Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Gert Doering <gert@space.net> Mon, 25 October 2021 21:47 UTC

Return-Path: <gert@space.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE5BF3A08DC for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 14:47:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=space.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2B8z3x2aRaLG for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 14:47:09 -0700 (PDT)
Received: from gatekeeper1-relay.space.net (gatekeeper1-relay.space.net [IPv6:2001:608:3:85::38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 310823A0881 for <v6ops@ietf.org>; Mon, 25 Oct 2021 14:47:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=space.net; i=@space.net; q=dns/txt; s=esa; t=1635198430; x=1666734430; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=GeRDp7e6w6/HJ6rr23MAxuncgz5RIOBHUCFSgRwtY5Q=; b=UEtfDJyGg/uiy5U+QHbHlXxaaLx9sseEXMU705bImgzqOCopXS6tiW+u JNldjENgsNCQGSdEf1Jpf8c0GOOiOQXtKxqANIV/xjXqLHNfbYEiTDcte v6hw+Y29Pt5bw+0r1cJntGc3m21JheOqAE4kqCgS+XM6xSYcEjzBEjEmI Ztppe2pyZ1OAod6yWcae+fT+Oy2sSVZSoGaub5hIZUzqxciw8mnGLFP0R tjEquSSx7ofJiA84PkmduSSemvYpmxuLQHly1iuIXbMtThD3DsfId3bp2 BkUxsWfsCB3SQ53glepkMKRSU7fsWtBo7Cw0LRdcdIMJqcjq0pzC+FoUG A==;
X-SpaceNet-SBRS: None
Received: from mobil.space.net ([195.30.115.67]) by gatekeeper1-relay.space.net with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Oct 2021 23:47:07 +0200
X-Original-To: v6ops@ietf.org
Received: from mobil.space.net (localhost [IPv6:::1]) by mobil.space.net (Postfix) with ESMTP id F209E43880 for <v6ops@ietf.org>; Mon, 25 Oct 2021 23:47:06 +0200 (CEST)
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
X-SpaceNet-Relay: true
Received: from moebius4.space.net (moebius4.space.net [IPv6:2001:608:2:2::251]) by mobil.space.net (Postfix) with ESMTP id 8F455436BF; Mon, 25 Oct 2021 23:47:06 +0200 (CEST)
Received: by moebius4.space.net (Postfix, from userid 1007) id 88EF614AB; Mon, 25 Oct 2021 23:47:06 +0200 (CEST)
Date: Mon, 25 Oct 2021 23:47:06 +0200
From: Gert Doering <gert@space.net>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Gert Doering <gert@space.net>, Warren Kumari <warren@kumari.net>, "v6ops@ietf.org" <v6ops@ietf.org>
Message-ID: <YXcl2iQMvZe8ggLs@Space.Net>
References: <CB45220A-ECE6-492A-8A37-D189A71CDA2B@liquidtelecom.com> <CAHw9_iJy_OjSwRDRx5cbB6yhau7XzNUKTi49sHhi0CnmRARQUA@mail.gmail.com> <1F31CC6F-8471-4B50-AE3F-9E5FC76BB447@employees.org> <CAHw9_iKU5--mFq3swhSbGJHV9Y5H52cKcgeF=nBf1rqZeBMRJQ@mail.gmail.com> <YXciHYMNa6KJUohp@Space.Net> <ff55bdc4-9274-adc5-ef09-0d398b52342a@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="PJnd6X0ff7B2oQ8B"
Content-Disposition: inline
In-Reply-To: <ff55bdc4-9274-adc5-ef09-0d398b52342a@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/MV6mzmI_MrLPJmWjEbjsrvY9448>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2021 21:47:14 -0000

Hi,

On Tue, Oct 26, 2021 at 10:44:32AM +1300, Brian E Carpenter wrote:
> On 26-Oct-21 10:31, Gert Doering wrote:
> > On Mon, Oct 25, 2021 at 05:20:51PM -0400, Warren Kumari wrote:
> >> I somewhat like the idea of having a well known prefix for "limited
> >> domains"
> 
> fc00::/7 works well. RFC8994 is a worked example.

So how would that work for an ISP network trying to run SR6, protecting
its network from rogue hosts inside?  Without having GUAs on the SR6
routers that would happily decapsulate incoming SR6 packets, and 
without violating lots of rules about "do not leak ULAs outside
your network" (traceroute and other ICMP errors)?

I lack imagination today...

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279