Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06

Stewart Bryant <stbryant@cisco.com> Thu, 10 October 2013 17:35 UTC

Message-ID: <5256E527.1030806@cisco.com>
Date: Thu, 10 Oct 2013 18:34:31 +0100
From: Stewart Bryant <stbryant@cisco.com>
To: Jari Arkko <jari.arkko@piuha.net>
References: <525639F6.8010503@cisco.com> <201310101354.r9ADsib8019588@cichlid.raleigh.ibm.com> <70D84A40-EB41-4D70-983A-DE3EB9FFE876@piuha.net>
In-Reply-To: <70D84A40-EB41-4D70-983A-DE3EB9FFE876@piuha.net>
Cc: Thomas Narten <narten@us.ibm.com>, "iesg@ietf.org" <iesg@ietf.org>, "status@ietf.org" <status@ietf.org>
Subject: Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06

On 10/10/2013 17:39, Jari Arkko wrote:
> Thomas,
>
>> I think a key point is that with IPv6, we are talking (potentially)
>> end-to-end exposure of an attack vector. You can have arbitrary end
>> nodes anywhere on the Internet injecting traffic that potentially
>> directly invokes or impacts source routing. In contrast, one can view
>> MPLS as an L2 technology below IP. That means it's deployed in a much
>> more restricted setting and a normal sender of TCP/IP has a much more
>> restricted attack vector for doing anything that impacts MPLS directly
>> (this is the key difference). That means the threat surface for attacks
>> on MPLS is very different than for IPv6 more generally.
> Yes - a good point. That is one of those restricted cases where it is possible to provide a reasonably secure solution.
>
> But my understanding is that SPRING was at IPv6 layer as well as on MPLS layer… although the charter does not explicitly say it. Just that it is not IPv4…
>
> If SPRING is expected to run at the IPv6 layer, what is the plan to contain the vulnerability?
>
> Jari
>
The following was just posted on the STATUS list and clarifies the
intended IPv6 scope.

All,

On the topic of MPLS vs IPv6 - one being L2 and hence more secure than
the other (L3) - I would like to observe that any decently managed
network would already today prohibit accepting any external packets
which have as destination an infrastructure address of such a network.
That is the basic protection scheme against DOS/DDOS attacks on the
infrastructure.

When such a packet is detected it should be dropped - not "stripped
from explicit routes" as the above charter update would tend to suggest.

As some may recall, in the past we have been working on automating such
ACL installation based on internal IGP addresses on all border routers
under the same administrative domain, within a single AS or a number of
ASes, to ease the operational burden. Not sure if all vendors support
such automation today.

I think what needs to be understood is that segment routing is not an
internet-wide source routing technology. It is a carefully crafted path
engineering and packet encapsulation technique within a controlled set
of domains, which really does not compare to the original issues and
security concerns of source routing.

Best,
R.

I could

OLD
The initial data planes that will be considered are MPLS
and IPv6.

NEW
The initial data planes that will be considered are MPLS
and IPv6 in constrained network scopes.


END

Stewart
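The infrastructure-ACL protection described in the forwarded note (drop external packets whose destination is an infrastructure address, with the ACL derived automatically from IGP-advertised prefixes on every border router) can be modelled as follows. This is an added example, not code from the thread or from any vendor; the prefixes, interface roles and packets are constructed, and the "strip" variant is included only to show the behaviour the note argues against.

```python
"""Model of an infrastructure ACL on a border router (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed infrastructure prefixes, as an IGP would advertise them
# (loopbacks / link addresses of the operator's own routers).
IGP_PREFIXES = ["192.0.2.0/24", "2001:db8:0:1::/64"]


@dataclass
class Packet:
    ingress: str                    # interface role: "external" or "internal"
    dst: str                        # destination address
    segments: list = field(default_factory=list)  # explicit route, if any


def build_infra_acl(prefixes):
    """Derive the infrastructure ACL automatically from IGP prefixes."""
    return [ipaddress.ip_network(p) for p in prefixes]


def is_infra(addr, acl):
    """True if addr falls inside any infrastructure prefix."""
    a = ipaddress.ip_address(addr)
    # 'in' is False across address families, so v4 and v6 can share one ACL.
    return any(a in net for net in acl)


def filter_packet(pkt, acl):
    """Policy from the note: an externally received packet addressed to the
    infrastructure is dropped whole. Returns (decision, packet)."""
    if pkt.ingress == "external" and is_infra(pkt.dst, acl):
        return "drop", None
    return "forward", pkt


def strip_and_forward(pkt, acl):
    """The weaker behaviour the note rejects: remove the explicit route but
    still forward the packet towards the infrastructure address."""
    if pkt.ingress == "external" and is_infra(pkt.dst, acl):
        return "forward", Packet(pkt.ingress, pkt.dst, [])
    return "forward", pkt


def install_on_border_routers(routers, prefixes):
    """Same ACL on every border router of the administrative domain."""
    acl = build_infra_acl(prefixes)
    return {r: acl for r in routers}
```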