IETF Logo Mail Archive

[spring] Re: [SRv6OPS] Second WG Last Call: draft-ietf-spring-srv6-security-14 (Ends 2026-06-02)

Tom Hill <tom@ninjabadger.net> Tue, 02 June 2026 13:36 UTC

Return-Path: <tom@ninjabadger.net>
X-Original-To: spring@mail2.ietf.org
Delivered-To: spring@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 79360F939F58; Tue, 2 Jun 2026 06:36:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780407414; bh=KQMIW8CfiaBjJZDYJ8S8db/NTpPIglG0m6XXDZdDgvU=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=sgKKjw/sWs8UV1AwoZdxEvtyuMAsWSxeT/HIMKA3Cp3H2k036vMX/Tad4Kvyreg7F TC6sLYixy5Ml75V59ONor7w3JNdOQTNq0TJRe6tLpgAu97CACscSkGdOi6v2pph6MC iVLxggBpuqIPRteaWXsYYle1oDmjVbZizy3NuRWw=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fReYbrbBuOYr; Tue, 2 Jun 2026 06:36:53 -0700 (PDT)
Received: from a-painless.mh.aa.net.uk (a-painless.mh.aa.net.uk [IPv6:2001:8b0:0:30::51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 86040F939F53; Tue, 2 Jun 2026 06:36:53 -0700 (PDT)
Received: from a-webmail.thn.aa.net.uk ([2001:8b0:0:62::22] helo=webmail.aa.net.uk) by painless-a.thn.aa.net.uk with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from <tom@ninjabadger.net>) id 1wUPI8-00000009I48-3McK; Tue, 02 Jun 2026 14:36:24 +0100
Received: from 2a10:d582:2ea:1:b97d:f97f:6fc9:bb06 by webmail.aa.net.uk with HTTP (HTTP/1.1 POST); Tue, 02 Jun 2026 13:35:56 +0000
MIME-Version: 1.0
Date: Tue, 02 Jun 2026 14:35:56 +0100
From: Tom Hill <tom@ninjabadger.net>
To: Nick Buraglio <buraglio@forwardingplane.net>
In-Reply-To: <44e252a15f7997264c59fc3591953448@ninjabadger.net>
References: <177913349668.557208.2581503410373976317@dt-datatracker-7688897f84-l74h4> <3194284ee3b2476985fcbd10925bdb91@huawei.com> <2b006a0d3b94739-00016.Richmail.00003012868091865446@chinamobile.com> <CACMsEX-a6rNg0e7kgKC1AhN7=MfN9yBAN8FO-6kEyqfK54Y6WA@mail.gmail.com> <44e252a15f7997264c59fc3591953448@ninjabadger.net>
Message-ID: <bf5cc9954330ce3332c8e155c6ac0e15@ninjabadger.net>
X-Sender: tom@ninjabadger.net
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: TPCL5X7OIBWJYLPGG5RYE27JSPSEW2RU
X-Message-ID-Hash: TPCL5X7OIBWJYLPGG5RYE27JSPSEW2RU
X-MailFrom: tom@ninjabadger.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spring.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Weiqiang Cheng <chengweiqiang@chinamobile.com>, Alvaro Retana <aretana.ietf@gmail.com>, draft-ietf-spring-sr <draft-ietf-spring-srv6-security@ietf.org>, "spring-chairs@ietf.o" <spring-chairs@ietf.org>, spring@ietf.org, zali@cisco.com, srv6ops@ietf.org, ipv6@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [spring] Re: [SRv6OPS] Second WG Last Call: draft-ietf-spring-srv6-security-14 (Ends 2026-06-02)
List-Id: "Source Packet Routing in NetworkinG (SPRING)" <spring.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/s2S-dGSVS5H9HGL3ZAS59sW8oCY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Owner: <mailto:spring-owner@ietf.org>
List-Post: <mailto:spring@ietf.org>
List-Subscribe: <mailto:spring-join@ietf.org>
List-Unsubscribe: <mailto:spring-leave@ietf.org>

On 2026-06-02 14:20, Tom Hill wrote:
> Hi Weiqiang, Nick,
> 
> On 2026-05-29 22:47, Nick Buraglio wrote:
>> On Tue, May 19, 2026 at 11:53 PM Weiqiang Cheng <
>> chengweiqiang@chinamobile.com> wrote:
>>> Two minor comments to help define scope earlier:
>>> 
>>>    1.
>>> 
>>>    Section 2 could note that inter-SR-domain scenarios are out of 
>>> scope
>>>    (as already stated in Section 4).
>>>    2.
>>> 
>>>    The point that SRv6 inherits IPv6 vulnerabilities but that this is 
>>> out
>>>    of scope (currently in Section 6.2.4) could also be mentioned in 
>>> Section 2
>>>    or the introduction.
>>> 
>> How does this sound?
>> OLD:
>> We note that SRv6 is under active development and, as such, the above
>> documents might not cover all protocols employed in an SRv6 
>> deployment.
>> 
>> NEW:
>> Inter-Domain Segment Routing scenarios are out of scope for this 
>> document
>> as are existing and future protocol specific IPv6 vulnerabilities.
>> Additionally, we note that SRv6 is under active development and, as 
>> such,
>> the above documents might not cover all protocols employed in an SRv6
>> deployment.
>> 
>> 
>> We can leave the existing statements further in the document unless 
>> the WG
>> feels that they are unnecessary.
> 
> Per RFC8402 S8, if you take that a 'domain' is the "trusted domain", 
> e.g. "By default, SR operates within a trusted domain.  Traffic MUST be 
> filtered at the domain boundaries." then by that assumption there is no 
> such definition of 'Inter-domain SRv6', because it violates Section 8 
> of RFC8402 as written.
> 
> If you take "inter-domain" to mean any EPE boundary (per RFC8402, S4.2) 
> then I don't think should be out of scope of this document, as it is 
> entirely valid for an operator to have multiple eBGP boundaries within 
> their trusted domain (for reasons of acquisition, blast radius, etc.) 
> and for us to be concerned about the security of those deployments.
> 
> Irrespective of the assumption made, I do not believe that it is for 
> this document to define "inter-domain SRv6", and thus we should not do 
> so (especially at this late stage). Detailing the security 
> considerations of SRv6 domains that exceed the trusted domains of the 
> operator would be nebulous, and there-in lies one of the reasons that 
> this document exists; it builds upon the clear statement made in S4.2 
> of RFC8402.
> 
> I do not support this proposed change to the document.

Further to the above, I think we can make the text in the last paragraph 
of Section 4 of this draft, somewhat clearer of its intention - please 
do let me know if I have perceived that intent correctly.

OLD TEXT: Inter-SR-domain scenarios are out of scope, including cases 
where
    multiple SR instances exist under the same administrative entity but
    are logically or operationally distinct; such cases are treated as
    separate SR domains for the purposes of this draft.  Specifically, an
    attack on one domain that is invoked from within a different domain
    is considered an external attack in the context of the current
    document.

NEW TEXT: SRv6 deployments that exceed their trusted domain (per 
[RFC8402, Section 4.2) including cases where multiple SR instances exist 
under the same administrative entitty, but are logically or 
operationally distinct, are out of the scope of this document. Where an 
attack originates from within a different trusted domain it is 
considered an external attack in the context of this document.

-- 

This appears to me at least to have fewer uses of ambiguous terms, and 
much more clearly defines the scope of this document.

Tom

v2.46.0 | Report a Bug | By Email | System Status