[spring] Re: WG Adoption Call for draft-bdmgct-spring-srv6-security (ends Aug/19)

Dhruv Dhody <dhruv.ietf@gmail.com> Mon, 19 August 2024 16:29 UTC

References: <CAMMESsyA1iPN7b1RhgW6ajFcG6m0f07Q072jxQn3q2729W3xzw@mail.gmail.com>
In-Reply-To: <CAMMESsyA1iPN7b1RhgW6ajFcG6m0f07Q072jxQn3q2729W3xzw@mail.gmail.com>
From: Dhruv Dhody <dhruv.ietf@gmail.com>
Date: Mon, 19 Aug 2024 21:58:47 +0530
Message-ID: <CAB75xn7_aHKxacGFZKCdamDtw0rBnctqC2rQMNMi_TSMacY6hg@mail.gmail.com>
To: Alvaro Retana <aretana.ietf@gmail.com>
CC: SPRING WG <spring@ietf.org>, draft-bdmgct-spring-srv6-security@ietf.org, "spring-chairs@ietf.org" <spring-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/h8u2ZrG8AuPv5nIGNgw_j_Ign-o>

Hi,

I support adoption. Please find some non-blocking comments that authors can
work on.

# Minor

- Should you call out RFC 8986 Network programming in the Introduction?

- Section 2, it gives the impression that the control and management plane
are not in scope but we do have section 6.4. Update this section to include
text about the control and management plane.

- Section 4; It would be good to be explicit about what it means for the SR
domain to be cryptographically secured. It is not clear if HMAC (section
7.3) is an example or THE technique that makes an SRv6 domain
cryptographically secure.

- Section 5; for Masquerade the reference provided is RFC 9088 but that RFC
does not use the term.

- Section 6.2.4 to Section 6.2.6; I guess these subsections were supposed
to be under a section heading (recon attack) that is missing?

- Section 6.4; Should one also mention compromised PCE or SDN controller?
It seems the current focus is mainly on IGP? In this text - "Injection can
be performed by off-path attackers, while removal, replaying and listening
require on-path access."; if this is about injection of control plane
packets, is it wise to use on-path and off-path?

- Section 7.1; I wonder if we should say more about the operational side of
these filtering techniques. For section 7.1.2, should we also include
RFC-to-be 9602 (draft-ietf-6man-sids)?

- Delete sections 12 and 13, they are duplicates!

# Nits

- Expand SRv6 in the title and abstract

- Add reference for Segment Routing Header (SRH) as [RFC8754]

- s/reliance of a new header/reliance on a new header/

- Section 3.2 can also include - SR, LUA, GUA, DA

- s/applied baed on/applied based on/

- s/using LUA addresses/using ULA addresses/

- s/from the last entry in the ./from the last entry in the SRH./ (?)

- s/keeeping/keeping/

- s/do not posses/do not possess/

- s/PE device a as source address/PE device as source address/

- Please run the text through a grammar check; there are many issues that I
did not list!

Thanks!
Dhruv


On Mon, Aug 5, 2024 at 6:35 PM Alvaro Retana <aretana.ietf@gmail.com> wrote:

> Dear WG:
>
> This message starts a two-week adoption call for
> draft-bdmgct-spring-srv6-security, ending on August/19. From the
> Abstract:
>
>    This document discusses security considerations in SRv6 networks,
>    including the potential threats and the possible mitigation methods.
>    The document does not define any new security protocols or extensions
>    to existing protocols.
>
>
>    https://datatracker.ietf.org/doc/draft-bdmgct-spring-srv6-security/
>
>
> Please review the draft and consider whether you support its adoption
> by the WG. Please share any thoughts with the list to indicate support
> or opposition -- this is not a vote.
>
> If you are willing to provide a more in-depth review, please state it
> explicitly to give the chairs an indication of the energy level in the
> working group willing to work on the document.
>
> WG adoption is the start of the process. The fundamental question is
> whether you agree the proposal is worth the WG's time to work on and
> whether this draft represents a good starting point. The chairs are
> particularly interested in hearing the opinions of people who are not
> authors of the document.
>
> Note that the IESG requested that the WG deliver a document covering
> security considerations for SRv6. This document is intended to satisfy
> that request.
>
> Thanks!
>
> Alvaro (for the Chairs)
>