Re: [spring] WGLC - draft-ietf-spring-srv6-network-programming

"Pablo Camarillo (pcamaril)" <pcamaril@cisco.com> Wed, 11 December 2019 20:06 UTC

From: "Pablo Camarillo (pcamaril)" <pcamaril@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Warren Kumari <warren@kumari.net>, Bruno Decraene <bruno.decraene@orange.com>
CC: SPRING WG List <spring@ietf.org>, draft-ietf-spring-srv6-network-programming <draft-ietf-spring-srv6-network-programming@ietf.org>
Date: Wed, 11 Dec 2019 20:06:15 +0000
Message-ID: <776B9D68-EB4D-47A5-BE07-56F4B8F9AA3A@cisco.com>
References: <17421_1575566127_5DE93B2F_17421_93_1_53C29892C857584299CBF5D05346208A48D1A3DA@OPEXCAUBM43.corporate.adroot.infra.ftgroup> <CAHw9_iJuDgDpbS9CAN2ve1dK1trGgLs6MLZAjSetvUOKvHL4og@mail.gmail.com> <97420d88-ee52-17dc-eeaa-ce7653fca48e@gmail.com>
In-Reply-To: <97420d88-ee52-17dc-eeaa-ce7653fca48e@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/wMfsiRtZvALbfsvhGbhnMUH_ahs>
Subject: Re: [spring] WGLC - draft-ietf-spring-srv6-network-programming

Hi Warren, Brian,

Thank you for your comments.

Previous versions of this draft contained a more verbose Security section (e.g. https://tools.ietf.org/html/draft-ietf-spring-srv6-network-programming-03#section-7).
However, the content of that section was already covered in the SRH. Hence in the latest revision of SRv6 Network Programming we decided to replace those security considerations with a reference to the SRH. This was discussed during the IETF106 SPRING meeting and no-one expressed concerns about it.

The authors consider that Network Programming only defines new SID behaviors and this does not pose any threat other than those already discussed in the SRH.
I have rewritten the Security Considerations of draft-ietf-spring-srv6-network-programming in rev06 to reflect this.

Thank you,
Pablo.

-----Original Message-----
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Tuesday, 10 December 2019 at 02:11
To: Warren Kumari <warren@kumari.net>, Bruno Decraene <bruno.decraene@orange.com>
Cc: SPRING WG List <spring@ietf.org>, draft-ietf-spring-srv6-network-programming <draft-ietf-spring-srv6-network-programming@ietf.org>
Subject: Re: WGLC - draft-ietf-spring-srv6-network-programming
Resent from: <alias-bounces@ietf.org>
Resent to: <cf@cisco.com>, <pcamaril@cisco.com>, <john@leddy.net>, <daniel.voyer@bell.ca>, <satoru.matsushima@g.softbank.co.jp>, <lizhenbin@huawei.com>
Resent date: Tuesday, 10 December 2019 at 02:11

    > I went to look in the Security Considerations section, but, well, the
    > document doesn't seem to have one?...
    
    So why on earth is this document in WGLC? It cannot possibly be sent to the IESG without that section. (And "7.  Basic security ..." seems very unlikely to pass muster even if renamed.)
    
    Regards
       Brian
    
    On 10-Dec-19 11:55, Warren Kumari wrote:
    > <no hats>
    > 
    > On Thu, Dec 5, 2019 at 12:15 PM <bruno.decraene@orange.com> wrote:
    >>
    >> Hello SPRING,
    >>
    >> This email starts a two-week Working Group Last Call on draft-ietf-spring-srv6-network-programming [1].
    >>
    >> Please read this document if you haven't read the most recent version, and send your comments to the SPRING WG list, no later than December 20.
    >>
    > 
    > I will happily admit that I haven't been following the discussions, so
    > apologies in advance - I'm guessing I'm missing something really
    > obvious, so please point me at other documents / email threads where
    > this has already been answered...
    > 
    > RFC5095 deprecated IPv6 RH0 due to some serious security issues - it
    > was possible for an attacker to send traffic containing "instructions"
    > to make a packet ping-pong between two interfaces, steer it down
    > specific links, etc.
    > 
    > It feels to me like this re-introduces similar (and potentially more
    > scary) issues -- what's to stop an attacker spoofing traffic
    > containing a bunch of SIDs which decapsulate, push a packet into
    > another FIB, End.DT2M, etc?
    > 
    > I went to look in the Security Considerations section, but, well, the
    > document doesn't seem to have one?...
    > The word Security appears 3 times in the document - once in the section
    > title ("7. Basic security for intra-domain deployment"), once in the
    > Index, and once simply punting the reader to Section 5.1 of the SRH
    > document ("Future documents will detail inter-domain security
    > mechanisms for SRv6").
    > 
    > Expecting *everyone* who deploys this to perfectly apply filters which
    > block ingress traffic everywhere where a packet could enter a domain
    > feels like an accident just waiting to happen.
    > Again, I'm guessing that I'm missing something obvious, and that the
    > entire security isn't premised on that - please point me to where this
    > is addressed.
    > 
    > "With great power comes great responsibility"
    >     -- sudo, via Peter Parker.
    > 
    > W
    > 
    >>
    >> You may copy the 6MAN WG for IPv6 related comments, but consider not duplicating emails on the 6MAN mailing list for the comments which are only spring specific.
    >>
    >> If you are raising a point which you expect will be specifically debated on the mailing list, consider using a specific email/thread for this point.
    >>
    >> This may help avoid the thread becoming specific to this point and other points getting forgotten (or the thread being converted into parallel independent discussions).
    >>
    >> Thank you,
    >>
    >> Bruno
    >>
    >> [1] https://tools.ietf.org/html/draft-ietf-spring-srv6-network-programming-05
    >>
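Warren's concern about relying on boundary filtering, and Pablo's reply pointing at the SRH security section, both turn on the ingress ACL the SRH document describes: packets entering the SR domain from an external interface whose destination lies in the domain's internal address space are discarded. The following Python script is an added example written for this archive page; it is not part of the thread, the draft, or any vendor implementation. It models such a boundary check over constructed packets: it parses the IPv6 fixed header and any leading extension headers, locates a routing header, and returns a verdict. The internal prefix (2001:db8:0:100::/56), the packet builder and all sample packets are assumptions constructed for the example. It goes slightly beyond the destination-address ACL in the SRH document by also rejecting the deprecated RH0 (RFC 5095) and flagging an SRH whose segment list names an internal SID, as a defence-in-depth check.

```python
"""Model of an SR-domain boundary ingress check (added example, not from the draft)."""
import ipaddress
import struct

# Hypothetical SR domain configuration: the SID block / infrastructure range that
# must never be reachable from outside the domain (constructed for this example).
INTERNAL_PREFIXES = [ipaddress.IPv6Network("2001:db8:0:100::/56")]

NH_HOP_BY_HOP, NH_ROUTING, NH_DEST_OPTS, NH_NONE = 0, 43, 60, 59
RH_TYPE_RH0, RH_TYPE_SRH = 0, 4


def parse_packet(pkt: bytes) -> dict:
    """Return the destination address and the first routing header, if any."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = pkt[6]
    dst = ipaddress.IPv6Address(pkt[24:40])
    off, rh = 40, None
    # Walk the extension headers that may precede a routing header; stop at the first RH.
    while next_hdr in (NH_HOP_BY_HOP, NH_DEST_OPTS, NH_ROUTING):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nh, ext_len = pkt[off], pkt[off + 1]
        total = (ext_len + 1) * 8  # Hdr Ext Len is in 8-octet units, not counting the first 8
        if off + total > len(pkt):
            raise ValueError("truncated extension header")
        if next_hdr == NH_ROUTING:
            rtype, segs_left = pkt[off + 2], pkt[off + 3]
            segments = []
            if rtype == RH_TYPE_SRH:
                n = pkt[off + 4] + 1  # Last Entry is a zero-based index
                if 8 + 16 * n > total:
                    raise ValueError("SRH Last Entry exceeds header length")
                segments = [ipaddress.IPv6Address(pkt[off + 8 + 16 * i: off + 24 + 16 * i])
                            for i in range(n)]
            rh = {"type": rtype, "segments_left": segs_left, "segments": segments}
            break
        next_hdr, off = nh, off + total
    return {"dst": dst, "rh": rh}


def ingress_verdict(pkt: bytes, prefixes=INTERNAL_PREFIXES) -> str:
    """Verdict for a packet arriving on an external (domain-boundary) interface."""
    info = parse_packet(pkt)
    if any(info["dst"] in p for p in prefixes):
        return "DROP: destination inside SR domain"  # the SRH Section 5.1 style ACL
    rh = info["rh"]
    if rh is None:
        return "ACCEPT"
    if rh["type"] == RH_TYPE_RH0:
        return "DROP: deprecated RH0"  # RFC 5095
    if rh["type"] == RH_TYPE_SRH and any(s in p for s in rh["segments"] for p in prefixes):
        return "DROP: SRH carries internal SID"  # extra check beyond the DA-based ACL
    return "ACCEPT"


def build_packet(src: str, dst: str, segments=(), rtype=RH_TYPE_SRH) -> bytes:
    """Constructed test packet: IPv6 header plus an optional routing header, no payload."""
    segs = [ipaddress.IPv6Address(s).packed for s in segments]
    ext = b""
    if segs:
        last_entry = len(segs) - 1 if rtype == RH_TYPE_SRH else 0  # RH0 keeps this reserved
        ext = struct.pack("!BBBBBBH", NH_NONE, 2 * len(segs), rtype,
                          len(segs) - 1, last_entry, 0, 0) + b"".join(segs)
    hdr = struct.pack("!IHBB", 6 << 28, len(ext), NH_ROUTING if ext else NH_NONE, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + ext


if __name__ == "__main__":
    samples = {
        "plain transit": build_packet("2001:db8:ffff::2", "2001:db8:ffff::1"),
        "to internal SID": build_packet("2001:db8:ffff::2", "2001:db8:0:100::1"),
        "SRH with internal SID": build_packet("2001:db8:ffff::2", "2001:db8:ffff::1",
                                              ["2001:db8:0:100::5", "2001:db8:ffff::1"]),
        "RH0": build_packet("2001:db8:ffff::2", "2001:db8:ffff::1",
                            ["2001:db8:ffff::3"], rtype=RH_TYPE_RH0),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {ingress_verdict(pkt)}")
```

The first verdict is the one the SRH document's boundary ACL produces; the two later checks are the additions noted in the lead-in. Running the script prints an ACCEPT for the plain transit packet and a DROP with the reason for each of the three others.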