Security Considerations for SRv6 Networks based on Deployment Experience
draft-liu-spring-srv6-security-experience-01

Document Type: Active Internet-Draft (individual)
Authors: Yisong Liu, Daniel Voyer, Akash Agarwal
Last updated: 2023-11-10
IESG state: I-D Exists

spring                                                            Y. Liu
Internet-Draft                                              China Mobile
Intended status: Standards Track                                D. Voyer
Expires: 13 May 2024                                         Bell Canada
                                                              A. Agarwal
                                                                 Rakuten
                                                        10 November 2023

Security Considerations for SRv6 Networks based on Deployment Experience
              draft-liu-spring-srv6-security-experience-01

Abstract

   This document discusses the security considerations for SRv6 networks
   based on operators' deployment experience, and shows the
   infrastructure ACLs used to keep SRv6 segment endpoints reachable
   only from inside the SR domain.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 13 May 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Liu, et al.                Expires 13 May 2024                  [Page 1]
Internet-Draft     SRv6 Security Deployment Experience     November 2023

Table of Contents

   1.  Introduction
   2.  Securing SRv6 Networks
   3.  Security Considerations
   4.  IANA Considerations
   5.  References
     5.1.  Normative References
     5.2.  Informative References
   Appendix A.  Appendix A
   Authors' Addresses

1.  Introduction

   SRv6 is deployed in commercial networks (see
   [I-D.matsushima-spring-srv6-deployment-status] and
   [I-D.tian-spring-srv6-deployment-consideration]).  The operators of
   these networks include SoftBank, China Mobile, China Telecom, Iliad
   Italy, LINE Corporation, China Unicom, CERNET2, MTN Uganda Ltd., NOIA
   Network, Indosat Ooredoo, Rakuten, Bell Canada, Alibaba, Free France,
   STC, and other undisclosed operators.

   SRv6 endpoints are protected in the same way as the infrastructure IP
   endpoints of other encapsulations such as GRE, L2TPv3, VXLAN and
   Geneve (e.g., the loopback and interface addresses used for BGP
   peerings): the addresses are reachable from inside the operator's
   infrastructure and filtered at the edge of the domain.

2.  Securing SRv6 Networks

   SRv6 is deployed using an SR domain defined in [RFC8754].  The SR
   domain segment IDs (SIDs) are protected as follows [RFC8754]:

   *  Traffic traversing the SR domain is IPv6 encapsulated for its
      journey across the SR domain.  This applies to both VPN traffic
      and global Internet traffic traversing the domain ([RFC8754]
      section 5.2).

   *  External traffic destined to the SRv6 SID prefix is denied access
      to the domain by two means ([RFC8754] section 5.1):

      -  Deploy an infrastructure ACL (IACL) at external interfaces of
         the domain (e.g., links towards Internet Peering routers) to
         deny packets destined to the SRv6 locator block.  That is,
         "deny ipv6 destination SRv6-locator-block".

      -  Deploy an IACL at each SRv6 endpoint node to deny packets
         destined to the SRv6 locator configured at that node from any
         source not in the operator's infrastructure prefix block.  That
         is, "permit ipv6 source infrastructure-prefix-block destination
         SRv6-locator-block" followed by "deny ipv6 source any
         destination SRv6-locator-block"

   *  Using private or non-routable prefixes for SRv6 SIDs (e.g., the
      SID block discussed in [I-D.ietf-6man-sids], or ULA [RFC4193]) is
      also supported.  This complements, rather than replaces, the IACLs
      above: a prefix that is not meant to be routed externally can
      still be reached if a neighbour leaks or accepts a route for it.

   Appendix A illustrates how one operator utilizes the ACLs described
   above to protect the segment endpoints within the domain.

3.  Security Considerations

   This document introduces no security considerations beyond those of
   [RFC8754]; it documents how the protections required there are
   applied in deployed networks.

4.  IANA Considerations

   This document includes no request to IANA.

5.  References

5.1.  Normative References

   [RFC8754]  Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J.,
              Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header
              (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020,
              <https://www.rfc-editor.org/info/rfc8754>.

5.2.  Informative References

   [RFC4193]  Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
              Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005,
              <https://www.rfc-editor.org/info/rfc4193>.

   [I-D.tian-spring-srv6-deployment-consideration]
              Tian, H., Zhao, F., Xie, C., Li, T., Ma, J., Mwehair, R.,
              Chingwena, E., Xu, Q., Kusuma, P. H., Peng, S., Zhou, T.,
              Gao, Q., and Z. Keyi, "SRv6 Deployment Consideration",
              Work in Progress, Internet-Draft, draft-tian-spring-srv6-
              deployment-consideration-07, 13 March 2023,
              <https://datatracker.ietf.org/doc/html/draft-tian-spring-
              srv6-deployment-consideration-07>.

   [I-D.matsushima-spring-srv6-deployment-status]
              Matsushima, S., Filsfils, C., Ali, Z., Li, Z., Rajaraman,
              K., and A. Dhamija, "SRv6 Implementation and Deployment
              Status", Work in Progress, Internet-Draft, draft-
              matsushima-spring-srv6-deployment-status-15, 5 April 2022,
              <https://datatracker.ietf.org/doc/html/draft-matsushima-
              spring-srv6-deployment-status-15>.

   [I-D.ietf-6man-sids]
              Krishnan, S., "Segment Identifiers in SRv6", Work in
              Progress, Internet-Draft, draft-ietf-6man-sids-03, 11
              April 2023, <https://datatracker.ietf.org/doc/html/draft-
              ietf-6man-sids-03>.

Appendix A.  Appendix A

   SRv6 is deployed within an SR domain [RFC8754] of a single provider
   which consists of one or more ASes.  An SRv6 domain is depicted in
   the following figure.

                         An SR domain
                   +-----------------------+
                   | Infrastructure block: |
                   | A::/64                |
                   | SRv6 locator block:   |
                   | B::/64                |
                   |                       |
      External-----PE1------P------P-------PE2---External
      networks     |                       |     networks
                   |                       |
                   +-----------------------+

   This section shows how a one-line IACL at the domain boundary and a
   two-line IACL at each SRv6 endpoint are used to secure the SR domain.
   The ACL lines below are written as "action source, destination",
   where "any" matches every address.  Real router ACL syntax differs,
   and most implementations end an ACL with an implicit deny, so a
   deployed version of the endpoint ACL needs an explicit permit for
   the remaining (non-SID) traffic.

   Suppose the infrastructure prefix block is A::/64 and the SRv6
   locator block is B::/64.

   The following IACL is deployed at external interfaces of the SR
   domain to deny packets destined to the SRv6 locator block, whatever
   their source (the destination is the second field; swapping the two
   fields would filter packets sourced from the locator block instead
   and leave external packets towards the SIDs unfiltered).

   access-list L1
     deny any, B::/64

   The following IACL is deployed at each node with an SRv6 SID
   provisioned, to deny packets destined to the SRv6 locator configured
   at that node from any source not in the operator's infrastructure
   block.

   access-list L2
     permit A::/64, B::/64
     deny any, B::/64
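   The following is an added example, not code from the draft or from
   any of the operators it describes.  It implements a small evaluator
   for the "action source, destination" pseudo-ACL syntax used in this
   appendix and runs the L1 and L2 ACLs of Section 2 against
   constructed packets, so the expected behaviour at the domain boundary
   and at an SRv6 endpoint can be checked before the equivalent lines
   are written in vendor syntax.  The addresses 2001:db8::1 and
   2001:db8:2::1 are constructed external/customer addresses; A::/64
   and B::/64 are the blocks from the figure above.

```python
# Added example (not part of the draft): evaluate the two infrastructure
# ACLs of Section 2 / RFC 8754 section 5.1 against constructed packets.
import ipaddress
from typing import List, NamedTuple, Optional

IPv6Net = ipaddress.IPv6Network

INFRA_BLOCK = "A::/64"    # operator infrastructure prefix block (Appendix A)
LOCATOR_BLOCK = "B::/64"  # SRv6 locator block (Appendix A)


class Rule(NamedTuple):
    action: str             # "permit" or "deny"
    src: Optional[IPv6Net]  # None means "any"
    dst: Optional[IPv6Net]  # None means "any"


def parse_acl(text: str) -> List[Rule]:
    """Parse lines such as 'permit A::/64, B::/64' or 'deny any, B::/64'.
    The first field after the action is the SOURCE prefix, the second the
    DESTINATION prefix; 'any' matches every address."""
    rules = []
    for line in text.strip().splitlines():
        action, rest = line.split(None, 1)
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACL line: {line!r}")
        src_s, dst_s = (f.strip() for f in rest.split(","))
        to_net = lambda s: None if s == "any" else ipaddress.IPv6Network(s)
        rules.append(Rule(action, to_net(src_s), to_net(dst_s)))
    return rules


def evaluate(acl: List[Rule], src: str, dst: str, default: str = "permit") -> str:
    """First-match evaluation of one (src, dst) packet against an ACL.
    `default` models the implicit action when no rule matches; most router
    ACLs implicitly deny, which is why L2 below carries an explicit
    trailing 'permit any, any' for ordinary transit traffic."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for rule in acl:
        if (rule.src is None or s in rule.src) and (rule.dst is None or d in rule.dst):
            return rule.action
    return default


# L1, at external interfaces: drop anything destined to the locator block.
ACL_L1 = parse_acl(f"deny any, {LOCATOR_BLOCK}")

# L2, at each SRv6 endpoint: only the infrastructure block may reach SIDs.
ACL_L2 = parse_acl(f"""
permit {INFRA_BLOCK}, {LOCATOR_BLOCK}
deny any, {LOCATOR_BLOCK}
permit any, any
""")

# Constructed mis-ordered variant (source and destination swapped) to show
# why the field order matters: it filters packets FROM the locator block
# and lets external packets TO the locator block through.
ACL_L1_SWAPPED = parse_acl(f"deny {LOCATOR_BLOCK}, any")


def check_external_interface() -> dict:
    """Packets arriving on a peering link from a constructed external source."""
    return {
        "l1_external_to_sid": evaluate(ACL_L1, "2001:db8::1", "B::1"),              # deny
        "l1_external_to_customer": evaluate(ACL_L1, "2001:db8::1", "2001:db8:2::1"),  # permit
        "swapped_external_to_sid": evaluate(ACL_L1_SWAPPED, "2001:db8::1", "B::1"),   # permit: the hole
    }


def check_endpoint() -> dict:
    """Packets arriving at an SRv6 endpoint node holding a SID in B::/64."""
    return {
        "infra_to_sid": evaluate(ACL_L2, "A::1", "B::1"),             # permit
        "external_to_sid": evaluate(ACL_L2, "2001:db8::1", "B::1"),   # deny
        "locator_sourced_to_sid": evaluate(ACL_L2, "B::2", "B::1"),   # deny: B::/64 is not in A::/64
        "transit": evaluate(ACL_L2, "2001:db8::1", "2001:db8:2::1"),  # permit via trailing rule
    }


if __name__ == "__main__":
    for name, result in {**check_external_interface(), **check_endpoint()}.items():
        print(f"{name:26s} {result}")
```

   Two points the evaluator makes visible: a packet sourced from inside
   the locator block but outside the infrastructure block is dropped by
   L2, so the infrastructure block used as source for SR encapsulation
   must be the one named in the permit line; and the swapped L1 variant
   passes an external packet addressed to a SID, which is the failure
   mode the field-order note above warns about.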

Authors' Addresses

   Yisong Liu
   China Mobile
   Beijing
   China
   Email: liuyisong@chinamobile.com

   Daniel Voyer
   Bell Canada
   Canada
   Email: daniel.voyer@bell.ca

   Akash Agarwal
   Rakuten
   Email: akash.agrawal@rakuten.com
