Alissa Cooper has entered the following ballot position for draft-ietf-spring-segment-routing-13: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-spring-segment-routing/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I ended up reading draft-ietf-6man-segment-routing-header in tandem with this document, and I have a question arising out of that. The trust model for SRv6 outlined in this document appears to be one of reliance on the fact that an SRH will only ever be inserted and appear within a single administrative domain. But Section 5.2.2 of draft-ietf-6man-segment-routing-header talks about an SRH being inserted by a device outside of the segment routing domain. Which is correct?

I think this is an important question because the whole trust model for the SR information seems to rely on out-of-band trust between participating nodes.

I also think this is important because there is no discussion in this document of the impact of the inclusion of the SR metadata on the fingerprinting of the device that inserted it. Section 5.1.4 of draft-ietf-6man-segment-routing-header sort of alludes to this but seems to equate the capabilities of an active attacker (who can conduct a traceroute) with a passive attacker who could passively collect topology/fingerprinting information simply by observing SRHes flowing by on the network. If the limitation to a single administrative domain is meant to prevent such a passive attack (not sure if that is really true, but perhaps the document assumes it?), that's another reason that the existence of such a limitation needs to be clarified.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Per my DISCUSS comment, I think this document needs to include some considerations concerning the additional metadata that SRv6 adds to the packet. This has implications not just for passive observers but also for any node that logs the SRH.
