[spring] Re: [nasr] Seeking feedback on the SRv6 Path Verification draft [draft-yang-spring-srv6-verification-00]

Meiling Chen <chenmeiling@chinamobile.com> Tue, 01 April 2025 14:30 UTC

Return-Path: <chenmeiling@chinamobile.com>
X-Original-To: spring@mail2.ietf.org
Delivered-To: spring@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 5AAD615D32C7; Tue, 1 Apr 2025 07:30:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: 0.813
X-Spam-Level:
X-Spam-Status: No, score=0.813 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3NQxPoZsbfVV; Tue, 1 Apr 2025 07:30:36 -0700 (PDT)
Received: from cmccmta1.chinamobile.com (cmccmta4.chinamobile.com [111.22.67.137]) by mail2.ietf.org (Postfix) with ESMTP id 5DF1215D3131; Tue, 1 Apr 2025 07:30:21 -0700 (PDT)
X-RM-TagInfo: emlType=0
X-RM-SPAM-FLAG: 00000000
Received: from spf.mail.chinamobile.com (unknown[10.188.0.87]) by rmmx-syy-dmz-app04-12004 (RichMail) with SMTP id 2ee467ebf87a566-07580; Tue, 01 Apr 2025 22:30:20 +0800 (CST)
X-RM-TRANSID: 2ee467ebf87a566-07580
X-RM-TagInfo: emlType=0
X-RM-SPAM-FLAG: 00000000
Received: from cmcc-PC (unknown[123.113.230.92]) by rmsmtp-syy-appsvr04-12004 (RichMail) with SMTP id 2ee467ebf87a81c-6147f; Tue, 01 Apr 2025 22:30:20 +0800 (CST)
X-RM-TRANSID: 2ee467ebf87a81c-6147f
Date: Tue, 01 Apr 2025 22:30:20 +0800
From: Meiling Chen <chenmeiling@chinamobile.com>
To: linchangwang <linchangwang.04414@h3c.com>, spring <spring@ietf.org>, "nasr@ietf.org" <nasr@ietf.org>
References: <8da330f6243b408cb96ae9fb0957d760@h3c.com>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7.2.9.115[cn]
Mime-Version: 1.0
Message-ID: <2025040122301978394428@chinamobile.com>
Content-Type: multipart/alternative; boundary="----=_001_NextPart335301006550_=----"
Message-ID-Hash: LE2AOESXGEOWQRIHIN3WKB6AVTHOUJXZ
X-Message-ID-Hash: LE2AOESXGEOWQRIHIN3WKB6AVTHOUJXZ
X-MailFrom: chenmeiling@chinamobile.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spring.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [spring] Re: [nasr] Seeking feedback on the SRv6 Path Verification draft [draft-yang-spring-srv6-verification-00]
List-Id: "Source Packet Routing in NetworkinG (SPRING)" <spring.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/pRgJEC8Ti7ZFv4rtjGZqUI1VWd4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Owner: <mailto:spring-owner@ietf.org>
List-Post: <mailto:spring@ietf.org>
List-Subscribe: <mailto:spring-join@ietf.org>
List-Unsubscribe: <mailto:spring-leave@ietf.org>

Hi changwang,
Thank you for sharing the draft on the topic of path verification to NASR.
I have reviewed your draft, and the SRv6 Path Verification TLV is extended to address the risk of bypass.
That is to say, 
Risk: attackers can bypass some SRv6 endpoints if they can get correct HMAC. 
Reason for risk: HMAC is calculated per SRH [RFC8754], rather than the path the packet actually forwarded.
The solution is: at each endpoint, calculate the HMAC corresponding to its SID, and then add the result to the value in the HMAC TLV.
Record and verify the actual forwarding nodes, which is highly consistent with NASR, I think this is a specific use case for NASR.
But I have a question, how can attackers obtain the correct HMAC? Is HMAC calculated at the beginning node and verified at the last node?

Best,
Meiling


From: linchangwang
Date: 2025-04-01 13:41
To: spring@ietf.org; nasr@ietf.org
Subject: [nasr] Seeking feedback on the SRv6 Path Verification draft [draft-yang-spring-srv6-verification-00]
Dear SPRINGWG and NASRWG,
This document proposes a path verification mechanism for SRv6, which
adopts a hop-by-hop cryptographic computation on the destination
segment identifier at each node, combined with an end-to-end
verification at the last hop.
Link:  https://datatracker.ietf.org/doc/draft-yang-spring-srv6-verification/
Slides: https://datatracker.ietf.org/meeting/122/materials/slides-122-spring-srv6-path-verification-01.pdf
 
Any feedback or comments are more than welcome.
 
Thanks,
Changwang
 
 
-------------------------------------------------------------------------------------------------------------------------------------
本邮件及其附件含有新华三集团的保密信息,仅限于发送给上面地址中列出
的个人或群组。禁止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、
或散发)本邮件中的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本
邮件!
This e-mail and its attachments contain confidential information from New H3C, which is 
intended only for the person or entity whose address is listed above. Any use of the 
information contained herein in any way (including, but not limited to, total or partial 
disclosure, reproduction, or dissemination) by persons other than the intended 
recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender 
by phone or email immediately and delete it!