IETF Logo Mail Archive

[SRv6OPS] Re: [spring] Second WG Last Call: draft-ietf-spring-srv6-security-14 (Ends 2026-06-02)

Mikael Abrahamsson <swmike@swm.pp.se> Tue, 02 June 2026 15:17 UTC

Return-Path: <swmike@swm.pp.se>
X-Original-To: srv6ops@mail2.ietf.org
Delivered-To: srv6ops@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 6BE58F948863; Tue, 2 Jun 2026 08:17:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1780413472; bh=KoZOH1vF+AEix566nuD27VIHt6k3hn3RwFa/2f6xGjs=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=hjA/RxH8d4RQfS9mNXoWc83U5HXePY0TeXv4dMAuHchLcx98l+6oUIxPvLp/PXZoU NbgdTCBVrVeCPAqbD1lEoHaOc2v7llDissPagXdh8JEz6dnkkHM0aDTNBpaDLoRXUZ u0/kvQJQHSYvBPBIJOSqeBAIUHfgB2DIgIWJUx/8=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=swm.pp.se
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L8-3FjTL3R83; Tue, 2 Jun 2026 08:17:51 -0700 (PDT)
Received: from uplift.swm.pp.se (swm.pp.se [IPv6:2001:678:394:100::1:168]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B7D93F94885E; Tue, 2 Jun 2026 08:17:51 -0700 (PDT)
Received: by uplift.swm.pp.se (Postfix, from userid 501) id F1B5F9A; Tue, 2 Jun 2026 17:17:43 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=swm.pp.se; s=mail; t=1780413464; bh=KoZOH1vF+AEix566nuD27VIHt6k3hn3RwFa/2f6xGjs=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=qPzjc7SK0h4+D+yobkTMdpGdQuy0yLL0I15D5xVeshC9VIOk6rxq40ZtbxM51yfMS goVV67Zuej+8dicBbAFHMp8uV7XdIiViAqlXRFjn72iw50TNsiQSLQ8jAvna+gH5pE 4fbcSVI/loj3FNoboKRBPou3kUV+Jr1E2uuvb1Ms=
Received: from localhost (localhost [127.0.0.1]) by uplift.swm.pp.se (Postfix) with ESMTP id F065788; Tue, 2 Jun 2026 17:17:43 +0200 (CEST)
Date: Tue, 02 Jun 2026 17:17:43 +0200
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <177913349668.557208.2581503410373976317@dt-datatracker-7688897f84-l74h4>
Message-ID: <c1477e28-192e-4034-822b-b64614ee653e@swm.pp.se>
References: <177913349668.557208.2581503410373976317@dt-datatracker-7688897f84-l74h4>
Organization: People's Front Against WWW
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Message-ID-Hash: XDZ4LQRF4ZVCDBUVCIH6Y7KSKMZSV5ST
X-Message-ID-Hash: XDZ4LQRF4ZVCDBUVCIH6Y7KSKMZSV5ST
X-MailFrom: swmike@swm.pp.se
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-spring-srv6-security@ietf.org, spring-chairs@ietf.org, spring@ietf.org, zali@cisco.com, srv6ops@ietf.org, ipv6@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [SRv6OPS] Re: [spring] Second WG Last Call: draft-ietf-spring-srv6-security-14 (Ends 2026-06-02)
List-Id: "SRv6 Operations (SRv6OPS) Working Group List" <srv6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/srv6ops/YAx1pdpliVplZs3xJPgru2951og>
List-Archive: <https://mailarchive.ietf.org/arch/browse/srv6ops>
List-Help: <mailto:srv6ops-request@ietf.org?subject=help>
List-Owner: <mailto:srv6ops-owner@ietf.org>
List-Post: <mailto:srv6ops@ietf.org>
List-Subscribe: <mailto:srv6ops-join@ietf.org>
List-Unsubscribe: <mailto:srv6ops-leave@ietf.org>

I'm aware that I'm late to the game here so I am not going to oppose the 
LC of this draft, but I would say it's a missed opportunity to not give 
clear guidance to users and vendors of SRv6 enabled equipment to put in 
two very strong recommendations/requirements:

1. Put your customers in VRFs.

2. Vendor must make sure that packets sent to SIDs on interfaces that are 
in a VRF, should not be processed as SRv6 packets.

The whole focus on users implementing filtering to protect the SRv6 domain 
is operationally fragile. To me it's surprising this is still the main 
recommendation.

For MPLS, there was a knob one enabled on the interface to "enable MPLS 
frame processing". Without it, MPLS frames are supposed to be dropped. 
SRv6 has, as far as I can tell, no such thing. Instead the operator is 
supposed to make sure there are ACLs on each and every interface where 
SRv6 packets aren't expected.

I would never ever ever deploy SRv6 without first making sure that all 
non-SRv6 interfaces were in a VRF, and verify that the vendor equipment 
didn't process SRv6 packets received on a VRF enabled interface.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se

v2.46.0 | Report a Bug | By Email | System Status