IETF Logo Mail Archive

[spring] Re: draft-ietf-spring-srv6-security-11 early Opsdir review

Jean-Michel Combes <jeanmichel.combes@gmail.com> Wed, 08 April 2026 13:06 UTC

Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: spring@mail2.ietf.org
Delivered-To: spring@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 956CAD8137E4 for <spring@mail2.ietf.org>; Wed, 8 Apr 2026 06:06:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775653602; bh=rrTGWI7FCGlc1uOKBCkHNREeBZXxIyiTStTjJIhR6mc=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=TdmiuWZEFjL5UV55fGn17bx98Y/eWI6UkeHfMJFm+tr80bp6yeo2uYzVIpHFRNEfg ErxcExBq+3j04RT9bmjZG4CiEz2OPSkzBhC7By0Ftsns/NB4aQYUIykafVbuBD9UGD u55sjWBxiH/xEySadKYoCNdPx2Ytu8uHwH5/Cd+U=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -0.855
X-Spam-Level:
X-Spam-Status: No, score=-0.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OsqAxdD8w2Ut for <spring@mail2.ietf.org>; Wed, 8 Apr 2026 06:06:41 -0700 (PDT)
Received: from mail-vk1-xa33.google.com (mail-vk1-xa33.google.com [IPv6:2607:f8b0:4864:20::a33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9ABC9D812C2D for <spring@ietf.org>; Wed, 8 Apr 2026 06:02:43 -0700 (PDT)
Received: by mail-vk1-xa33.google.com with SMTP id 71dfb90a1353d-56a8fdaddebso2086566e0c.0 for <spring@ietf.org>; Wed, 08 Apr 2026 06:02:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1775653357; cv=none; d=google.com; s=arc-20240605; b=iDLQhEVcT251MRmpN3ah2TQnNdtR/C7cwO28E7+kFtnjzxBzHDy3nM65vKbcSpfiDM gOu/kksJG0XeA9INt1uXLQM3w2XHKIhaZy+oGGVSg08oZF9ySHpbobzv0TXtADz3d9b0 eK1tbuvqq6X7Kn1uRoKZpS0Z3fSJ6wcvO+WKOXUoy+L0qLYS6sYdLSGfn0lvd+3t5PWA gLJwzXT8Qa5PNGS6u3zDc8Cxi+rag/5Vg/v70gSRpR5kehjV9/QRF+CyWkBWvy71Y3ZX uoFpDKnuND+4VHrcjCY9ZIyxT/GZtibz0aduHw635O8gP+dfPzUgvwi5kbAGEfi6bkyC /W9A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=wdZ7qvp12oOuq7V+72QdJ6cWqRQLPZOUMvnBpl+MRvo=; fh=gy7DmXHhXY5iqMN0wC+MEkQjOZH9Ij4WMZwcdGNFDVw=; b=lf7YSDd7Gp+iq/q+NPtak79vRDCcrfIpo40oMBbn0NJ3Wda5JvKmUkb4NVyD6Uni9G tPrB44HoVG0A/0Id7Wn+Spki1sZ72ExVLDR1NnIOcWo/MiKayKlV+poKLvDbtbpmEydm KzkPtwcDTFgm/l5JnjJa+ZyJl8FjMbtiQqA859Qs3ewo+UFSIo1FnR+Ty+ks9r6xEDWm 38Jv+vag2jvAIyNi20M+FGZeveCGSiEppzPryYLoef1pEGnrU9d07jX3LaN98B9u0GXR UtqPfMFKCfWKxrRX+5Fnc+4GjKomlS1LdJaAleX5GqI4t2o4WRAqhcHEZNjRtIvYveBq v55g==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775653357; x=1776258157; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wdZ7qvp12oOuq7V+72QdJ6cWqRQLPZOUMvnBpl+MRvo=; b=Aj3WrhFu6WH4JaI0VM0eL1eKxzkPEln7/4uMRlpVEVa9bY75vb9Vfa1x4SBNpXCP9z exky0z4r1TFqVg0UIf+9Y99U5yjyTFfUmUY/HypgW+EwqYxhecnVXwiKMo4gKgE60TJG HPOYnN+Up37gb/DbRLu+eb9NVT4bVM4+UtHsbkpeYZ7LR/A0sLZGAcYbzhrox0U89ujE M6qqdUuHQW0Npqv6aj9zcj+oibyhrT5u/sCfklDY2gTHRmhfyRS17DB4qXX0u1/+C2Cb JT7/lCalelbwNt16vsVRX+JRk1EEHnJD/pfzSVXe2njQpHTHHgmqCadqV5LLdZki+2g/ MQ8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775653357; x=1776258157; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=wdZ7qvp12oOuq7V+72QdJ6cWqRQLPZOUMvnBpl+MRvo=; b=WYXJyZTB7BpiH1Orks7Nj9ZAW26SWD2FkgGg3/CHRV5sLMCkJYx0/1c+JhJhXPAYlu nEMveLNijjNLCor7eOXXuWAiJAyc682Hs/mLvXD0ush0w2CReWS99d677dXBaKfyophF 3VWKCZ0CIzbMzet0zCtaX8pc7V+3MnBR+3EZMdkuN7dzngD7Xvc0dMcoD8l4kmM5G4nw 6ZBoCpbjh4LcTYUhXpNHfbIPulWlt0pjSSWkarjgn5In6o/qiKIKDP6CSfjgI0TKbddr xSScoL7xKxN6XaUGjotBRAATxnMlrWov12t/HAhH0wI3POVwIx7XpfY/eMJSCRPUjiaV QNmQ==
X-Forwarded-Encrypted: i=1; AJvYcCVBZW3vgkaQq5+zC5vKT3NIitlkVyRkgLHIw6DBD+oZ/1SopYLBpMokNuC3r53Fi61p5obuLQg=@ietf.org
X-Gm-Message-State: AOJu0Yze5maa+5zgnrsIF3xv3Ss9OodY6fQ79WqaPy/CiR67gAhVulw5 joJTUsHP9sHrYFfMQBNaGEtXY+Z2mKRaeGP7zFDh7fXcr6V+cF5scHF+yBIfOhHBt3hLfQF5HpO urgR0649E++nx4/YkLD5k13oXP/BkUIw=
X-Gm-Gg: AeBDieuAfzVvlzEk5It3MORUu5RbPb4w1Sfh0D9/bkpjdI/x1xqkQRQ4tbhNR3Rn0ce cvEaNEfWHg8KbUCMPD3YjFERo/s7dD+X8CPG8IfNrsn83jsYbu8+XWQL5SNcDVIG16ZpuPhHlt8 dxRp7ey9Ab7VlIsbTjNwrSEtKcmG9cXxzlMJfzhn3VjkIZ+7874XWUEUcEO8DWWZLPj62j2yU7m b+iKGC19NNN1otkaxNjb04do349wUDQox6pHPPzmhLC6N/7XJq/deJDhJ5DzvgbzSIQab6XaoB+ /u2I
X-Received: by 2002:a05:6122:2886:b0:56b:9784:8a2a with SMTP id 71dfb90a1353d-56dab9a8277mr8269288e0c.10.1775653356990; Wed, 08 Apr 2026 06:02:36 -0700 (PDT)
MIME-Version: 1.0
References: <177195214360.2334629.133943892944994060@dt-datatracker-6ff7c68975-7k42g> <CABUE3X=s8UhZ6cFgijYPcf+fcLQCsyEipj5Ey24wiBrk3Qh-gA@mail.gmail.com> <CAA7e52roeZ9rvNyrb7+0W8k-Jzg161Kh5JF+AnUvyu==puFpxA@mail.gmail.com> <CABUE3XmyA8R7x9UJ4=D+=dekKzZR=W_+DNnXu2o7Dp6UxxFGeg@mail.gmail.com>
In-Reply-To: <CABUE3XmyA8R7x9UJ4=D+=dekKzZR=W_+DNnXu2o7Dp6UxxFGeg@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
Date: Wed, 08 Apr 2026 15:02:25 +0200
X-Gm-Features: AQROBzAFfTDivrVLUwyVeioJDNIMvagbH-4IE2a6aESPOJtm7cvTt1IcLVKMKqw
Message-ID: <CAA7e52qdHDThtmLSQZSiuHHdVh6fK_JPBve5JwaKAYWMqiMCZg@mail.gmail.com>
To: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000096787e064ef2836b"
Message-ID-Hash: 6SWL66OKZX7FZUUPXZNGSCNE3XVFAQWL
X-Message-ID-Hash: 6SWL66OKZX7FZUUPXZNGSCNE3XVFAQWL
X-MailFrom: jeanmichel.combes@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spring.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: ops-dir@ietf.org, draft-ietf-spring-srv6-security.all@ietf.org, spring@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [spring] Re: draft-ietf-spring-srv6-security-11 early Opsdir review
List-Id: "Source Packet Routing in NetworkinG (SPRING)" <spring.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/VzuDRsXvq7vDwIT0udOuuvb7YHY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Owner: <mailto:spring-owner@ietf.org>
List-Post: <mailto:spring@ietf.org>
List-Subscribe: <mailto:spring-join@ietf.org>
List-Unsubscribe: <mailto:spring-leave@ietf.org>

Hi,

At first, thanks for your reply.
All your answers work for me.

Thanks again for your replies.

Best regards,

JMC.


Le jeu. 2 avr. 2026 à 12:26, Tal Mizrahi <tal.mizrahi.phd@gmail.com> a
écrit :

> Hi Jean-Michel,
>
> Thanks for reviewing the updated version.
> Please see my responses below, marked [[TM]].
>
> On Wed, Apr 1, 2026 at 6:25 PM Jean-Michel Combes
> <jeanmichel.combes@gmail.com> wrote:
>
> [snip]
>
> >> > <JMC>
> >> > <Major issue>
> >> > “Therefore,”: without definition of “trusted domain” (cf. above), I
> must admit
> >> > it is hard for me to have such a conclusion. </Major issue> </JMC>
> >>
> >> [TM] Based on this comment and other comments from directorate
> >> reviewers we have significantly revised the text about "SR domain" and
> >> "trusted domain" in Section 4 (Threat Terminology). While the current
> >> document is not intended to redefine these terms, we believe that the
> >> current version is clearer about the meaning of these terms based on
> >> RFC 8402.
> >
> >
> > <JMC2>
> > Sorry, but the new text doesn't clarify the "trusted domain" term for me.
> > Option #1: a SR domain, where filtering policy at the domain boundaries
> - as defined in the document, is applied and so, is considered as a
> "trusted domain" => a SR domain where there is no/partial filtering policy
> at the domain boundaries is not considered as a "trusted domain"
> > Option #2: the filtering policy at the domain boundaries - as defined in
> the document, is only an additional security feature for a "trusted domain"
> and so, there is/are security assumption(s)/feature(s) a SR domain MUST
> have to become a "trusted domain"
> > Option #1 or Option #2?
> > If Option #2, what is/are the security assumption(s)/feature(s)?
> > </JMC2>
>
> [[TM]] Please note that the text in version 13 says: "...the term
> trusted domain denotes an SR domain for which the boundary-filtering
> assumption of [RFC8402] is in force."
> Thus, from the two options you suggested, Option #1 can clearly be
> understood from this sentence.
> In my opinion the text is clear about this point.
>
>
> [snip]
>
> >> > 7.1.2.  SRH Filtering
> >> >
> >> >    Filtering can be performed based on the presence of an SRH.  More
> >> >    generally, [RFC9288] provides recommendations on the filtering of
> >> >    IPv6 packets containing IPv6 extension headers at transit routers.
> >> >    However, filtering based on the presence of an SRH is not
> necessarily
> >> >    useful for two reasons: 1.  The SRH is optional for SID processing
> as
> >> >    described in [RFC8754] section 3.1 and 4.1. 2.  A packet containing
> >> >    an SRH may not be destined to the SR domain, it may be simply
> >> >    transiting the domain.
> >> >
> >> > <JMC>
> >> > <Major issue>
> >> > “2.  A packet containing an SRH may not be destined to the SR domain”
> >> > IMHO, not consistent with Section 6.2.1.2, Section 6.2.2.2 and
> Section 6.2.3.2:
> >> > where does this packet come from? </Major issue> </JMC>
> >> >
> >> >    For these reasons SRH filtering is not necessarily a useful method
> of
> >> >    mitigation.
> >> >
> >> > <JMC>
> >> > <Major issue>
> >> > IMHO, not consistent with RFC 8402, Section 8.2:
> >> > “Therefore, by default, the explicit routing information MUST NOT be
> leaked
> >> > through the boundaries of the administered domain.” IMHO, not
> consistent also
> >> > with Section 6.2.1.2, Section 6.2.2.2 and Section 6.2.3.2 </Major
> issue> </JMC>
> >>
> >> [TM] Here is a proposal for updated text:
> >> OLD:
> >> A packet containing an SRH may not be destined to the SR domain.
> >> NEW:
> >> A packet containing an SRH may not be destined to the SR domain. This
> >> scenario is mitigated by encapsulating packets on the domain boundary,
> >> as discussed in Section 7.2. While inter‑SR‑domain scenarios are
> >> generally out of scope for this document’s threat model, the
> >> operational practices recommended here aim to preserve
> >> interoperability and avoid blanket behaviors that would break SR when
> >> adjacent networks follow different practices.
> >
> >
> > <JMC2>
> > Maybe I was not clear enough, sorry. You have merged my 2 previous
> comments inside one but:
> > - the first one was about incoming packets (i.e., to the SR domain)
> > You replied to my comment.
> > - the second one was about outgoing packets - with a SRH (i.e., from the
> SR domain)
> > You didn't reply to my comment.
> > </JMC2>
>
> [[TM]] I would suggest the following text update to explicitly explain
> that this section refers to both ingress and egress filtering.
>
> OLD:
>        A packet containing an SRH may not be destined to the SR domain,
>        as it may be simply transiting the domain.  This scenario is
>        mitigated by encapsulating packets on the domain boundary, as
>        discussed in Section 7.2.  While inter-SR-domain scenarios are a
>        violation of the trust model described above, the operational
>        practices recommended here aim to preserve interoperability and
>        avoid blanket behaviors that would break SR when adjacent
>        networks follow different practices.
> NEW:
>        A packet containing an SRH may not be destined to the SR domain,
>        as it may be simply transiting the domain. Therefore, filtering
> solely
>        based on the presence of an SRH, at either SR ingress or SR egress,
>        is not necessarily recommended. Instead, this scenario is
>        mitigated by encapsulating packets on the domain boundary, as
>        discussed in Section 7.2.  While inter-SR-domain scenarios are a
>        violation of the trust model described above, the operational
>        practices recommended here aim to preserve interoperability and
>        avoid blanket behaviors that would break SR when adjacent
>        networks follow different practices.
>
> >
> > Thanks in advance for your reply.
> >
> > Best regards,
> >
> > JMC.
>
> Thanks,
> Tal.
>

v2.45.0 | Report a Bug | By Email | System Status