCsyEipj5Ey24wiBrk3Qh-gA@mail.gmail.com> <CAA7e52roeZ9rvNyrb7+0W8k-Jzg161Kh5JF+AnUvyu==puFpxA@mail.gmail.com>
In-Reply-To: <CAA7e52roeZ9rvNyrb7+0W8k-Jzg161Kh5JF+AnUvyu==puFpxA@mail.gmail.com>
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Thu, 02 Apr 2026 13:26:38 +0300
X-Gm-Features: AQROBzAIByqv7vvc4Zmoi71VJw2ljFRMPgKVFxhK-Ank9VjCoaZN6BjBGsa9tQk
Message-ID: <CABUE3XmyA8R7x9UJ4=D+=dekKzZR=W_+DNnXu2o7Dp6UxxFGeg@mail.gmail.com>
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: R7M5UWKXFZBPLTTNW6KZGOQ7PK3LCFD4
X-Message-ID-Hash: R7M5UWKXFZBPLTTNW6KZGOQ7PK3LCFD4
X-MailFrom: tal.mizrahi.phd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spring.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: ops-dir@ietf.org, draft-ietf-spring-srv6-security.all@ietf.org, spring@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [spring] Re: draft-ietf-spring-srv6-security-11 early Opsdir review
List-Id: "Source Packet Routing in NetworkinG (SPRING)" <spring.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/AHvuYk3aGniLuoifP99Rn3Cia8g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Owner: <mailto:spring-owner@ietf.org>
List-Post: <mailto:spring@ietf.org>
List-Subscribe: <mailto:spring-join@ietf.org>
List-Unsubscribe: <mailto:spring-leave@ietf.org>

Hi Jean-Michel,

Thanks for reviewing the updated version.
Please see my responses below, marked [[TM]].

On Wed, Apr 1, 2026 at 6:25 PM Jean-Michel Combes
<jeanmichel.combes@gmail.com> wrote:

[snip]

>> > <JMC>
>> > <Major issue>
>> > “Therefore,”: without definition of “trusted domain” (cf. above), I must admit
>> > it is hard for me to have such a conclusion. </Major issue> </JMC>
>>
>> [TM] Based on this comment and other comments from directorate
>> reviewers we have significantly revised the text about "SR domain" and
>> "trusted domain" in Section 4 (Threat Terminology). While the current
>> document is not intended to redefine these terms, we believe that the
>> current version is clearer about the meaning of these terms based on
>> RFC 8402.
>
>
> <JMC2>
> Sorry, but the new text doesn't clarify the "trusted domain" term for me.
> Option #1: a SR domain, where filtering policy at the domain boundaries - as defined in the document, is applied and so, is considered as a "trusted domain" => a SR domain where there is no/partial filtering policy at the domain boundaries is not considered as a "trusted domain"
> Option #2: the filtering policy at the domain boundaries - as defined in the document, is only an additional security feature for a "trusted domain" and so, there is/are security assumption(s)/feature(s) a SR domain MUST have to become a "trusted domain"
> Option #1 or Option #2?
> If Option #2, what is/are the security assumption(s)/feature(s)?
> </JMC2>

[[TM]] Please note that the text in version 13 says: "...the term
trusted domain denotes an SR domain for which the boundary-filtering
assumption of [RFC8402] is in force."
Thus, from the two options you suggested, Option #1 can clearly be
understood from this sentence.
In my opinion the text is clear about this point.


[snip]

>> > 7.1.2.  SRH Filtering
>> >
>> >    Filtering can be performed based on the presence of an SRH.  More
>> >    generally, [RFC9288] provides recommendations on the filtering of
>> >    IPv6 packets containing IPv6 extension headers at transit routers.
>> >    However, filtering based on the presence of an SRH is not necessarily
>> >    useful for two reasons: 1.  The SRH is optional for SID processing as
>> >    described in [RFC8754] section 3.1 and 4.1. 2.  A packet containing
>> >    an SRH may not be destined to the SR domain, it may be simply
>> >    transiting the domain.
>> >
>> > <JMC>
>> > <Major issue>
>> > “2.  A packet containing an SRH may not be destined to the SR domain”
>> > IMHO, not consistent with Section 6.2.1.2, Section 6.2.2.2 and Section 6.2.3.2:
>> > where does this packet come from? </Major issue> </JMC>
>> >
>> >    For these reasons SRH filtering is not necessarily a useful method of
>> >    mitigation.
>> >
>> > <JMC>
>> > <Major issue>
>> > IMHO, not consistent with RFC 8402, Section 8.2:
>> > “Therefore, by default, the explicit routing information MUST NOT be leaked
>> > through the boundaries of the administered domain.” IMHO, not consistent also
>> > with Section 6.2.1.2, Section 6.2.2.2 and Section 6.2.3.2 </Major issue> </JMC>
>>
>> [TM] Here is a proposal for updated text:
>> OLD:
>> A packet containing an SRH may not be destined to the SR domain.
>> NEW:
>> A packet containing an SRH may not be destined to the SR domain. This
>> scenario is mitigated by encapsulating packets on the domain boundary,
>> as discussed in Section 7.2. While inter‑SR‑domain scenarios are
>> generally out of scope for this document’s threat model, the
>> operational practices recommended here aim to preserve
>> interoperability and avoid blanket behaviors that would break SR when
>> adjacent networks follow different practices.
>
>
> <JMC2>
> Maybe I was not clear enough, sorry. You have merged my 2 previous comments inside one but:
> - the first one was about incoming packets (i.e., to the SR domain)
> You replied to my comment.
> - the second one was about outgoing packets - with a SRH (i.e., from the SR domain)
> You didn't reply to my comment.
> </JMC2>

[[TM]] I would suggest the following text update to explicitly explain
that this section refers to both ingress and egress filtering.

OLD:
       A packet containing an SRH may not be destined to the SR domain,
       as it may be simply transiting the domain.  This scenario is
       mitigated by encapsulating packets on the domain boundary, as
       discussed in Section 7.2.  While inter-SR-domain scenarios are a
       violation of the trust model described above, the operational
       practices recommended here aim to preserve interoperability and
       avoid blanket behaviors that would break SR when adjacent
       networks follow different practices.
NEW:
       A packet containing an SRH may not be destined to the SR domain,
       as it may be simply transiting the domain. Therefore, filtering solely
       based on the presence of an SRH, at either SR ingress or SR egress,
       is not necessarily recommended. Instead, this scenario is
       mitigated by encapsulating packets on the domain boundary, as
       discussed in Section 7.2.  While inter-SR-domain scenarios are a
       violation of the trust model described above, the operational
       practices recommended here aim to preserve interoperability and
       avoid blanket behaviors that would break SR when adjacent
       networks follow different practices.

>
> Thanks in advance for your reply.
>
> Best regards,
>
> JMC.

Thanks,
Tal.

v2.45.0 | Report a Bug | By Email | System Status