> I went to look in the Security Considerations section, but, well, the
> document doesn't seem to have one?...
So why on earth is this document in WGLC? It cannot possibly be sent to the
IESG without that section. (And "7. Basic security ..." seems very unlikely to
pass muster even if renamed.)
Regards
Brian
On 10-Dec-19 11:55, Warren Kumari wrote:
> <no hats>
>
> On Thu, Dec 5, 2019 at 12:15 PM <bruno.decra...@orange.com> wrote:
>>
>> Hello SPRING,
>>
>>
>>
>> This email starts a two weeks Working Group Last Call on
>> draft-ietf-spring-srv6-network-programming [1].
>>
>>
>>
>> Please read this document if you haven't read the most recent version, and
>> send your comments to the SPRING WG list, no later than December 20.
>>
>>
>
> I will happily admit that I haven't been following the discussions, so
> apologies in advance - I'm guessing I'm missing something really
> obvious, so please point me at other documents / email threads where
> this has already been answered...
>
> RFC5095 deprecated IPv6 RH0 due to some serious security issues - it
> was possible for an attacker to send traffic containing "instructions"
> to make a packet ping-pong between two interfaces, steer it down
> specific links, etc.
>
> It feels to me like this re-introduces similar (and potentially more
> scary) issues -- what's to stop an attacker spoofing traffic
> containing a bunch of SIDs which decapsulate, push a packet into
> another FIB, End.DT2M, etc?
>
> I went to look in the Security Considerations section, but, well, the
> document doesn't seem to have one?...
> The word Security appears 3 times in the document - one in the section
> title ("7. Basic security for intra-domain deployment"), once in the
> Index, and once simply punting the reader to Section 5.1 of the SRH
> document ("Future documents will detail inter-domain security
> mechanisms for
> SRv6 ").
>
> Expecting *everyone* who deploys this to perfectly apply filters which
> blocks ingress traffic everywhere where a packet could enter a domain
> feels like an accident just waiting to happen
> Again, I'm guessing that I'm missing something obvious, and that the
> entire security isn't premised on that - please point me to where this
> is addressed.
>
> "With great power comes great responsibility"
> -- sudo, via Peter Parker.
>
> W
>
>>
>> You may copy the 6MAN WG for IPv6 related comment, but consider not
>> duplicating emails on the 6MAN mailing list for the comments which are only
>> spring specifics.
>>
>>
>>
>> If you are raising a point which you expect will be specifically debated on
>> the mailing list, consider using a specific email/thread for this point.
>>
>> This may help avoiding that the thread become specific to this point and
>> that other points get forgotten (or that the thread get converted into
>> parallel independent discussions)
>>
>>
>>
>> Thank you,
>>
>> Bruno
>>
>>
>>
>> [1] https://tools.ietf.org/html/draft-ietf-spring-srv6-network-programming-05
>>
>>
>>
>>
>>
>> _________________________________________________________________________________________________________________________
>>
>> Ce message et ses pieces jointes peuvent contenir des informations
>> confidentielles ou privilegiees et ne doivent donc
>> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu
>> ce message par erreur, veuillez le signaler
>> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
>> electroniques etant susceptibles d'alteration,
>> Orange decline toute responsabilite si ce message a ete altere, deforme ou
>> falsifie. Merci.
>>
>> This message and its attachments may contain confidential or privileged
>> information that may be protected by law;
>> they should not be distributed, used or copied without authorisation.
>> If you have received this email in error, please notify the sender and
>> delete this message and its attachments.
>> As emails may be altered, Orange is not liable for messages that have been
>> modified, changed or falsified.
>> Thank you.
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> i...@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>
>
>
_______________________________________________
spring mailing list
spring@ietf.org
https://www.ietf.org/mailman/listinfo/spring
