Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Andrew Alston <Andrew.Alston@liquidtelecom.com> Mon, 25 October 2021 09:31 UTC

Return-Path: <andrew.alston@liquidtelecom.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5624D3A0945 for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 02:31:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.108
X-Spam-Level:
X-Spam-Status: No, score=-3.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=liquidtelecom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KnFxeHkb-Ab3 for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 02:31:50 -0700 (PDT)
Received: from eu-smtp-delivery-182.mimecast.com (eu-smtp-delivery-182.mimecast.com [185.58.86.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E6473A0908 for <v6ops@ietf.org>; Mon, 25 Oct 2021 02:31:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=liquidtelecom.com; s=mimecast20210406; t=1635154303; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=eYNA/8xKRnZp5r3QtFwIOMXWx1/2qCAuXyWnn9LzZGc=; b=OLCNp9gvPqvXa5fV/0ADRF1Kjvj1hBZPCfEOSaZeZ1v5O9GA1poLmSeomFqXsSyLOEA86D i5aHCJ1vZ8HtslNPIV0XISglDovyAE5IThag4kUtWwY362eiMefNmG6PEi8fJRYHYN1tGb kEu4j9LzLNudaLbdq/DI/lijBq2fE3Y=
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05lp2105.outbound.protection.outlook.com [104.47.17.105]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-105-eLSIHS83NzONtvYxufAu6w-1; Mon, 25 Oct 2021 10:31:39 +0100
X-MC-Unique: eLSIHS83NzONtvYxufAu6w-1
Received: from AS8PR03MB7622.eurprd03.prod.outlook.com (2603:10a6:20b:346::6) by AS8PR03MB8020.eurprd03.prod.outlook.com (2603:10a6:20b:42b::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4628.16; Mon, 25 Oct 2021 09:31:38 +0000
Received: from AS8PR03MB7622.eurprd03.prod.outlook.com ([fe80::90ec:90d5:59c4:fef9]) by AS8PR03MB7622.eurprd03.prod.outlook.com ([fe80::90ec:90d5:59c4:fef9%6]) with mapi id 15.20.4628.020; Mon, 25 Oct 2021 09:31:38 +0000
From: Andrew Alston <Andrew.Alston@liquidtelecom.com>
To: Brian Carpenter <brian.e.carpenter@gmail.com>
CC: Ole Troan <otroan@employees.org>, Warren Kumari <warren@kumari.net>, IPv6 Ops WG <v6ops@ietf.org>
Thread-Topic: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
Thread-Index: AQHXxp4zP+qugBEUYEKpNlrZT9uUPqvfT9WAgAQhrYCAAACKsIAABicAgAAAh3A=
Date: Mon, 25 Oct 2021 09:31:38 +0000
Message-ID: <AS8PR03MB762262B7F820C6FB679BA4A6EE839@AS8PR03MB7622.eurprd03.prod.outlook.com>
References: <CB45220A-ECE6-492A-8A37-D189A71CDA2B@liquidtelecom.com> <CAHw9_iJy_OjSwRDRx5cbB6yhau7XzNUKTi49sHhi0CnmRARQUA@mail.gmail.com> <1F31CC6F-8471-4B50-AE3F-9E5FC76BB447@employees.org> <AS8PR03MB7622CBFEE6C16B9230C593A9EE839@AS8PR03MB7622.eurprd03.prod.outlook.com> <CANMZLAbt40ic692mwxEfv0_6CQvhZzVbYn8B-hoFJT6TmG16KQ@mail.gmail.com>
In-Reply-To: <CANMZLAbt40ic692mwxEfv0_6CQvhZzVbYn8B-hoFJT6TmG16KQ@mail.gmail.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 95e28910-b0f1-4679-90fe-08d9979a3eff
x-ms-traffictypediagnostic: AS8PR03MB8020:
x-microsoft-antispam-prvs: <AS8PR03MB8020E7F1717B866A70ABF5C1EE839@AS8PR03MB8020.eurprd03.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: v7tbw439mZC0bKavAMIA1Fv88crVm9ysxYuEpSwlW8BYNHHnZ2a6B2MyLe6zTk9l1dnbwJ92BYQnKUkpESJxLdBe/4tkYjQCRtu8Jm/hlm3FEN/2ZkCgZXVFAnAC9qWs/0YVleya31+DCYAPoz+TCmq+E+NhOJDUS1qJVBjZuOZOt2Au2gp85KPYenUo4W8d5SM7X/H/qvkpNhILpj70ZHzrJq5h7UOeOn6Hv4sTjyWLf400Sx4HzjggI5ZEIK6vFRbXptwoW8quL32c0JlY7O5DVdWhtlIpNAo8zEpB14LE/05v9cMDx/IE4rNjeUz3/qZ3vmXZvu9Jkp3CKl9o3m1waNcrKYo/mTWlluRnHClSM0ARPbYZDRJbh4AbMGmVRWAl+yqpzl0SPrIXErxooBs0E0ADSG8x81fjvyO0vXI7hHrVtEzWB8Ln18s2ZasyeOubjMv780/w3muxWrVaoxThjZz+9yoV9Zfqab4Xg0jOjUXTu8llkWPgyddALIczF3fmwfp76URF4LxYxKgfWxcABcCRRpi4GXzSKJCh3WI85dXWWLj4fRSLOG+jLGMfeXNSWbpDr96fWPQZELYfzCel+juMSkt0BnQhUiYW9jfaU60aH8sEJ0I4yu05z2H5WYUT3emxGdmWxdevDt50Iy619XTCDgGBZ4+0Gn4k/S9hPOMQq7VI9GHTdfQfXHwMQMxKFvkze/iSSfXTzgQzP8g+kVOel7qphqq6XDA67nDUkSm+hrhJoEDvhAZmIGlNkHxinnhulIGOeapJWlXRpTe8+/7ALP3QkMOMxl0BQ7Cb/MDeXhTg2UcsnLDqlQrSx8jRKPJCL5kHpvApIhr2Og==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AS8PR03MB7622.eurprd03.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(64756008)(66446008)(166002)(76116006)(53546011)(66574015)(83380400001)(7696005)(66556008)(122000001)(6506007)(6916009)(66476007)(66946007)(8676002)(33656002)(186003)(966005)(9686003)(86362001)(8936002)(2906002)(5660300002)(38070700005)(52536014)(38100700002)(55016002)(54906003)(71200400001)(4326008)(15650500001)(316002)(508600001); DIR:OUT; SFP:1102
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?VEZ4TS9SNUpBeUwybGlhLzJzU3IwNUhVZTZ1ZTN3UXFQQkRFdEFEZncxME5o?= =?utf-8?B?c01tMU5UeEhvcmdBclY5dUNTdWJxaWkyRUg1YSttTGZYNlNMdDJCU25RK1p3?= =?utf-8?B?QW9uWkdJWVBkdVZha3pPY1RjZTBkZUU5cGxnVjFTUmFYdlRsQTVuRmRkbGxu?= =?utf-8?B?MDVMTnpkV25ocGdzREVsRmFsaEREYUFuWDYxOURzNDh4ZXVjaDg5VUNYWnRP?= =?utf-8?B?c0doT0JWSlROSml1amFhempJSW53a1pBS1Z6bDhBM2tnREpVMTJ2anNEZ2JH?= =?utf-8?B?cDRIN3ZBMmszSFVnWTZGc0hzOGhXWHJtSFdNVGJVYmtteEtVTkpUdDJ3KzBR?= =?utf-8?B?MUFXeUZCcWtPNmx0anBXSUV6OEx4MVhqUnFJaGlDckhmYXRkS1psd21rOTVp?= =?utf-8?B?U3FLZUVIQnNJUFowR3Q5VHZ1c09kTWgwSVZCbE11NFd2RWpXMkZEN0xxMFlB?= =?utf-8?B?SDVJd3l0YnpheWhLZFlkSHBmS0tuWEVteUVXTk5rRkNuczJmNVNIb3JnQ3pR?= =?utf-8?B?aCs3M1RucDBQeE9yY2UvVFROVHF0MGh4WVEyOFprVlZYQmhpZUpERWN2bnZH?= =?utf-8?B?M0oycVFPTU5zbVgyUXVZK1dqeWp6Uk80U3JFY1JVcGNyOU9pbVNiZEQvVHdS?= =?utf-8?B?djVDN0VuZU4rdDk2eUEwYXc3WVQzbWhpbHg1RDY3Z2ZsNzVGa3FLSUlmeXRJ?= =?utf-8?B?dTArSjlLVFhNd0trVGdKZ01wc0QwRC9FSjRpTjg2aDFjNy96VmdGc0RMQTNJ?= =?utf-8?B?SEswYVRMbklPOUNIT0toWmt3czZ3WHo5cVppRVYxSW5Nem5YZUQ5elo4SGlS?= =?utf-8?B?V2ZrQlhaYVNUVU5WU2QyR2laeHNwTGNoSTQrQUtvNHNxMFliNUdQL0wreVB6?= =?utf-8?B?S3ErQ0ZoNVpUOUx5dHl2QVN3MzZlNmZ1U0lZbmdqVHA3ODJMNVJZSXFFYlVa?= =?utf-8?B?ZU8rWXJRRU1tUk42RmprSEpGUmFEaGtkT1VjL3lvS1pINjVzZVpmcTFJeFgr?= =?utf-8?B?ZElHRnpvZm1UdmhaYWRvanM5WjZURkRJUzZldS9QdXY0a3RpZnFVcmZzU3R5?= =?utf-8?B?QWl3dDZrQ0M3RFVJeHpQSXFpTWpKWjFhSm5EQ2QvUXhsWjJLeVJWclhqK1lG?= =?utf-8?B?eUpNZ1JNR2hyMWtjRzBoWGdlQzlMLzlmT3ExRlo1aU9qRi9GMUVuUFdTdVM2?= =?utf-8?B?YlZsMndJUUlnV3ZhTFd5UmIzOG5WdFZBczU0SlVpcCsxdWR2Y0ZueHlDLzha?= =?utf-8?B?STZuN0ZzZFhxTFR3aFgwdk9RRzJTU0N0MFRqeitDQy9pNkF3TnRYb1I4c3Jy?= =?utf-8?B?ZElIeFViQVhEVE05aDY4Y1BvNXNXOEszZW14TnZtZ2Q5T0VraEpMb0hDUThO?= =?utf-8?B?T0dUa042bDNXSXhQZng0VWtXd1BIZGRrNUtEaDFUSlFDVWxkTFN3cktKTlU0?= =?utf-8?B?d1JoRklMRXJjVGpocXlFN1ZaTU81SjVBdHNEQnlxNk56dEsvWTVUaTJpWk1T?= =?utf-8?B?VVBMSDAxOHF1c0FTSUR3M0QvVGJtdGg2K2tub2tpeWlBTFlTVEZtd1NzaHhR?= =?utf-8?B?YjdjM0NqL0ZuekhqOUhMR2xVSGlsTWJnQlZUMzFiVUp6Z0ZVdDNENzFnbFRI?= =?utf-8?B?SFdaTXR4OHNEekpISVlLbjVPYlJ4cVJGNTVEbmlORkNlTjlpeEZTeW1Fb1l2?= =?utf-8?B?RysvNFZsMGlTNzZiSDBsUHN2Sm4wVkMwME9yYWNoVi9kUDFXTjhqYWZrNngz?= =?utf-8?B?UzZGV2pON3dRTDN3YUFBbTN6OFY0MXVWeW04dzd6UnkwWDJON0JlaXdrWmZB?= =?utf-8?B?QWkvUG4wWVNsT1VzbzBDMldnUkoyZ0Zmc2hSYXVucFhNQW95aDQrMkRtbnRn?= =?utf-8?B?TXhjRVlLczNWWXdaZTBwMGhtTm9OWUxPOEp2S3dPQm9VVmJBc251WFg1UnU2?= =?utf-8?B?QXFaYmpFaHFHRENZNU5JanBhc1JHVkN6ZTlKK2I3cFBvdDRLWmxkMDFwejc1?= =?utf-8?B?L1lMVHFMUk9vMFNZOHExQ0s2ZWNjNHorZDEyeXZDT0g2WVpPNlJzaU5IckZ4?= =?utf-8?B?VHZHaUZUd0dvbng4cC81Z01xa0RlNlYzNEZBdTNpS3VKeHhWbzBqVmFnL2ZJ?= =?utf-8?B?ZytUcmhnYTlUOVNyT0dxVTY3azZXZUEvTjBHTm1XRjYrR25YRTZGdnZZZDcy?= =?utf-8?B?QmNZWm9ZWld6K3dKcjUrUXNqL1RjcHBTVU9SVTY3cVdwMVdJc1Vac29vcDFJ?= =?utf-8?B?bG4yTnh2Ry95VXQ2dFJtQjN6QjFwalI5Sk1leVZpU1NQaUd6cHY5YnRBb2Nl?= =?utf-8?Q?HpO5Koh7IG3ktSotPe?=
MIME-Version: 1.0
X-OriginatorOrg: liquidtelecom.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS8PR03MB7622.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 95e28910-b0f1-4679-90fe-08d9979a3eff
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Oct 2021 09:31:38.6632 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 68792612-0f0e-46cb-b16a-fcb82fd80cb1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: KQSlwwqyhkZBhAZO/7A/ZlNMINUIUpspC1ecDH5ZdYt5fUuaRURuT2L2R0v/qxOhKQ6FtetbE1jDgE2Nlz+yDKVxxRq5J0bocGpXID79ca4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR03MB8020
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=C82A168 smtp.mailfrom=andrew.alston@liquidtelecom.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: liquidtelecom.com
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_AS8PR03MB762262B7F820C6FB679BA4A6EE839AS8PR03MB7622eurp_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/IzawiRGYpHfoVF3K3oQDDfZ-Sno>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2021 09:31:56 -0000

So Brian,

Let me ask you this – would you say that, in your opinion, that SRv6 falls into the definition of limited-domain as per that document.  I’m still going through it closely to make up my own mind – but I’m curious as to your perspective on this

Andrew


From: Brian Carpenter <brian.e.carpenter@gmail.com>
Sent: Monday, October 25, 2021 12:29 PM
To: Andrew Alston <Andrew.Alston@liquidtelecom.com>
Cc: Ole Troan <otroan@employees.org>rg>; Warren Kumari <warren@kumari.net>et>; IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Andrew,
That's what https://www.rfc-editor.org/rfc/rfc8799.html#name-functional-requirements-of-<https://www.rfc-editor.org/rfc/rfc8799.html#name-functional-requirements-of-> is getting at. We need more precision indeed, and that requirements list was intended as a starting point. (We also have an example: RFC8994.)
Regards,
    Brian Carpenter
    (via tiny screen & keyboard)

On Mon, 25 Oct 2021, 22:12 Andrew Alston, <Andrew.Alston=40liquidtelecom.com@dmarc.ietf.org<mailto:40liquidtelecom.com@dmarc.ietf.org>> wrote:
Ole,

My problem here is that "limited domain" has become a vague and obscure term used to justify the violation of pretty much anything.

Furthermore - I would argue that in the case of srv6 - the concept of domain boundary has become so obscure and so vague as to be meaningless.  When limited domain used to have limited edge devices connecting to other networks - you could kinda get away with this - when your limited domain is now extended into a hybrid server/network world - and your domain edge is so vague and fuzzy as to encompass pretty much every port on the network - then the concept of limited domain is, in my view as an operator, meaningless.

I actually think it would be interesting to potentially form another working group in the IETF - to specifically look at the operational impact of ideas being proposed but on a "localized" basis - so while GROW is chartered to look at the impact of things on the wider internet - perhaps we need to start thinking about something that can analyze the impact of proposals from the perspective of a "limited domain" - inside that domain - and perhaps this could also be the place where we define what a "limited domain" really means - and what the boundaries of this really mean.

Might be something worth considering...

Andrew


-----Original Message-----
From: v6ops <v6ops-bounces@ietf.org<mailto:v6ops-bounces@ietf.org>> On Behalf Of otroan@employees.org<mailto:otroan@employees.org>
Sent: Monday, October 25, 2021 12:05 PM
To: Warren Kumari <warren@kumari.net<mailto:warren@kumari.net>>
Cc: v6ops@ietf.org<mailto:v6ops@ietf.org>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Warren,

> The way I see this playing out is operators quickly moving along the lines of:
> If I'm expected to filter "RH type 4 (SRH)" on all of my external interfaces in case someone else decides to run SRH, what else should I filter? Clearly 5 and 6 (CRH-16/32)... and 7, 8, ... 255.
> I need to be ready *before* you enable $insert_new_protocol_here, so the only sensible thing for me to do is filter all RH/43. Oh, and I don't know what sort of new uses there might be for Hop-by-Hop that might affect me, so I should clearly just filter all protocol 0 (perhaps in the future I might allow specific ones... maybe). HIP? I don't use that, but I might in the future, and I certainly don't have time to follow all of the new things being proposed in the IETF/by vendors, so obviously I should filter that everywhere...
> Actually, why am I bothering to write this long filter list? I'll just allow TCP and UDP, and call it done...
>
> (When I started writing the above I thought I would need to add a "Warning: Hyperbole ahead" marker -- but I'm no longer sure that that's the case).

Proposal for a principle: "If Internet traffic is carried across a limited domain, the technology used in the limited domain must not hinder end to end transparency."

You are welcome to suggest more concise ways of saying that.

In the above example, filtering packets with the SRH RH type _and_ destined towards your own limited domain prefix would adhere to that.

Cheers,
Ole

_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops<https://www.ietf.org/mailman/listinfo/v6ops>