IETF Logo Mail Archive

[spring] Re: I-D Action: draft-ietf-spring-srv6-security-09.txt

"jmh.direct" <jmh.direct@joelhalpern.com> Thu, 06 November 2025 19:17 UTC

Return-Path: <jmh.direct@joelhalpern.com>
X-Original-To: spring@mail2.ietf.org
Delivered-To: spring@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A2E7984A305B for <spring@mail2.ietf.org>; Thu, 6 Nov 2025 11:17:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id voC8z4v3HdmR for <spring@mail2.ietf.org>; Thu, 6 Nov 2025 11:17:22 -0800 (PST)
Received: from maila2.tigertech.net (maila2.tigertech.net [208.80.4.152]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BA40084A3054 for <spring@ietf.org>; Thu, 6 Nov 2025 11:17:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1762456642; bh=vmdekuAuOkRYaszRctLjJ03aqSftMOwWMQ+YZIlqD0U=; h=Date:Subject:In-Reply-To:From:To:Cc:From; b=VHexBvfi2IjFcRtioIuNjFCgNAhiTo/C1+iyGPxsgkjIzhypbzXVpZinXCxk1KQdE HYLsox86xZZ8B+G7/Hnhqfv4HQU6TWoo3akxtnfL9Mx7fUABKNmcqgEqUDNuSsoKmV eGGL/yd3+JtgXt8FPBxLzXY5D35+YL85zVSqe8Pw=
Received: from localhost (localhost [127.0.0.1]) by maila2.tigertech.net (Postfix) with ESMTP id 4d2X4y0f4Tz6LPPd; Thu, 6 Nov 2025 11:17:22 -0800 (PST)
X-Quarantine-ID: <kHJxYkmr5jnW>
X-Virus-Scanned: Debian amavis at a2.tigertech.net
Received: from [IPv6:2001:67c:1232:144:4b6:58b7:afb7:8ee] (unknown [IPv6:2001:67c:1232:144:4b6:58b7:afb7:8ee]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by maila2.tigertech.net (Postfix) with ESMTPSA id 4d2X4x2V7pz6GvLY; Thu, 6 Nov 2025 11:17:21 -0800 (PST)
SavedFromEmail: jmh.direct@joelhalpern.com
Date: Thu, 06 Nov 2025 14:17:19 -0500
In-Reply-To: <CACMsEX-LO2_fTChWWKUoqtE8qHHyNRB2U75Ps7TmaRdtwxDKzQ@mail.gmail.com>
Importance: normal
From: "jmh.direct" <jmh.direct@joelhalpern.com>
To: Nick Buraglio <buraglio@forwardingplane.net>, Joel Halpern <jmh@joelhalpern.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--_com.samsung.android.email_2630439679713210"
Message-Id: <4d2X4x2V7pz6GvLY@maila2.tigertech.net>
Message-ID-Hash: 2PCN7J73N5DFUXJ5YRDOZR7MHWNIHXKJ
X-Message-ID-Hash: 2PCN7J73N5DFUXJ5YRDOZR7MHWNIHXKJ
X-MailFrom: jmh.direct@joelhalpern.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spring.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: spring@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [spring] Re: I-D Action: draft-ietf-spring-srv6-security-09.txt
List-Id: "Source Packet Routing in NetworkinG (SPRING)" <spring.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/wMDAROpPF3oOSNnbHamkLGVPGPU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Owner: <mailto:spring-owner@ietf.org>
List-Post: <mailto:spring@ietf.org>
List-Subscribe: <mailto:spring-join@ietf.org>
List-Unsubscribe: <mailto:spring-leave@ietf.org>

If that replaced the last edit, that would resolve my concern.Yours,JoelSent via the Samsung Galaxy S20 FE 5G, an AT&T 5G smartphone
-------- Original message --------From: Nick Buraglio <buraglio@forwardingplane.net> Date: 11/6/25  1:44 PM  (GMT-05:00) To: Joel Halpern <jmh@joelhalpern.com> Cc: spring@ietf.org Subject: Re: [spring] Re: I-D Action: draft-ietf-spring-srv6-security-09.txt Joel, Would Suresh's text aid in that clarification? Following the direction of [RFC8402], the current document assumes that SRv6 is deployed within a trusted domain and that the traffic is filtered at the domain boundaries. Traffic MUST be filtered at the domain boundaries. Thus, most of the attacks described in this document are limited to within the domain (i.e., internal attackers).On Thu, Nov 6, 2025 at 12:22 PM Joel Halpern <jmh@joelhalpern.com> wrote:

  
    
  
  
    From where I sit, I can't see how the detailed text in 7.1 (MUST
      be filtered) comports with the new text that says that the trust
      boundary can be policy without mechanism.
    Yours,
    Joel
    On 11/6/2025 12:16 PM, Nick Buraglio
      wrote:
    
    
      
      Joel, 
        
        In section 7.1 we provide a fair amount of detail surrounding
        filtering a trusted domain. For example: 
        
        7.1.  Trusted Domains and Filtering
          
          7.1.1.  Overview
          
             As specified in [RFC8402]:
          
              By default, SR operates within a trusted domain.  Traffic
          MUST be
              filtered at the domain boundaries.
              The use of best practices to reduce the risk of tampering
          within the
              trusted domain is important.  Such practices are discussed
          in
              [RFC4381] and are applicable to both SR-MPLS and SRv6.
          
             Following the spirit of [RFC8402], the current document
          assumes that
             SRv6 is deployed within a trusted domain.  Traffic MUST be
          filtered
             at the domain boundaries.  Thus, most of the attacks
          described in
             this document are limited to within the domain (i.e.,
          internal
             attackers).
        
        There is quite a lot dedicated to protecting the TD and what it
        means if it isn't. 
        Would that be sufficient? 
        
        
        nb
        
        
      
      
      
      
        On Thu, Nov 6, 2025 at 9:48 AM
          Joel Halpern <jmh@joelhalpern.com>
          wrote:
        
        Speaking
          strictly as a participant, I don't see how a trust domain 
          boundary can exist purely as a polciy demarcation without
          enforcement 
          mechanism.  An organization may have a boundary on where it
          wants to run 
          SRv6 by policy..  But there needs to be an enforced boundary
          (either at 
          or around that policy boundary) or folks who are not trusted
          will be 
          able to send in SRv6 packets with arbitrary SRH, destination,
          etc.    
          This change to the wording does not seem to me as a
          participant to be 
          correct.
          
          Yours,
          
          Joel
          
          On 11/6/2025 9:38 AM, internet-drafts@ietf.org
          wrote:
          > Internet-Draft draft-ietf-spring-srv6-security-09.txt is
          now available. It is
          > a work item of the Source Packet Routing in Networking
          (SPRING) WG of the
          > IETF.
          >
          >     Title:   Segment Routing IPv6 Security Considerations
          >     Authors: Nick Buraglio
          >              Tal Mizrahi
          >              Tian Tong
          >              Luis M. Contreras
          >              Fernando Gont
          >     Name:    draft-ietf-spring-srv6-security-09.txt
          >     Pages:   30
          >     Dates:   2025-11-06
          >
          > Abstract:
          >
          >     SRv6 is a traffic engineering, encapsulation and
          steering mechanism
          >     utilizing IPv6 addresses to identify segments in a
          pre-defined
          >     policy.  This document discusses security
          considerations in SRv6
          >     networks, including the potential threats and the
          possible mitigation
          >     methods.  The document does not define any new
          security protocols or
          >     extensions to existing protocols.
          >
          > The IETF datatracker status page for this Internet-Draft
          is:
          > https://datatracker.ietf.org/doc/draft-ietf-spring-srv6-security/
          >
          > There is also an HTML version available at:
          > https://www.ietf.org/archive/id/draft-ietf-spring-srv6-security-09.html
          >
          > A diff from the previous version is available at:
          > https://author-tools.ietf.org/iddiff?url2=draft-ietf-spring-srv6-security-09
          >
          > Internet-Drafts are also available by rsync at:
          > rsync.ietf.org::internet-drafts
          >
          >
          > _______________________________________________
          > I-D-Announce mailing list -- i-d-announce@ietf.org
          > To unsubscribe send an email to i-d-announce-leave@ietf.org
          
          _______________________________________________
          spring mailing list -- spring@ietf.org
          To unsubscribe send an email to spring-leave@ietf.org

v2.46.0 | Report a Bug | By Email | System Status