[spring] Re: draft-ietf-spring-srv6-security-11 early Secdir review
Tal Mizrahi <tal.mizrahi.phd@gmail.com> Fri, 27 March 2026 09:14 UTC
Return-Path: <tal.mizrahi.phd@gmail.com>
X-Original-To: spring@mail2.ietf.org
Delivered-To: spring@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 43CCBD24C645 for <spring@mail2.ietf.org>; Fri, 27 Mar 2026 02:14:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1774602842; bh=LoxUnu2eHOWUgiXEFWBKA99NqkDGGMq6cnhXinc9IqQ=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=rgwSi2i6Ci3RPW2VLfFHXfzNWiPCDYcKYjkTfpem9OsqHVtuzf+W5mNSXC9bkpS8D qiZxpfL9yyOQnoVdkq6XMjAnenorRAm2pYhIxBeWbfzBOIZVfo/13lQcfJsSP88sns i3knt32qkh9G1q+Cl8+ecaCpNB+bC+gUm+C3OjCk=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ajiow4tZsM6h for <spring@mail2.ietf.org>; Fri, 27 Mar 2026 02:14:01 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A9682D24C636 for <spring@ietf.org>; Fri, 27 Mar 2026 02:14:01 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-66b51bfe5f3so71539a12.2 for <spring@ietf.org>; Fri, 27 Mar 2026 02:14:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1774602841; cv=none; d=google.com; s=arc-20240605; b=Qbgg1azvdstrtj/sET3jNrfqWAAbeqdGFEW96N5pVE6sDGwoqq7NNqfBpxA6pqfGnG 1sOHrSJpsVcFHlt3+cqoT8wNnwT1gi7jGmWTZF2TgM4n4eGp5a7LWsELl7xzcoiQksxX yiW4qruIQ4T+v3th/tVy1qf5+naJKGRo7Vg1eMPcQfzW8A0CJdYYZI/mLkAloEYpquos c+TG/Jf9X5CE6siP90ecl6Ak3Ak/ZtIEw0EZVBz0KFJj8YRiM41hTvRxdD462xGzu/0i BX/2Es8WFvwPh5+7dRyzHN1x46N7SKpXoJFV886uFKbQchRj7IpTiCu5+R6t47wKlaRw 9UwA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=eCJXJV8IXpEPnM1QVQdmc8J+4fCBwdZUnu2jP+u49i4=; fh=UayYK4YvlQ9wECGfoULJomUp96gQRtYsd9w/QdzQ6/0=; b=RAi1wlcPjN+pcvPUO2kzXVjjBwNM1D+LrNPajtn69tPEIK59mW1c6aV/vOCnNHe6iL UUfFE6f0c3MgsbSuOHMvx763vw33YROaYC91KtaotYQkjUN3q3/wPJ+9oKWrgE8nW2kV y/Eyj1wxO5PHaEpSs/Bi3YZ7OIHnSjIwbVqnlNrVbyRWFlbpGnZ9xkqiHY2gJ/tep5kx p89tXKwUy1Fd3yG14Gdbhm1mZDHzhGZEuq9gUl6inaD0DqSdQ75BMlJIi3Zr74q3lM6n ZTy+dHzWiPhGdHf2TOJ/lV/2XH/MI1DBC8AWeBkppmI8kFm2KoxWg+F3DwFRN+WYhJ3i WdxA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1774602841; x=1775207641; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=eCJXJV8IXpEPnM1QVQdmc8J+4fCBwdZUnu2jP+u49i4=; b=aCplIYNcDdzQIVN4WVsqGQDii07jRiZHxyj5fShRPbvxeejm2zOA34ObrVvwuIuFtJ 3RouWlNAp4J7X2qzxPrng/+b2fviNHQOvl9qzEEOaHrOm7dq/yUSxzuHyrq+hR2VyfYZ XguL/JgODPoDMOFiXs8qjsCn68kUZanqf3Afrr9cGibtz6b5eqe3vNm04sSRoeRjuFX3 2urNL3rIouKWjMK5wGDda8qRiTlM46uZrqmhPhkGrOiS+sG7aTmHFi7Ml9e+MVFdCJOu tehI03dDLOdZfOiNZDcUWB5+fEfLjVA4kURCbumz8X+QOAGv5owPi4SGf0csjISXnLwD Pynw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774602841; x=1775207641; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=eCJXJV8IXpEPnM1QVQdmc8J+4fCBwdZUnu2jP+u49i4=; b=M1QbGwB72ZzpjGnFyGVoMSc5kB8wsUajrC2oBf6sakNLgyFJOim+fMtAzK0Er2Wp4+ kAYFleTNzL5JFps+eCSbcXbPcmP0HMqjS9f+3Fc/k++UxThHpQ04X24RyWSxlc5n4Rfm Mh1X0xFZ5cm1XSD8yGyF90J4tjcRiXNn1MFToH79G9ki3meFOCrzupcf9RNHUpESIRAp Ja3rTN6+eFPlRYemCQY4DsSbUbyWpfwRS0FL1STnRWKDmWOY0IjnQXuJtfbmPBwcbUY2 remcyFsWcvVnLbAAoWMoENIvi1pXZjM+PSDbqBJWok8URdzTESP5xXQcaa0itBmyiaZS YQjg==
X-Forwarded-Encrypted: i=1; AJvYcCVj2AgRe0BIz4QKa/l6J1W589R5J0QsWgrhWtIBJXt3Dnou5RNfrnLQNSs5E5lIf3AJM07lmrw=@ietf.org
X-Gm-Message-State: AOJu0Yz+O2dPhMQ3wtbUxgCeoJWyXz+ez2Hwg2dU762olmV5SIicrp+H nm84M77WSjOg9k6wVqYZby/Y3XnsoPb9LwU8ceJ8/1K8ZDbubihHEpS4AsDFmGNLNpT6OO8g0EL 9y10gB5361AVhwX6vee1OyE4VK/EGeWY=
X-Gm-Gg: ATEYQzzCOtVE7x7bzBULzwYL+IplQYyAHl0QDqp+QR9er+RL8wkhj8MWAHFBZ/Xsexb OfkFWfO67xCCL0uFIc7qMDGgZ7Lkt1ICEoDnUHhyqeMndoOYZtdfcEkuyhfkD0ktulyDHsvTO3z hyxS0oYwbVs1VUCg9eyGFRTJq5PJSqGVNVbUAyWzsTERrnHyvfNCtJcn8qah8TAX5SfY5cBmHyH Ie74rluwka7KG2VIrKwHgILrzBRwDW8PcbUghFNkpDXn8hdozbg6+ZEjgoWJWGxgiByvPkhK5rX kB+1aM83C3oAQI/N2YQap9A05a/wLZhM586cUVrvI90ZmyhXH42+rJN3nFX6AXUJmmLXgP+c5A= =
X-Received: by 2002:a17:907:d501:b0:b83:95c8:15d0 with SMTP id a640c23a62f3a-b9b5094530fmr100500066b.52.1774602840364; Fri, 27 Mar 2026 02:14:00 -0700 (PDT)
MIME-Version: 1.0
References: <177111318555.435673.3642205218143643087@dt-datatracker-6ff7c68975-7k42g>
In-Reply-To: <177111318555.435673.3642205218143643087@dt-datatracker-6ff7c68975-7k42g>
From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Fri, 27 Mar 2026 12:13:48 +0300
X-Gm-Features: AQROBzB02--mGXPyLtuXBB72b4t3SaW2IRy9BecdmQShHS7SaMkcHhXL0XSSv64
Message-ID: <CABUE3XnNCbd_yzyeCVXQ6Oq7fAAefWohPAmT_MaxgoXM0KFExQ@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: KZ23GLG23PVL6GQVXV5RAZQ2IOWDSFDK
X-Message-ID-Hash: KZ23GLG23PVL6GQVXV5RAZQ2IOWDSFDK
X-MailFrom: tal.mizrahi.phd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spring.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, draft-ietf-spring-srv6-security.all@ietf.org, spring@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [spring] Re: draft-ietf-spring-srv6-security-11 early Secdir review
List-Id: "Source Packet Routing in NetworkinG (SPRING)" <spring.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/Mt7JD3xJOuUO19sOkOJ8CltTd8c>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Owner: <mailto:spring-owner@ietf.org>
List-Post: <mailto:spring@ietf.org>
List-Subscribe: <mailto:spring-join@ietf.org>
List-Unsubscribe: <mailto:spring-leave@ietf.org>
Hi Christian, Thanks for a very detailed review. We have posted a revised version: https://datatracker.ietf.org/doc/draft-ietf-spring-srv6-security/12 Please see some replies below. Cheers, Tal. On Sun, Feb 15, 2026 at 1:53 AM Christian Huitema via Datatracker <noreply@ietf.org> wrote: > > Document: draft-ietf-spring-srv6-security > Title: Segment Routing IPv6 Security Considerations > Reviewer: Christian Huitema > Review result: Has Nits > > This document is titled "Segment Routing IPv6 Security Considerations", which > is rather bland, but the document itself is anything but bland. It is a > methodical evaluation of SRv6 security issues, starting with a well > constructed threat model, going all the way to the evaluation of attacks and > existing mitigations, some of which it finds wanting. It does propose practical > improvements. It is great to see this kind of work coming from the > routing area, and my first reaction is to applaud! > > The threat analysis follows a methodical progression: categorization of attackers, > listing of assets, listing of attacks and analysis of mitigations. They consider 5 > types of attackers, on path or not, internal or external, and with access to > the control plane. The listing of assets is good, although I would add something > about the privacy of end to end users. I would apply the same remark to the > analysis of attacks. It is rather exhaustive, except maybe for the possible use of SRH > options as a way to track end users or their behavior. [TM] Right. Based on your comment we have revised Section 6.2.2.3, adding the privacy aspect. We have also updated the text in 7.1.3, which now also addresses this issue. > > I think the meat of the document is in the analysis of mitigations. I hope that > deployments of SRV6 pay attention to it, and in particular the robust discussion of > Trusted Domains and Filtering in section 1.1, which points out that it might > be insufficient to trust access filtering at the domain borders to ensure safety > of operations. To quote: > > Practically speaking, this means successfully enforcing a "Trusted > Domain" may be operationally difficult and error-prone in practice, > and that attacks that are expected to be unfeasible from outside the > trusted domain may actually become feasible when any of the involved > systems fails to enforce the filtering policy that is required to > define the Trusted Domain. > > This is typical of the seriousness of this document, which does not attempt to brush off obvious > issues with the idea of "limited domains". Not a really new concept, the old polar bear > adage "crunchy on the outside, chewy on the inside" still applies. Section 7.1.3 proposes > a more efficient remediation: use a dedicated prefix for the SRv6 SIDs inside a domain, > and apply filtering based on these SIDs not only at the border but also "in depth". > > Section 7.2 advocates convincingly for the use of encapsulation/decapsulation at domain boundaries, > which would largely mitigate external attacks. That's very realistic. > > Section 7.3 point out that packet authentication based on well known keys is rather brittle, > due to the difficulties of properly managing such keys. Indeed, we could see security issues > if these keys leaked. > > Section 7.4 discusses the mitigation of control plane attacks. This may be something that we would > want to develop in a separate document. Attackers who want to impair a network are likely to > target some internal nodes to gain privileges -- typically, attacking the laptop of a > network administrator to get a foothold, and from there using that administrator's > access right to attack the network management functions. That attack chain can be used against > SRv6, but it can also be used against networks that do not use SRv6. There are potential > mitigations such as least privilege, isolation of function or early detection. Maybe that > should be addressed in a different document. > > Section 8 discusses the effect of deploying SRv6 on existing hardware, such as firewalls that > do not understand the SRv6 extensiens, or hardware that is not powerful enough to process the > extension. > > Overall, I like this document a lot. My only little remark is that it does not discuss > much potential pricacy issues. SRV6 header carry a significant amount of information, > more information than the the basic IPv6 header. The leak of information through the > IPv6 header information can be mitigated using techniques like privacy addresses or VPNs. > Maybe the draft should discuss whether the SRV6 headers can be used to identify either the > identity behind the addresses or the specific way in which a pair of endpoints communicates? [TM] As mentioned above, privacy aspects have been added. > >
- [spring] draft-ietf-spring-srv6-security-11 early… Christian Huitema via Datatracker
- [spring] Re: draft-ietf-spring-srv6-security-11 e… Tal Mizrahi