[spring] Re: WG Adoption Call for draft-bdmgct-spring-srv6-security (ends Aug/19)

Boris Hassanov <bhassanov@yahoo.com> Sat, 10 August 2024 16:35 UTC

Date: Sat, 10 Aug 2024 16:35:00 +0000
From: Boris Hassanov <bhassanov@yahoo.com>
To: SPRING WG <spring@ietf.org>, Alvaro Retana <aretana.ietf@gmail.com>
CC: "draft-bdmgct-spring-srv6-security@ietf.org" <draft-bdmgct-spring-srv6-security@ietf.org>, "spring-chairs@ietf.org" <spring-chairs@ietf.org>

Hi Alvaro and all,

Yes, I support the publishing of this document.

A few comments after the review:
1) 1. Introduction
1.1) "SRv6 makes use of the SRH which is a new type of Routing Extension Header." -> IMO, it would be better to write: "SRv6 may use the SRH which is a new type of Routing Extension Header [RFC8754]."
1.2) "SRv6 consists of using the SRH on the IPv6 dataplane..." -> "SRv6 uses the IPv6 dataplane..."
1.3) "A typical SRv6 segment identifier (SID) is broken into a locator, a function identifier, and optionally, function arguments." -> "A typical SRv6 segment identifier (SID) consists of a locator, a function identifier, and optionally, function arguments (LOC:FUNCT:ARG [RFC8986])."

2) 4. Threat model
2.1) "Internal vs. External:...In this context, the latter means that the attacker can be reached from a node in the SR domain without traversing an SR egress node, and can reach a node in the SR domain without traversing an SR ingress node."

IMO, this sentence brings confusion here and is not needed, since the previous sentence: "Specifically, an internal attacker either has access to a node in the SR domain, or is located on an internal path between two nodes in the SR domain." is self-explanatory. Also you give the comparison On-path vs. Off-path in the next paragraph. So I would re-write that paragraph in this way:
" Internal vs. External:  An internal attacker in the context of SRv6 is an attacker who is located within an SR domain.  Specifically, an internal attacker either has access to a node in the SR domain, or is located on an internal path between two nodes in the SR domain.  External attackers, on the other hand, are not within the SR domain.  "

3) 5. Impact
3.1) "Unauthorized Access: an attack that results in unauthorized access might be achieved by having an attacker leverage SRv6 to circumvent security controls as a result of security devices being unable to enforce security policies in the presence of IPv6 Extension Headers (see [RFC9098]," -> This part of the sentence is quite complex and confusing; I cannot get the logic: SRv6 is just a transport mechanism in this context, and if it was somehow leveraged to circumvent security control on the router, how is this related to some security devices and their inability to enforce security policies? RFC9098 mainly talks about DoS attacks leveraging IPv6 EH.
Probably it would be better to re-write it.

4) 6. Attacks
I would add a comparison table at the end of this chapter (Attack type - Overview - Scope - Impact).

5) 8.2. Middlebox Filtering Issues

"And it is able to retrieve the final destination of SRv6 packet from the last entry in the ." -> Probably the SRH is missing: "And it is able to retrieve the final destination of SRv6 packet from the last entry in the SRH".

"Additionally, implementation limitations in the processing of IPv6 packets with extension headers may result in SRv6 packets being dropped RFC7872 [RFC9098]." -> " Additionally, implementation limitations in the processing of IPv6 packets with extension headers may result in SRv6 packets being dropped [RFC9098]. "

Will the authors propose any kind of solution here besides the problem statement?

There is also the term "SRv6 aware firewall"; 7.5 of RFC9098 talks about multiple challenges which IPv6 extension headers bring to a FW. So I think more research work is needed to define the requirements for an SRv6-aware firewall.

6) Items 12 and 13 (Security Considerations and IANA Considerations) repeat items 9 and 10.

7) I think it would be very helpful if we added a table about known supported mitigation methods for vendor and open source SRv6 implementations, such as HMAC TLV, IPv6 extension headers filtering, etc.

SY,
Boris

On Monday, August 5, 2024 at 04:04:44 PM GMT+3, Alvaro Retana <aretana.ietf@gmail.com> wrote:

Dear WG:

This message starts a two-week adoption call for
draft-bdmgct-spring-srv6-security, ending on August/19. From the
Abstract:

   This document discusses security considerations in SRv6 networks,
   including the potential threats and the possible mitigation methods.
   The document does not define any new security protocols or extensions
   to existing protocols.


   https://datatracker.ietf.org/doc/draft-bdmgct-spring-srv6-security/


Please review the draft and consider whether you support its adoption
by the WG. Please share any thoughts with the list to indicate support
or opposition -- this is not a vote.

If you are willing to provide a more in-depth review, please state it
explicitly to give the chairs an indication of the energy level in the
working group willing to work on the document.

WG adoption is the start of the process. The fundamental question is
whether you agree the proposal is worth the WG's time to work on and
whether this draft represents a good starting point. The chairs are
particularly interested in hearing the opinions of people who are not
authors of the document.

Note that the IESG requested that the WG deliver a document covering
security considerations for SRv6. This document is intended to satisfy
that request.

Thanks!

Alvaro (for the Chairs)

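Two of the review points above concern how a middlebox reads an SRv6 packet: the LOC:FUNCT:ARG structure of a SID (item 1.3) and recovering the final destination from the SRH rather than from the outer IPv6 destination (item 5). The following parser is an added example, not code from the draft or the list discussion; it builds a constructed sample packet, and the 48/16-bit locator and function widths are an assumption, not something the draft fixes.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_ROUTING = 43          # IPv6 Routing extension header
SRH_ROUTING_TYPE = 4     # Segment Routing Header, RFC 8754

def parse_srh(packet: bytes):
    """Parse IPv6 header + SRH. Returns None if no SRH directly follows
    the IPv6 header; raises ValueError on a malformed SRH."""
    if len(packet) < IPV6_HDR_LEN:
        raise ValueError("short IPv6 header")
    if packet[6] != NH_ROUTING:
        return None
    nh, ext_len, rtype, segs_left, last_entry, flags, tag = struct.unpack(
        "!BBBBBBH", packet[IPV6_HDR_LEN:IPV6_HDR_LEN + 8])
    if rtype != SRH_ROUTING_TYPE:
        return None
    srh_len = (ext_len + 1) * 8                  # Hdr Ext Len is in 8-octet units
    n_segs = last_entry + 1
    if len(packet) < IPV6_HDR_LEN + srh_len or 8 + 16 * n_segs > srh_len:
        raise ValueError("truncated SRH or Last Entry past header end")
    if segs_left > last_entry:
        raise ValueError("Segments Left exceeds Last Entry")
    base = IPV6_HDR_LEN + 8
    segs = [ipaddress.IPv6Address(packet[base + 16 * i:base + 16 * (i + 1)])
            for i in range(n_segs)]
    return {"dst": ipaddress.IPv6Address(packet[24:40]), "segments_left": segs_left,
            "segment_list": segs,
            # Segment List[0] is the last segment of the path: the real final destination
            "final_destination": segs[0],
            "tlvs": packet[base + 16 * n_segs:IPV6_HDR_LEN + srh_len]}

def split_sid(sid, loc_bits=48, funct_bits=16):
    """Split a SID into (LOC, FUNCT, ARG) integers; bit widths are an assumption."""
    v, arg_bits = int(sid), 128 - loc_bits - funct_bits
    return (v >> (128 - loc_bits), (v >> arg_bits) & ((1 << funct_bits) - 1),
            v & ((1 << arg_bits) - 1))

def final_destination_in_domain(info, domain_prefixes):
    """Middlebox policy check: the SRH final destination must lie inside the SR domain."""
    return any(info["final_destination"] in ipaddress.IPv6Network(p) for p in domain_prefixes)

def build_sample():
    """Constructed packet: 3-segment SRH, Segments Left=2, outer DST = current segment."""
    segs = [ipaddress.IPv6Address(s) for s in ("2001:db8:c:1::", "2001:db8:b:1::", "2001:db8:a:1::")]
    srh = struct.pack("!BBBBBBH", 59, 2 * len(segs), SRH_ROUTING_TYPE, 2, len(segs) - 1, 0, 0)
    srh += b"".join(s.packed for s in segs)
    ip6 = struct.pack("!IHBB", 0x60000000, len(srh), NH_ROUTING, 64)
    return ip6 + ipaddress.IPv6Address("2001:db8:1::1").packed + segs[2].packed + srh
```

Note that the outer destination (2001:db8:a:1::) is only the current segment; a filter keyed on it alone never sees the real endpoint 2001:db8:c:1::.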