[spring] Re: WG Adoption Call for draft-bdmgct-spring-srv6-security (ends Aug/19)

Nick Buraglio <buraglio@forwardingplane.net> Tue, 20 August 2024 18:04 UTC

References: <CAMMESsyA1iPN7b1RhgW6ajFcG6m0f07Q072jxQn3q2729W3xzw@mail.gmail.com> <CAB75xn7_aHKxacGFZKCdamDtw0rBnctqC2rQMNMi_TSMacY6hg@mail.gmail.com>
In-Reply-To: <CAB75xn7_aHKxacGFZKCdamDtw0rBnctqC2rQMNMi_TSMacY6hg@mail.gmail.com>
From: Nick Buraglio <buraglio@forwardingplane.net>
Date: Tue, 20 Aug 2024 13:04:28 -0500
Message-ID: <CACMsEX8DrA9RntHZbjTiOXM0QjZZfmFi7YQh27OZwpM1zJLAjg@mail.gmail.com>
To: Dhruv Dhody <dhruv.ietf@gmail.com>
CC: Alvaro Retana <aretana.ietf@gmail.com>, SPRING WG <spring@ietf.org>, draft-bdmgct-spring-srv6-security@ietf.org, "spring-chairs@ietf.org" <spring-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/DE-UySaI6YSdRwI_89YxkIWhkq4>

On Mon, Aug 19, 2024 at 11:29 AM Dhruv Dhody <dhruv.ietf@gmail.com> wrote:
>
> Hi,
>
> I support adoption. Please find some non-blocking comments that authors can work on.
>
> # Minor
>
> - Should you call out RFC 8986 Network programming in the Introduction?
>
> - Section 2, it gives the impression that the control and management plane are not in scope but we do have section 6.4. Update this section to include text about the control and management plane.

+1
>
> - Section 4; It would be good to be explicit about what it means for the SR domain to be cryptographically secured. It is not clear if HMAC (section 7.3) is an example or THE technique that makes an SRv6 domain cryptographically secure.

Thanks, we'll clean that up.
>
> - Section 5; for Masquerade the reference provided is RFC 9088 but that RFC does not use the term.

Will fix this.
>
> - Section 6.2.4 to Section 6.2.6; I guess these subsections were supposed to be under a section heading (recon attack) that is missing?

Will fix this.
>
> - Section 6.4; Should one also mention compromised PCE or SDN controller? It seems the current focus is mainly on IGP? In this text - "Injection can be performed by off-path attackers, while removal, replaying and listening require on-path access."; if this is about injection of control plane packets, is it wise to use on-path and off-path?

This is an interesting point. We've so far avoided much talk of
controllers, but large scale networks are likely to employ something
to control LSPs and pre-computed paths, among other things. Will
consider how to best address this.
>
> - Section 7.1; I wonder if we should say more about the operational side of these filtering techniques. For section 7.1.2, should we also include RFC-to-be 9602 (draft-ietf-6man-sids)?

Up until now we'd left that out. I'll talk with the group and see what
the consensus is, and how we'd best add details.
>
> - Delete sections 12 and 13, they are duplicates!

+1
>
> # Nits
>
> - Expand SRv6 in the title and abstract
>
> - Add reference for Segment Routing Header (SRH) as [RFC8754]
>
> - s/reliance of a new header/reliance on a new header/
>
> - Section 3.2 can also include - SR, LUA, GUA, DA
>
> - s/applied baed on/applied based on/
>
> - s/using LUA addresses/using ULA addresses/
>
> - s/from the last entry in the ./from the last entry in the SRH./ (?)
>
> - s/keeeping/keeping/
>
> - s/do not posses/do not possess/
>
> - s/PE device a as source address/PE device as source address/
>
> - Please run the text through a grammar check, many issues that I did not list!

Will address the nits, and definitely run through some grammar tooling.
>
> Thanks!
> Dhruv
>
>
> On Mon, Aug 5, 2024 at 6:35 PM Alvaro Retana <aretana.ietf@gmail.com> wrote:
>>
>> Dear WG:
>>
>> This message starts a two-week adoption call for
>> draft-bdmgct-spring-srv6-security, ending on August/19. From the
>> Abstract:
>>
>>    This document discusses security considerations in SRv6 networks,
>>    including the potential threats and the possible mitigation methods.
>>    The document does not define any new security protocols or extensions
>>    to existing protocols.
>>
>>
>>    https://datatracker.ietf.org/doc/draft-bdmgct-spring-srv6-security/
>>
>>
>> Please review the draft and consider whether you support its adoption
>> by the WG. Please share any thoughts with the list to indicate support
>> or opposition -- this is not a vote.
>>
>> If you are willing to provide a more in-depth review, please state it
>> explicitly to give the chairs an indication of the energy level in the
>> working group willing to work on the document.
>>
>> WG adoption is the start of the process. The fundamental question is
>> whether you agree the proposal is worth the WG's time to work on and
>> whether this draft represents a good starting point. The chairs are
>> particularly interested in hearing the opinions of people who are not
>> authors of the document.
>>
>> Note that the IESG requested that the WG deliver a document covering
>> security considerations for SRv6. This document is intended to satisfy
>> that request.
>>
>> Thanks!
>>
>> Alvaro (for the Chairs)
>>