Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Chengli <c.l@huawei.com> Sat, 08 October 2022 10:49 UTC

From: Chengli <c.l@huawei.com>
To: "buraglio@es.net" <buraglio@es.net>, "Dale W. Carder" <dwcarder@es.net>
CC: SPRING WG List <spring@ietf.org>, 6man <ipv6@ietf.org>, Suresh Krishnan <suresh.krishnan@gmail.com>
Date: Sat, 08 Oct 2022 10:48:56 +0000
Message-ID: <751d5daa26604f8e8c6274bce6084cb3@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/llgOYztH-Ds9lojVaAbWJ_f_zO8>

Hi Buraglio,

I am the author of draft-li-spring-srv6-security-consideration; the draft is still being worked on.
We will use the draft to track the security considerations until the major SRv6 standards are published as RFCs, so it will be updated as needed.

To me, no matter what prefix is used in deployment, the filter MUST be added. Even for a prefix like ULA, the filter rules are needed.
But operators are free to make some exceptions if they want to leak some SIDs outside the domain for some use cases when they think doing that will have more benefits.

Thanks,
Cheng


From: spring [mailto:spring-bounces@ietf.org] On Behalf Of Nick Buraglio
Sent: Saturday, October 8, 2022 12:41 AM
To: Dale W. Carder <dwcarder@es.net>
Cc: SPRING WG List <spring@ietf.org>; 6man <ipv6@ietf.org>; Suresh Krishnan <suresh.krishnan@gmail.com>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids


On Fri, Oct 7, 2022 at 9:49 AM Dale W. Carder <dwcarder@es.net> wrote:
Thus spake Nick Buraglio (buraglio@es.net) on Fri, Oct 07, 2022 at 06:20:12AM -0500:
> On Thu, Oct 6, 2022 at 10:15 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>
> > I wonder if we could / should add a sentence or two related to the address
> > block noting that if an operator chooses to use other address blocks for
> > the SRv6 SIDs then they need to be extra careful about configuring their
> > edge filters to prevent leaks inwards or outwards?
> >
>
> This is a large concern I have heard within the operational community and I
> believe it should be noted as a best operational practice.

Is draft-li-spring-srv6-security-consideration still being worked on?
(I have not been able to keep up to date w/ spring) That may be a more
comprehensive document to reference.

Section 4.2 of draft-li-spring-srv6-security-consideration lightly touches on the filtering at the edges of an SR domain. It's seemingly still in active status. Looking around through different docs again, RFC8754 has some relevant text, and specifically section 8.2 (SRv6 section) of 8402:

SR domain boundary routers MUST filter any external traffic destined
to an address within the SRGB of the trusted domain or the SRLB of
the specific boundary router.  External traffic is any traffic
received from an interface connected to a node outside the domain of
trust.

could perhaps be a useful reference.

Dale
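The boundary rule quoted above from RFC 8402 section 8.2, together with Cheng's two points (the filter applies whatever prefix the SIDs use, ULA included, and operators may carve out explicit exceptions), modelled as a small ingress/egress check. This is an added example, not code from the thread or from any draft; the interface names, the SID blocks (a documentation-range block and a ULA block) and the exception SID are constructed values.

```python
# Added example: a model of the SR-domain boundary filter from RFC 8402
# section 8.2, applied on every interface that faces a node outside the
# domain of trust, plus the operator exceptions described in the thread.
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network


@dataclass
class BoundaryFilter:
    sid_blocks: list[IPv6Network]      # SID/locator blocks of the trusted domain (SRGB role)
    local_sids: list[IPv6Network]      # SIDs local to this boundary router (SRLB role)
    external_ifaces: set[str]          # interfaces connected to nodes outside the domain
    exceptions: set[IPv6Address] = field(default_factory=set)  # SIDs deliberately exposed

    def _is_sid(self, dst: IPv6Address) -> bool:
        return any(dst in net for net in self.sid_blocks + self.local_sids)

    def decide(self, iface: str, dst: str) -> str:
        """Return 'permit' or 'drop' for a packet crossing iface toward dst."""
        addr = IPv6Address(dst)
        if iface not in self.external_ifaces:
            return "permit"            # internal link: not "external traffic"
        if addr in self.exceptions:
            return "permit"            # operator chose to leak this SID
        if self._is_sid(addr):
            return "drop"              # SID reachable across the boundary: filter it
        return "permit"                # ordinary transit traffic


# Constructed configuration: the rule is the same for a documentation-range
# SID block and for a ULA SID block; the prefix choice does not relax it.
DEMO = BoundaryFilter(
    sid_blocks=[IPv6Network("2001:db8:5::/48"), IPv6Network("fd00:5::/32")],
    local_sids=[IPv6Network("2001:db8:7:ff::/64")],
    external_ifaces={"ge-0/0/0"},
    exceptions={IPv6Address("fd00:5::1")},
)


def run_demo() -> list[str]:
    cases = [
        ("ge-0/0/0", "2001:db8:5:1::1"),   # external -> domain SID block: drop
        ("ge-0/0/0", "fd00:5:0:1::2"),     # external -> ULA SID block: still drop
        ("ge-0/0/0", "2001:db8:7:ff::3"),  # external -> this router's local SID: drop
        ("ge-0/0/0", "fd00:5::1"),         # operator exception: permit
        ("ge-0/0/0", "2001:db8:9::1"),     # external, not a SID: permit
        ("ge-0/0/1", "2001:db8:5:1::1"),   # internal link: permit
    ]
    return [DEMO.decide(iface, dst) for iface, dst in cases]
```

The same decision table is what an edge ACL has to encode; the exception set is the only place where a SID becomes reachable from outside, so it should be short and reviewed.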