[spring] Re: WG Adoption Call for draft-bdmgct-spring-srv6-security (ends Aug/19)
Nick Buraglio <buraglio@forwardingplane.net> Wed, 21 August 2024 19:53 UTC
To: Boris Hassanov <bhassanov@yahoo.com>
CC: SPRING WG <spring@ietf.org>, Alvaro Retana <aretana.ietf@gmail.com>, "draft-bdmgct-spring-srv6-security@ietf.org" <draft-bdmgct-spring-srv6-security@ietf.org>, "spring-chairs@ietf.org" <spring-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/EqGimIQU3rkYMt3xKo5JpIrVZJE>
On Sat, Aug 10, 2024 at 11:35 AM Boris Hassanov <bhassanov@yahoo.com> wrote:

> Hi Alvaro and all,
>
> Yes, I support the publishing of this document.
>
> A few comments after the review:
>
> 1) 1. Introduction
>
> 1.1) "SRv6 makes use of the SRH which is a new type of Routing Extension
> Header." -> IMO, it would be better to write: "SRv6 may use the SRH which is a
> new type of Routing Extension Header [RFC8754]."

How does this sound: "SRv6 may use the SRH which is a type of Routing Extension Header defined by [RFC8754]."

> 1.2) "SRv6 consists of using the SRH on the IPv6 dataplane..." -> "SRv6
> uses the IPv6 dataplane..."

+1

> 1.3) "A typical SRv6 segment identifier (SID) is broken into a locator, a
> function identifier, and optionally, function arguments." -> "A typical
> SRv6 segment identifier (SID) consists of a locator, a function
> identifier, and optionally, function arguments (LOC:FUNCT:ARG [RFC8986])."

+1

> 2) 4. Threat model
>
> 2.1) "Internal vs. External: ... In this context, the latter means that the
> attacker can be reached from a node in the SR domain without traversing an
> SR egress node, and can reach a node in the SR domain without traversing an
> SR ingress node."
>
> IMO, this sentence brings confusion here and is not needed, since the
> previous sentence: "Specifically, an internal attacker either has access to
> a node in the SR domain, or is located on an internal path between two
> nodes in the SR domain." is self-explanatory. Also you give a
> comparison of On-path vs. Off-path in the next paragraph. So I would re-write
> that paragraph in this way:
> "Internal vs. External: An internal attacker in the context of SRv6 is
> an attacker who is located within an SR domain. Specifically, an internal
> attacker either has access to a node in the SR domain, or is located on an
> internal path between two nodes in the SR domain. External attackers, on
> the other hand, are not within the SR domain."

+1

> 3) 5. Impact
>
> 3.1) "Unauthorized Access: an attack that results in unauthorized access
> might be achieved by having an attacker leverage SRv6 to circumvent
> security controls as a result of security devices being unable to enforce
> security policies in the presence of IPv6 Extension Headers (see
> [RFC9098]," -> This part of the sentence is quite complex and confusing; I
> cannot get the logic: SRv6 is just a transport mechanism in this context.
> If it was somehow leveraged to circumvent security control on the router,
> how is this related to some security devices and their inability to
> enforce security policies? RFC9098 mainly talks about DoS attacks
> leveraging IPv6 EH.
> Probably it would be better to re-write.

Will work with the group on this.

> 4) 6. Attacks
>
> I would add a comparison table at the end of this chapter (Attack type -
> Overview - Scope - Impact)

Will work with the group on this.

> 5) 8.2. Middlebox Filtering Issues
>
> "And it is able to retrieve the final destination of SRv6 packet from the
> last entry in the ." -> Probably the SRH is missing: "And it is able to
> retrieve the final destination of SRv6 packet from the last entry in the
> SRH".

+1

> "Additionally, implementation limitations in the processing of IPv6
> packets with extension headers may result in SRv6 packets being dropped
> RFC7872 [RFC9098]." -> "Additionally, implementation limitations in the
> processing of IPv6 packets with extension headers may result in SRv6
> packets being dropped [RFC9098]."

Is there a desire to remove the citation for RFC7872?

> Will the authors propose any kind of solution here besides the problem
> statement?

I don't believe we will provide any solutions.

> There is also the term: SRv6 aware firewall. 7.5 of RFC9098 talks about
> multiple challenges which IPv6 extension headers bring to a FW. So I think
> more research work is needed to define the requirements for an SRv6 aware
> firewall.

What are the group's thoughts on generalizing this to be more about the challenges which IPv6 extension headers introduce to middle boxes, and noting that this extends into the use of SRv6 in that context?

> 6) Items 12 and 13 (Security Considerations and IANA Considerations)
> repeat the same items 9 and 10

Fixed

> 7) I think it would be very helpful if we add a table about known
> supported mitigation methods for vendor and open source SRv6
> implementations such as HMAC TLV, IPv6 extension headers filtering etc.

Will discuss with the group.

> SY,
> Boris
>
> On Monday, August 5, 2024 at 04:04:44 PM GMT+3, Alvaro Retana <aretana.ietf@gmail.com> wrote:
>
> Dear WG:
>
> This message starts a two-week adoption call for
> draft-bdmgct-spring-srv6-security, ending on August/19. From the
> Abstract:
>
> This document discusses security considerations in SRv6 networks,
> including the potential threats and the possible mitigation methods.
> The document does not define any new security protocols or extensions
> to existing protocols.
>
> https://datatracker.ietf.org/doc/draft-bdmgct-spring-srv6-security/
>
> Please review the draft and consider whether you support its adoption
> by the WG. Please share any thoughts with the list to indicate support
> or opposition -- this is not a vote.
>
> If you are willing to provide a more in-depth review, please state it
> explicitly to give the chairs an indication of the energy level in the
> working group willing to work on the document.
>
> WG adoption is the start of the process. The fundamental question is
> whether you agree the proposal is worth the WG's time to work on and
> whether this draft represents a good starting point. The chairs are
> particularly interested in hearing the opinions of people who are not
> authors of the document.
>
> Note that the IESG requested that the WG deliver a document covering
> security considerations for SRv6. This document is intended to satisfy
> that request.
>
> Thanks!
>
> Alvaro (for the Chairs)
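Two of the review points above, the LOC:FUNCT:ARG structure of a SID (1.3) and a middlebox retrieving the final destination of an SRv6 packet from the SRH (5, section 8.2), are easier to reason about with the wire format in front of you. The following is an added example written for this page, not code from the draft, its authors, or anyone on the thread. It parses an IPv6 header followed by an SRH as laid out in RFC 8754 (where Segment List[0] holds the last segment of the path, i.e. the final destination the comment calls the "last entry"), splits a SID into LOC:FUNCT:ARG using operator-configured field widths as RFC 8986 describes, and shows the filtering point from the draft's 8.2: a policy that matches only the current IPv6 destination sees the active segment, not where the packet ultimately goes. The packet, prefixes and field widths are constructed for the example.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
NEXT_HEADER_ROUTING = 43   # IPv6 Routing Header
NEXT_HEADER_NONE = 59      # "No Next Header", used only for the constructed sample
ROUTING_TYPE_SRH = 4       # Segment Routing Header, RFC 8754


def parse_srh(pkt: bytes):
    """Parse an IPv6 header directly followed by an SRH (RFC 8754).

    Returns (ipv6_dst, segments_left, segment_list) with the list in wire order
    (Segment List[0] first). Raises ValueError for anything that is not a
    well-formed IPv6+SRH packet; a filtering device should treat that as a
    policy decision (drop or divert to inspection), not as "no SRH, forward".
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("truncated or non-IPv6 header")
    if pkt[6] != NEXT_HEADER_ROUTING:
        raise ValueError("first extension header is not a Routing Header")
    ipv6_dst = ipaddress.IPv6Address(pkt[24:40])
    srh = pkt[IPV6_HDR_LEN:]
    if len(srh) < 8:
        raise ValueError("truncated SRH fixed part")
    _nh, hdr_ext_len, routing_type, segments_left, last_entry, _flags, _tag = \
        struct.unpack("!BBBBBBH", srh[:8])
    if routing_type != ROUTING_TYPE_SRH:
        raise ValueError(f"routing type {routing_type} is not SRH")
    if len(srh) < 8 + 8 * hdr_ext_len:          # Hdr Ext Len is in 8-octet units
        raise ValueError("Hdr Ext Len exceeds the packet")
    n_segments = last_entry + 1
    if 16 * n_segments > 8 * hdr_ext_len:
        raise ValueError("Last Entry inconsistent with Hdr Ext Len")
    if segments_left > last_entry:
        raise ValueError("Segments Left exceeds Last Entry")
    segment_list = [ipaddress.IPv6Address(srh[8 + 16 * i:24 + 16 * i])
                    for i in range(n_segments)]
    return ipv6_dst, segments_left, segment_list


def final_destination(pkt: bytes) -> ipaddress.IPv6Address:
    """Segment List[0] is the last segment of the path (RFC 8754 section 2)."""
    return parse_srh(pkt)[2][0]


def split_sid(sid, locator_bits: int, function_bits: int):
    """Decompose a SID into LOC:FUNCT:ARG (RFC 8986). The widths are operator
    configuration and are not carried in the packet, hence the parameters."""
    value = int(ipaddress.IPv6Address(sid))
    arg_bits = 128 - locator_bits - function_bits
    host_bits = 128 - locator_bits
    locator = ipaddress.IPv6Network((value >> host_bits << host_bits, locator_bits))
    funct = (value >> arg_bits) & ((1 << function_bits) - 1)
    arg = value & ((1 << arg_bits) - 1)
    return locator, funct, arg


def enforce_policy(pkt: bytes, denied_prefixes) -> str:
    """Middlebox check that looks past the current IPv6 destination: with SRv6
    the outer destination is only the active segment, so matching it alone
    misses later segments and the final destination."""
    try:
        ipv6_dst, _segments_left, segment_list = parse_srh(pkt)
    except ValueError as exc:
        return f"drop (malformed: {exc})"
    denied = [ipaddress.IPv6Network(p) for p in denied_prefixes]
    for addr in [ipv6_dst, *segment_list]:
        for net in denied:
            if addr in net:
                return f"drop ({addr} in denied prefix {net})"
    return "forward"


def build_srv6_packet(src, dst, path, segments_left, payload=b"") -> bytes:
    """Constructed sample packet: IPv6 header + SRH without TLVs. `path` is in
    path order (first hop first); the SRH stores it reversed per RFC 8754."""
    segs = list(reversed([ipaddress.IPv6Address(s) for s in path]))
    hdr_ext_len = 2 * len(segs)  # each 16-byte segment is two 8-octet units
    srh = struct.pack("!BBBBBBH", NEXT_HEADER_NONE, hdr_ext_len, ROUTING_TYPE_SRH,
                      segments_left, len(segs) - 1, 0, 0)
    srh += b"".join(s.packed for s in segs)
    ipv6 = struct.pack("!IHBB", 0x60000000, len(srh) + len(payload), NEXT_HEADER_ROUTING, 64)
    ipv6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ipv6 + srh + payload


# Constructed sample (documentation prefix): a three-segment path whose active
# segment, the IPv6 destination, is permitted while the final destination is not.
PATH = ["2001:db8:1:2::", "2001:db8:3:4::", "2001:db8:ffff::1"]
SAMPLE_PKT = build_srv6_packet("2001:db8::a", PATH[0], PATH, segments_left=2)
DENIED = ["2001:db8:ffff::/48"]

if __name__ == "__main__":
    print("final destination:", final_destination(SAMPLE_PKT))
    print("policy on outer dst only would forward; full check:", enforce_policy(SAMPLE_PKT, DENIED))
    print("SID split (48-bit locator, 16-bit function):", split_sid(PATH[0], 48, 16))
```

The consistency checks in `parse_srh` (Routing Type, Hdr Ext Len against the packet, Last Entry against Hdr Ext Len, Segments Left against Last Entry) are the part a middlebox cannot skip: the extension-header processing limitations the thread cites from RFC 9098 are exactly the cases where a device gives up on a header it cannot bound and either drops or forwards blind.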