Re: [spring] [Int-area] FW: New Version Notification for draft-raviolli-intarea-trusted-domain-srv6-00.txt
Adrian Farrel <adrian@olddog.co.uk> Tue, 28 March 2023 02:24 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CB1EC14F749; Mon, 27 Mar 2023 19:24:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.794
X-Spam-Level:
X-Spam-Status: No, score=-2.794 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=olddog.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NwjYbnY4GoQk; Mon, 27 Mar 2023 19:24:15 -0700 (PDT)
Received: from mta7.iomartmail.com (mta7.iomartmail.com [62.128.193.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D33DC14CEFE; Mon, 27 Mar 2023 19:24:14 -0700 (PDT)
Received: from vs3.iomartmail.com (vs3.iomartmail.com [10.12.10.124]) by mta7.iomartmail.com (8.14.7/8.14.7) with ESMTP id 32S2ODNk028091; Tue, 28 Mar 2023 03:24:13 +0100
Received: from vs3.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E24E54604B; Tue, 28 Mar 2023 03:24:12 +0100 (BST)
Received: from vs3.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C28094604A; Tue, 28 Mar 2023 03:24:12 +0100 (BST)
Received: from asmtp1.iomartmail.com (unknown [10.12.10.248]) by vs3.iomartmail.com (Postfix) with ESMTPS; Tue, 28 Mar 2023 03:24:12 +0100 (BST)
Received: from LAPTOPK7AS653V (dhcp-8a91.meeting.ietf.org [31.133.138.145]) (authenticated bits=0) by asmtp1.iomartmail.com (8.14.7/8.14.7) with ESMTP id 32S2O8cn032317 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 28 Mar 2023 03:24:11 +0100
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Andrew Alston - IETF' <andrew-ietf=40liquid.tech@dmarc.ietf.org>, int-area@ietf.org
Cc: spring@ietf.org
References: <167982788827.35510.12970049954861648668@ietfa.amsl.com> <DU2PR03MB8021025B3EA4A7567809EC2BFA8A9@DU2PR03MB8021.eurprd03.prod.outlook.com>
In-Reply-To: <DU2PR03MB8021025B3EA4A7567809EC2BFA8A9@DU2PR03MB8021.eurprd03.prod.outlook.com>
Date: Tue, 28 Mar 2023 03:24:08 +0100
Organization: Old Dog Consulting
Message-ID: <072001d9611c$622fd220$268f7660$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0721_01D96124.C3F80AB0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGkBo+RMFRytokLRo1UaOC2fCtEdgMPSvezr2GwsQA=
Content-Language: en-gb
X-Originating-IP: 31.133.138.145
X-Thinkmail-Auth: adrian@olddog.co.uk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=olddog.co.uk; h=reply-to :from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type; s=20221128; bh=ygzEcCy4dkgntDKjH8BW9 8VXAbR8KmJkDiqrKqNaeyA=; b=XLx3+G9TRyKGXyZwQ6J2AcpLUQHpK9edl2YFU kmJfXtdKaZIbjsETvDtSFnJUpLAlMckUpMOfOwf35cbhDaTLIOfOQDlI+oMIW1cj TEsCsKkkP8uly3z4/EkteGnTeXjPHX/8VH/yyZRSaa5rXEKZ3gfZ0nbxpenjhAIv m6HrTB7QizK0MlvDtjrodhYvMDuDs3TY7ic0T3W4BHN9EuWgs7IMN2pty8PcQNtu PIbpLEO48zmjf1ph52o0qtYgJpDJUr178af0kSGVDxUHl3jwXQ4pi/FQrj+MN4FL FWuursuaat2vV5qXdrEVKR58pD0Fe18tV1+lMtlUpKLCJ6+gw==
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.1.0.2090-9.0.0.1002-27530.004
X-TM-AS-Result: No--49.169-10.0-31-10
X-imss-scan-details: No--49.169-10.0-31-10
X-TMASE-Version: IMSVA-9.1.0.2090-9.0.1002-27530.004
X-TMASE-Result: 10--49.168500-10.000000
X-TMASE-MatchedRID: IeZYkn8zfFrH1DfC+QNQxHFPUrVDm6jtSOZtBHQ3LLzW2YYHslT0I9Ka 7hjHUgAmSa3qUt1vNC2ryYQlTAIlqxDITYD8arnZaDCzqDR7DPaT+6g5ulhlrv4DDXoaCqk7gvQ yi2H06sNuqbWjKBTk5sv20abSQZQzn8kT944y5fdTu0ePu5xhbikDYTG6KmZaQ6Cj3EXWBE3zWM gQWjC6I7mIQj3QvnqhJDSW1TEpRmfCETMWrmkt1H1JIA4rhsZ/MzbF1gbxlQa7Iv2OMTayQavmO PXRqo7RpFedpgCFxaUzArwBl1C3od71TIj/97ToTOzi7zU/vunrxZDnkdZZgShbZduLiFfbUQVl MRWXgtqHPBjOboNyt9FVBb4XJ9sxbF7vPSQ901CVOwZbcOalS8XXUa56bTnnDO+DX+rUwfaZS2s orCV0PgrPedDCXyzyg2n1XHjucgyxQuChZckel0NF5tKVli5KEDnDEqNPduqu7gU0ldDgCoDlBW L8WiAxSO0id6bknMxlANZWyuPENr/WqQZ0iR2uhv1+2J3yQFwl1eMXkCsIV+jMOEZ5AL0S92QJM cbPajB8nFH4zYySYAzeZxrlXjcL5ezhq/eyT2w6HG6H9FokcUnSHQovAWuA8f3rOEwXzqdvXFTt vgJmGrvEuor8U6AqqdGjgNVPyjRZ9E0F9cXPfumLtr3tiWIfCCdq6k3LmHYRt1EvyOXA0U2MQPF yryIy+K7Vy08EsyUve2dQUWfkTsQTSPZE5H8gQ+B060dtsCOc4qcCnuCXteadKULEgqVkBobKxo y0CtG1XnLxs6pL+V9qzfbqje1AQbaLbFvVzf+eAiCmPx4NwGmRqNBHmBvevqq8s2MNhPAL4KbF8 qbADIGKRgK4AknyvECLuM+h4RB+3BndfXUhXQ==
X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/cO37NDc_4BKTJUR05IWtg5effeg>
Subject: Re: [spring] [Int-area] FW: New Version Notification for draft-raviolli-intarea-trusted-domain-srv6-00.txt
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 02:24:20 -0000
[Spring cc'ed because, well, you know, SR. I wonder whether 6man and 6ops should care as well.] tl;dr I think this is a good initiative and worth discussion. Thanks for the draft. I am particularly reminded of two MPLS-related discussions: - The first was the introduction of Ethertype 8848 for MPLS source-assigned labels. This is a good example of a protocol variant/extension using a different Ethertype in order to facilitate easy distinction between data packets. - The second was the discussion of using a different Ethertype for T-MPLS when the early proposals for what became MPLS-TP were sufficiently different to base MPLS that there were concerns about interop and leakage problems. In the end, a new Ethertype was now assigned because the protocol was modified in a way that made it safe to coexist with MPLS. In my comments below, I call out one point which is important enough to feature up here. I think you also need a new IP protocol number to handle "discovered SR". That is, if an SR packet is encapsulated in an IP header, it is important that it is clear that the payload is an SR packet (otherwise, I can tunnel SR into the middle of your network representing it as native IP). I would note that this Ethertype solution, and my proposed new IP protocol number are not "secure" solutions. That is, for example, an SR packet could still be sent using 86DD and the receiver will not know the difference unless they dig for the SRH and then complain about it. So while this document can require or recommend the use of a new Ethertype, making this a security feature would still require "edge" nodes to inspect packet contents of everything coming in as 86DD. Of course, using a new Ethertype *will* help considerably with misconfiguration and accidents. Cheers, Adrian ==Nitz and Discuzzion== Please use the correct BCP 14 boilerplate --- This document does not specify a "standard". Maybe move to "This document specifies a solution..." --- Why "Fail-Closed Protocol (FPC):" and not FCP? --- Abstract and Introduction have "known security problems", but section 3 is "The SRv6 Security Problem" in the singular. --- 3. SRv6 relies in its architecture on the concept of limited domain which as a concept suffers from lack of security that is deployable in economical, scalable fashion easily. I think it would be helpful to reference the definition of "Segment Routing domain (SR domain)" in 8402 section 2. --- 3. The proper solution is to create a trusted domain that has a default fail-closed approach and a well-defined trusted/untrusted boundary. I wonder whether "the proper solution" is a little strong and likely to cause undue debate. Perhaps "An established and proven solution..." --- 3. I think that a valuable example to add to your list is "MPLS with upstream-assigned label" because this is exactly an example of an extended use of an established protocol that significantly benefited from the use of a different Ethertype. Further, your list might be better if restricted to IETF protocols. Perhaps add Trill (there are at least 3 Ethertypes) and PPP, but leave out LLDP (IEEE) and CLNS (not got an Ethertype at all?) --- "fail closed protocol domain" Please be consistent with capitalisation and hyphenation. Please decide "fail-closed domain" or "fail-closed protocol domain". Ditto "fail-closed protocol" --- 4. Processing of the protocol packet on an interface requires explicit configuration with a default drop behavior. Somewhere (6.1?) you need to state (with a reference) that the correct default behavior for an unknown/unsupported Ethertype is packet (frame) drop. It would clearly be a bad solution if the processing required a marching band and streamers. --- 4. Leaking according protocol packets beyond the boundary of fail-closed domain requires explicit config. Cannot reliably parse. --- 4. Fail closed protocols are easily identifiable by their top level (e.g. link layer) encoding early in the packet formats and often by fields at fixed offset. "Top level encoding" is perhaps not as clear as "outer encapsulation" --- 4. Classification of the protocol packets is completely deterministic. This voice is passive. Who is doing the classification? --- 5. SRv6 in the context of a trusted domain - an objective analysis You saying other analysis work is not objective? ;-) --- 5. It is currently impossible to differentiate SRv6 and IPv6 at the link-layer or easily at network layer by e.g. a reserved protocol number as IPSec does. "Currently" is not survivable language because, if this document becomes an RFC it will no longer be true. This is a somewhat confusing (to me) paragraph. Are you referring to the ESP and AH assigned protocol numbers? I don't think there is a separate Ethertype for IPsec (although I may be wrong). So it is possible you are comparing and contrasting Ethertype with "next protocol" which is not quite a fair comparison. Indeed, using a new protocol number for SR would not solve the problem because it is the outer IP encapsulation that is what matters. (Although, if you go ahead with this, you also need to think about "SR-in-IP" encapsulations, so you *do* need to also assign a new protocol number to handle "discovered SR". --- I wish 7.2 had a few more words! And maybe somewhere else in the document should observe that IEEE manages the Ethertype registry. "TBD0" is not mentioned anywhere in the document. It should be. From: Int-area <int-area-bounces@ietf.org> On Behalf Of Andrew Alston - IETF Sent: 27 March 2023 00:17 To: int-area@ietf.org Subject: [Int-area] FW: New Version Notification for draft-raviolli-intarea-trusted-domain-srv6-00.txt Hi All, This is just a notification of publication of the -00 draft referred to in the subject. We, as the authors, welcome any discussions around this draft and look forward to receiving feedback from the working group. Thanks Andrew. Subject: New Version Notification for draft-raviolli-intarea-trusted-domain-srv6-00.txt A new version of I-D, draft-raviolli-intarea-trusted-domain-srv6-00.txt has been successfully submitted by Andrew Alston and posted to the IETF repository. Name: draft-raviolli-intarea-trusted-domain-srv6 Revision: 00 Title: Trusted Domain SRv6 Document date: 2023-03-26 Group: Individual Submission Pages: 6 URL: https://www.ietf.org/archive/id/draft-raviolli-intarea-trusted-domain-srv6-0 0.txt Status: https://datatracker.ietf.org/doc/draft-raviolli-intarea-trusted-domain-srv6/ <https://datatracker.ietf.org/doc/draft-raviolli-intarea-trusted-domain-srv6 > Htmlized: https://datatracker.ietf.org/doc/html/draft-raviolli-intarea-trusted-domain- srv6 Abstract: SRv6 as designed has evoked interest from various parties, though its deployment is being limited by known security problems in its architecture. This document specifies a standard to create a solution that closes some of the major security concerns, while retaining the basis of the SRv6 protocol. The IETF Secretariat Internal All Employees
- Re: [spring] [Int-area] FW: New Version Notificat… Adrian Farrel
- Re: [spring] [Int-area] New Version Notification … Stewart Bryant
- Re: [spring] [Int-area] FW: New Version Notificat… Andrew Alston - IETF
- Re: [spring] [Int-area] FW: New Version Notificat… Robert Raszuk
- Re: [spring] [Int-area] FW: New Version Notificat… Andrew Alston - IETF
- Re: [spring] [Int-area] FW: New Version Notificat… Robert Raszuk
- Re: [spring] [Int-area] FW: New Version Notificat… Kireeti Kompella
- Re: [spring] [Int-area] FW: New Version Notificat… Tony Przygienda
- Re: [spring] [Int-area] FW: New Version Notificat… Krzysztof Szarkowicz
- Re: [spring] [Int-area] FW: New Version Notificat… Robert Raszuk
- Re: [spring] [Int-area] FW: New Version Notificat… Mark Smith
- Re: [spring] [Int-area] FW: New Version Notificat… Robert Raszuk
- Re: [spring] [Int-area] FW: New Version Notificat… Mark Smith
- Re: [spring] [Int-area] FW: New Version Notificat… Robert Raszuk
- Re: [spring] [Int-area] FW: New Version Notificat… Muthu Arul Mozhi Perumal
- Re: [spring] [Int-area] FW: New Version Notificat… Brian E Carpenter
- Re: [spring] [Int-area] FW: New Version Notificat… Robert Raszuk
- Re: [spring] [Int-area] FW: New Version Notificat… Joel Halpern
- Re: [spring] [Int-area] FW: New Version Notificat… Joel Halpern
- Re: [spring] [Int-area] FW: New Version Notificat… Muthu Arul Mozhi Perumal
- Re: [spring] [Int-area] FW: New Version Notificat… Tony Przygienda
- Re: [spring] [Int-area] FW: New Version Notificat… 徐小虎
- Re: [spring] [Int-area] FW: New Version Notificat… Brian E Carpenter
- Re: [spring] [Int-area] FW: New Version Notificat… Ron Bonica
- Re: [spring] [Int-area] FW: New Version Notificat… Ron Bonica
- Re: [spring] [Int-area] FW: New Version Notificat… Brian E Carpenter
- Re: [spring] [Int-area] FW: New Version Notificat… Tony Przygienda
- Re: [spring] [Int-area] FW: New Version Notificat… Brian E Carpenter
- Re: [spring] [Int-area] FW: New Version Notificat… Andrew Alston - IETF
- Re: [spring] [Int-area] FW: New Version Notificat… Tony Przygienda
- Re: [spring] [Int-area] FW: New Version Notificat… Ron Bonica