Return-Path: <jmh@joelhalpern.com>
X-Original-To: spring@mail2.ietf.org
Delivered-To: spring@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1])
	by mail2.ietf.org (Postfix) with ESMTP id 862F1D275800;
	Fri, 27 Mar 2026 08:32:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
	t=1774625531; bh=BOKi2RdlbKh4u8Ad2wwCgFMe2M8cfhMpam4X8JktVIE=;
	h=Date:Subject:To:Cc:References:From:In-Reply-To;
	b=UyAf4y5WF437XL0am/7m0ovm9oI9f/c+epQuSGOZQqprXJkjGqDx+HorFm8ZSLbtQ
	 P3CnFlxyA6fG0CGSkBLpkAiU/jSizukMpjVMox9ZXBjnXaL9RACshed9TLRd4/5Z3j
	 vX+u5FF7Xf9D8z90dSS4Z8Gb8crrPCLyVhSxhtaw=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level: 
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5
	tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
	DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,
	RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,
	RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001]
	autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key)
	header.d=joelhalpern.com
Received: from mail2.ietf.org ([166.84.6.31])
	by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id QyClLqn6AWp5; Fri, 27 Mar 2026 08:32:10 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by mail2.ietf.org (Postfix) with ESMTPS id CDDB1D2757FB;
	Fri, 27 Mar 2026 08:32:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com;
	s=2.tigertech; t=1774625524;
	bh=yKkXSU0uhyM91eSqwa75INDAGhwkvsmOnt3yIRHZzR4=;
	h=Date:Subject:To:Cc:References:From:In-Reply-To:From;
	b=LrMAoNMQpEWUwCMH84VNxySLRStyKGr0VwZGTMRrpVJy83BjAtOcghqAi9OdG0wF1
	 ViMFuGwYLewie3vtIY/EpbcBLB6OwAQV8/QhmZJPv6Q2yHEsyQ5KtJyENVIG4Iryh5
	 k3lTMp5YBO80bpSY4opxtnZlIkzhuwYyaVbeZMWs=
Received: from localhost (localhost [127.0.0.1])
	by mailb2.tigertech.net (Postfix) with ESMTP id 4fj4Pw5kMcz2Fpqh;
	Fri, 27 Mar 2026 08:32:04 -0700 (PDT)
X-Quarantine-ID: <1s_uED9gosm0>
X-Virus-Scanned: Debian amavis at b2.tigertech.net
Received: from [IPV6:2600:8806:103:9500:24d7:4864:5d36:b4c5] (unknown
 [IPv6:2600:8806:103:9500:24d7:4864:5d36:b4c5])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mailb2.tigertech.net (Postfix) with ESMTPSA id 4fj4Pv6Bbpz2Fpqf;
	Fri, 27 Mar 2026 08:32:03 -0700 (PDT)
Message-ID: <1d9e693a-d784-4e6d-805b-143f2079db6a@joelhalpern.com>
Date: Fri, 27 Mar 2026 11:32:02 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>,
 Jean-Michel Combes <jeanmichel.combes@gmail.com>
References: 
 <177195214360.2334629.133943892944994060@dt-datatracker-6ff7c68975-7k42g>
 <CABUE3X=s8UhZ6cFgijYPcf+fcLQCsyEipj5Ey24wiBrk3Qh-gA@mail.gmail.com>
Content-Language: en-US
From: Joel Halpern <jmh@joelhalpern.com>
In-Reply-To: 
 <CABUE3X=s8UhZ6cFgijYPcf+fcLQCsyEipj5Ey24wiBrk3Qh-gA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Message-ID-Hash: KJNPEDWVJ2NRDK2DQXMV6QC5CULLLMVD
X-Message-ID-Hash: KJNPEDWVJ2NRDK2DQXMV6QC5CULLLMVD
X-MailFrom: jmh@joelhalpern.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-spring.ietf.org-0;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
CC: ops-dir@ietf.org, draft-ietf-spring-srv6-security.all@ietf.org,
 spring@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: =?utf-8?q?=5Bspring=5D_Re=3A_draft-ietf-spring-srv6-security-11_early_Opsdir?=
	=?utf-8?q?_review?=
List-Id: "Source Packet Routing in NetworkinG (SPRING)" <spring.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/spring/UA5iwzxm2DL2Wh1OXRcovYERD0g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Owner: <mailto:spring-owner@ietf.org>
List-Post: <mailto:spring@ietf.org>
List-Subscribe: <mailto:spring-join@ietf.org>
List-Unsubscribe: <mailto:spring-leave@ietf.org>

Regarding one item:

On 3/27/2026 4:53 AM, Tal Mizrahi wrote:
> Dear Jean-Michel,
>
> Many thanks for a very thorough review.
> We have revised the document and we believe that the current version
> resolves almost all the issues:
> https://datatracker.ietf.org/doc/draft-ietf-spring-srv6-security/12
>
> Please see the replies below, marked [TM], along with a couple of text
> update suggestions that we would be happy to hear your opinion about.
>
> Thanks,
> Tal.
>
>
> On Tue, Feb 24, 2026 at 6:55 PM Jean-Michel Combes via Datatracker
> <noreply@ietf.org> wrote:
>> <snip>
>>
>> 7.1.2.  SRH Filtering
>>
>>     Filtering can be performed based on the presence of an SRH.  More
>>     generally, [RFC9288] provides recommendations on the filtering of
>>     IPv6 packets containing IPv6 extension headers at transit routers.
>>     However, filtering based on the presence of an SRH is not necessarily
>>     useful for two reasons: 1.  The SRH is optional for SID processing as
>>     described in [RFC8754] section 3.1 and 4.1. 2.  A packet containing
>>     an SRH may not be destined to the SR domain, it may be simply
>>     transiting the domain.
>>
>> <JMC>
>> <Major issue>
>> “2.  A packet containing an SRH may not be destined to the SR domain”
>> IMHO, not consistent with Section 6.2.1.2, Section 6.2.2.2 and Section 6.2.3.2:
>> where does this packet come from? </Major issue> </JMC>
>>
>>     For these reasons SRH filtering is not necessarily a useful method of
>>     mitigation.
>>
>> <JMC>
>> <Major issue>
>> IMHO, not consistent with RFC 8402, Section 8.2:
>> “Therefore, by default, the explicit routing information MUST NOT be leaked
>> through the boundaries of the administered domain.” IMHO, not consistent also
>> with Section 6.2.1.2, Section 6.2.2.2 and Section 6.2.3.2 </Major issue> </JMC>
> [TM] Here is a proposal for updated text:
> OLD:
> A packet containing an SRH may not be destined to the SR domain.
> NEW:
> A packet containing an SRH may not be destined to the SR domain. This
> scenario is mitigated by encapsulating packets on the domain boundary,
> as discussed in Section 7.2. While inter‑SR‑domain scenarios are
> generally out of scope for this document’s threat model, the
> operational practices recommended here aim to preserve
> interoperability and avoid blanket behaviors that would break SR when
> adjacent networks follow different practices.

Personally, I would recommend stronger text about the putative 
inter-domain usage.

Instead of:

"While inter-SR-domain scenarios are generally out of scope for this 
document's threat model"

I would suggest

"While inter-SR-domain scenarios are a violation of the trust model 
described above"

and then continue with the text about not gratuitously breaking things.

Yours,

Joel

>
>> Hope that helps.
>>
>> Thanks in advance for your reply.
>>
>> Best regards,
>>
>> JMC.
>>
>>
>>