Internet-Draft | SRv6 Security Considerations | March 2023
Li, et al. | Expires 7 September 2023
- Intended Status:
Security Considerations for SRv6 Networks
SRv6 inherits potential security vulnerabilities from Source Routing in general, and also from IPv6. This document describes various threats and security concerns related to SRv6 networks and existing approaches to mitigating these threats.
Status of This Memo
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 7 September 2023.
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Segment Routing (SR) [RFC8402] is a source routing paradigm that explicitly indicates the forwarding path for packets at the source node by inserting an ordered list of instructions, called segments. A segment can represent a topological or service-based instruction.
When segment routing is deployed on the IPv6 [RFC8200] data plane, called SRv6 [RFC8754], a segment is a 128-bit value; it can be the IPv6 address of a local interface, but it does not have to be. To support SR, a new type of Routing Extension Header is defined, called the Segment Routing Header (SRH). The SRH contains a list of SIDs and other information such as Segments Left. The SRH is defined in [RFC8754]. By using the SRH, an ingress router can steer SRv6 packets onto an explicit forwarding path, so that use cases such as Traffic Engineering and Service Function Chaining can be deployed easily with SRv6.
However, SRv6 also brings some new security concerns. This document describes various threats to networks deploying SRv6. SRv6 inherits potential security vulnerabilities from source routing in general, and also from IPv6 [RFC9099].
- SRv6 makes use of the SRH, which is a new type of Routing Extension Header. Therefore, the security properties of the Routing Extension Header are addressed by the SRH. See [RFC5095] and [RFC8754] for details.
- SRv6 consists of using the SRH on the IPv6 data plane, whose security properties can be understood based on previous work [RFC4301], [RFC4302], [RFC4303] and [RFC4942].
In this document, we will consider the dangers from the following kinds of threats:
The rest of this document describes the above security threats in SRv6 networks and existing approaches to mitigate and avoid the threats.
This document uses the terminology defined in [RFC5095] and [RFC8754].
2.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
3. Security Principles of SRv6 Networking
As with other similar source-routing architectures, an attacker may manipulate the traffic path by modifying the packet header. The SPRING architecture [RFC8402] allows clear trust domain boundaries so that source-routing information is only usable within the trusted domain and never exposed to the outside world. It is expected that, by default, explicit routing is only used within the boundaries of the administered domain. Therefore, the data plane does not expose any source-routing information when a packet leaves the trusted domain. Traffic is filtered at the domain boundaries [RFC8402].
Unless otherwise noted, the discussion in this document pertains to SR networks that can be characterized as "trusted domains", i.e., the SR routers in the domain are presumed to be operated by the same administrative entity without malicious intent and also according to the specifications of the protocols that they use in the infrastructure.
This document assumes that the SR-capable routers and transit IPv6 routers within the SRv6 trusted domains are trustworthy. Hence, SRv6 packets are treated as normal IPv6 packets at transit nodes, and the SRH will not bring new security problems. The security considerations of IPv6 networks are out of scope of this document.
4. Types of Vulnerabilities in SR Networks
This section outlines in detail the different types of vulnerabilities listed in Section 1. Then, for each type, an attempt is made to determine whether or not the vulnerability exists in a trusted domain.
4.1. Eavesdropping Vulnerabilities in SRv6 Networks
As with practically all kinds of networks, traffic in an SRv6 network may be vulnerable to eavesdropping.
- Threats: Eavesdropping
- Solutions: Encapsulating Security Payload (ESP, [RFC4303]) can be used in order to prevent Eavesdropping. The ESP header is either inserted between the IP header and the next layer (transport) protocol header, or before an encapsulated IP header (tunnel mode). ESP can be used in order to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and (limited) traffic flow confidentiality. The set of services provided depends on the selected options at the time of the Security Association (SA) establishment and on the location of the implementation in a network topology. (add reference to the different points explained in this paragraph).
- Conclusion: In tunnel mode of ESP, packets are encrypted and cannot be eavesdropped in a trusted SRv6 domain. In transport mode of ESP, the payloads of packets are encrypted and cannot be eavesdropped in a trusted SRv6 domain, even if the IPv6 and SRH headers are not encrypted.
- Gaps: The IPv6 and SRH headers are not encrypted in transport mode of ESP and may be eavesdropped by attackers.
4.2. Packet Falsification in SRv6 Networks
As the SRv6 domain is a trusted domain, there is no Packet Falsification within the SRv6 domain.
As packets from outside of the SRv6 domain cannot be trusted, an Integrity Verification policy is typically deployed at the external interfaces of the ingress SRv6 routers in order to verify the incoming packets (i.e., those from outside of the SRv6 domain) [RFC8986]. Also, the packets with SRH sent from hosts within the SRv6 domain should be verified in order to prevent falsification between the host and the ingress router [RFC8986].
- Threats: Packet Falsification
- Solutions: Packets from outside cannot be trusted, so an Integrity Verification policy should be deployed at the external interfaces by using, e.g., IPsec [RFC4301] (AH [RFC4302], ESP [RFC4303]) or HMAC [RFC2104]. AH [RFC4302], ESP [RFC4303] and HMAC [RFC2104] can provide Integrity Verification for packets, while ESP can also encrypt the payload in order to provide higher security. However, it has been noted that AH and ESP are not directly applicable for reducing the vulnerabilities of SRv6, due to the presence of mutable fields in the SRH. To solve this problem, [RFC8754] defines a mechanism to carry an HMAC TLV in the SRH so as to verify the integrity of packets including the SRH fields. The HMAC TLV is usually processed based on local policy, only at the ingress router. Within the SRv6 domain, the packets are trusted, so the HMAC TLV is typically ignored. In other words, the segment list is mutable within the SRv6 domain but cannot be changed before the HMAC TLV is processed.
- Conclusions: There is no Packet Falsification within a trusted SRv6 domain. An Integrity Verification policy such as HMAC processing should be deployed at the external interfaces of the ingress SRv6 routers, filtering SRH packets from outside the trusted domain and SRH packets from hosts within the SRv6 domain.
- Gaps: IPsec cannot provide verification for SRH.
4.3. Identity Spoofing in SRv6 Networks
As with Packet Falsification, no Identity Spoofing is possible within the boundaries of an SRv6 trusted domain where all nodes are under the control of the same administrative organization.
An authentication policy should be deployed at the external interfaces of the ingress SRv6 routers in order to validate the packets from outside of the SRv6 domain [RFC8986]. Also, the packets with SRH sent from hosts inside the SRv6 domain should be validated in order to prevent Identity Spoofing [RFC8986].
- Threats: Identity Spoofing
- Solutions: IPsec [RFC4301] (AH [RFC4302], ESP [RFC4303]) or HMAC [RFC2104] can be used for Authentication. AH, ESP and HMAC can provide Authentication of the source node, while ESP can also encrypt the payload in order to provide higher security. Same as section 3.2. To ensure that the source node uses a permitted source address for sending packets, Source Address Validation (SAV) such as BCP 84 [RFC3704] can be used.
- Conclusion: There is no Identity Spoofing within a trusted SRv6 domain. An Identity Spoofing policy should be deployed on the external interfaces of the ingress SRv6 routers for the packets from outside and the packets with SRH from hosts within the SRv6 domain.
4.4. Packet Replay in SRv6 Networks
No new Packet Replay threat is introduced by the SRH. ESP can be applied to SRv6 in order to prevent Packet Replay attacks.
4.5. DoS/DDoS in SRv6 Networks
The generation of ICMPv6 error messages may be used in order to attempt DoS (Denial-of-Service)/DDoS (Distributed Denial-of-Service) attacks by sending an error-causing destination address or SRH in back-to-back packets [RFC8754]. An implementation that correctly follows Section 2.4 of [RFC4443] would be protected by the ICMPv6 rate-limiting mechanism also in the case of packets with an SRH.
The IPv6 addresses/prefixes representing SIDs in the trusted domain may be advertised to the outside through route messages. The devices that own the SIDs can then become targets of DoS/DDoS attacks. If the attacked devices receive a very large number of DoS/DDoS packets, normal services for users will be heavily impacted.
- Threats: DoS/DDoS
- Solutions: The ICMPv6 rate-limiting mechanism as defined in [RFC4443] can be used locally to prevent ICMPv6-based attacks. DoS/DDoS mitigation tools such as Remotely Triggered Black Hole (RTBH) [RFC3882] and FlowSpec [RFC8956] can also be enabled at ingress devices for filtering, rate-limiting or redirecting the traffic of any kind of detected DoS/DDoS attack. SAV mechanisms can also be deployed at ingress points so that source address spoofing-based DoS/DDoS attacks can be blocked.
- Conclusions: There are no DoS/DDoS threats within the SRv6 domain; the threats come from outside of the domain and can be prevented by the ICMPv6 rate-limiting mechanism.
5. Security Policy Design
The basic security for intra-domain deployment is described in [RFC8986] and the enhanced security mechanism is defined in [RFC8754].
In [RFC8986], additional basic security mechanisms are defined. For easier understanding, a simple example is shown in Figure 5.
- A-E: SRv6 routers inside the SRv6 domain. A and E are the edge routers, which can also be called ingress routers.
- F: Router F outside the SRv6 domain.
- h1: A host outside the SRv6 domain that connects to Router A.
- h2: A host within the SRv6 domain that connects to Router D.
- (1): Security policy 1: ACL for External Interface.
- (2): Security policy 2: ACL for Internal Interfaces.
- (3): Security policy 3: Policy for processing HMAC, which should be deployed at the ingress nodes.
5.1. Basic Security Design
5.1.1. ACL for External Interfaces
Typically, in any trusted domain, ingress routers are configured with Access Control Lists (ACLs) that filter out any externally received packet whose SA/DA is a domain-internal address. An SRv6 router typically complies with the same rule.
A provider would generally do this for its internal address space in order to prevent access to internal addresses and in order to prevent spoofing. The technique is extended to the local SID space. However, in some use cases, a Binding SID can be leaked outside of the SRv6 domain. A detailed ACL should then be configured to take the externally advertised Binding SID into account.
5.1.2. ACL for Internal Interfaces
An SRv6 router MUST support an ACL with the following behavior:
    IF (DA == LocalSID) && (SA != internal address or SID space) :
        drop
This prevents access to locally instantiated SIDs from outside the operator's infrastructure. Note that this ACL may not be enabled in all cases. For example, specific SIDs can be used to provide resources to devices that are outside of the operator's infrastructure.
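The ACLs of Sections 5.1.1 and 5.1.2, written out as an added example that is not part of the draft or of any router implementation. The prefixes, SIDs and function names are constructed for illustration, and the Binding SID exception models the externally advertised case mentioned in Section 5.1.1.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the draft).
INTERNAL = [ipaddress.ip_network("2001:db8:100::/40")]   # infrastructure
SID_SPACE = [ipaddress.ip_network("2001:db8:f00::/40")]  # domain SID space
# SIDs instantiated on this router.
LOCAL_SIDS = {ipaddress.ip_address("2001:db8:f00:a::1"),
              ipaddress.ip_address("2001:db8:f00:a::b5")}
# Binding SIDs deliberately advertised outside the domain.
EXTERNAL_BSIDS = {ipaddress.ip_address("2001:db8:f00:a::b5")}


def in_domain(address):
    """True if the address is an internal address or in the SID space."""
    return any(address in net for net in INTERNAL + SID_SPACE)


def external_acl(sa, da):
    """Section 5.1.1: filter on interfaces facing outside the domain."""
    sa, da = ipaddress.ip_address(sa), ipaddress.ip_address(da)
    if in_domain(sa):
        return "drop"    # outside packet claiming a domain-internal source
    if da in EXTERNAL_BSIDS:
        return "permit"  # exception for an externally advertised Binding SID
    if in_domain(da):
        return "drop"    # no external access to internal addresses or SIDs
    return "permit"


def internal_acl(sa, da):
    """Section 5.1.2: IF (DA == LocalSID) && (SA != internal or SID space)."""
    sa, da = ipaddress.ip_address(sa), ipaddress.ip_address(da)
    if da in EXTERNAL_BSIDS:
        return "permit"  # the ACL is not enabled for SIDs offered to outsiders
    if da in LOCAL_SIDS and not in_domain(sa):
        return "drop"
    return "permit"


if __name__ == "__main__":
    outside, router_b = "2001:db8:ffff::9", "2001:db8:100::b"
    for sa, da in [(outside, "2001:db8:f00:a::1"),
                   (outside, "2001:db8:f00:a::b5"),
                   (router_b, "2001:db8:f00:a::1")]:
        print(sa, "->", da, external_acl(sa, da), internal_acl(sa, da))
```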
5.1.3. SID Instantiation
As per the End definition [RFC8986], an SRv6 router MUST only implement the End behavior on a local IPv6 address if that address has been explicitly enabled as an SRv6 SID.
Packets received with destination address representing a local interface that has not been enabled as an SRv6 SID MUST be dropped.
5.2. Enhanced Security Design
HMAC [RFC2104] is the enhanced security mechanism for SRv6 as defined in [RFC8754]. HMAC is used for validating the packets with SRH sent from hosts within the SRv6 domain.
Because the SRH is mutable with respect to computing the Integrity Check Value (ICV) of AH [RFC8754], AH is not directly applicable to SRv6 packets. The HMAC TLV in the SRH is used to make sure that SRH fields such as the SIDs are not changed along the path. Since the inside of the SRv6 domain is trustworthy, HMAC is processed at the ingress nodes only and can be ignored at the other nodes inside the trusted domain.
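An added example, not taken from the draft, of the ingress HMAC check described above: it computes the HMAC over the fields that [RFC8754] lists for the HMAC TLV and shows that a rewritten SID is rejected while a change to the mutable Segments Left field is not. The key table, addresses and packet dictionary are constructed for the example.

```python
import hmac
import ipaddress
import struct

# Constructed key table for the example: HMAC Key ID -> (algorithm, key).
KEYS = {0x1001: ("sha256", b"constructed-demo-key")}


def addr(a):
    return ipaddress.IPv6Address(a).packed


def compute_hmac(src, flags, key_id, segments):
    """HMAC over the fields RFC 8754 lists for the HMAC TLV: IPv6 source
    address, Last Entry, Flags, HMAC Key ID and the whole Segment List.
    Segments Left and the IPv6 destination address are not covered."""
    alg, key = KEYS[key_id]
    text = addr(src) + struct.pack("!BBI", len(segments) - 1, flags, key_id)
    text += b"".join(addr(sid) for sid in segments)
    return hmac.new(key, text, alg).digest()[:32]  # 32-octet HMAC field


def ingress_verify(pkt):
    """Ingress-node policy: accept only SRH packets with a valid HMAC TLV."""
    if pkt["hmac"] is None or pkt["key_id"] not in KEYS:
        return False
    segs, left = pkt["segments"], pkt["segments_left"]
    if not pkt["d_bit"]:
        # D bit clear: DA must equal Segment List[Segments Left].
        if not 0 <= left < len(segs) or addr(pkt["dst"]) != addr(segs[left]):
            return False
    expected = compute_hmac(pkt["src"], pkt["flags"], pkt["key_id"], segs)
    return hmac.compare_digest(expected, pkt["hmac"])


def sample_packet():
    """Constructed packet from host h2; Segment List is in SRH order
    (index 0 is the final segment)."""
    segs = ["2001:db8:0:e::1", "2001:db8:0:c::1", "2001:db8:0:b::1"]
    pkt = {"src": "2001:db8:0:d::100", "dst": segs[2], "segments": segs,
           "segments_left": 2, "flags": 0, "key_id": 0x1001, "d_bit": False}
    pkt["hmac"] = compute_hmac(pkt["src"], 0, 0x1001, segs)
    return pkt


if __name__ == "__main__":
    good = sample_packet()
    tampered = dict(good, segments=["2001:db8:0:e::1", "2001:db8:0:a::1",
                                    "2001:db8:0:b::1"])
    advanced = dict(good, segments_left=1, dst=good["segments"][1])
    print(ingress_verify(good), ingress_verify(tampered), ingress_verify(advanced))
```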
6. Security Considerations
This document attempts to give an overview of the security considerations of operating an SRv6 network. The document itself does not introduce security issues.
7. IANA Considerations
This document has no IANA actions.
Many thanks to Charles Perkins and Stefano Previdi for their valuable comments.
9.1. Normative References
- Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, <https://www.rfc-editor.org/info/rfc2119>.
- Abley, J., Savola, P., and G. Neville-Neil, "Deprecation of Type 0 Routing Headers in IPv6", RFC 5095, DOI 10.17487/RFC5095, <https://www.rfc-editor.org/info/rfc5095>.
- Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, <https://www.rfc-editor.org/info/rfc8174>.
- Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, <https://www.rfc-editor.org/info/rfc8200>.
- Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L., Decraene, B., Litkowski, S., and R. Shakir, "Segment Routing Architecture", RFC 8402, DOI 10.17487/RFC8402, <https://www.rfc-editor.org/info/rfc8402>.
- Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J., Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header (SRH)", RFC 8754, DOI 10.17487/RFC8754, <https://www.rfc-editor.org/info/rfc8754>.
9.2. Informative References
- Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, <https://www.rfc-editor.org/info/rfc2104>.
- Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, DOI 10.17487/RFC3704, <https://www.rfc-editor.org/info/rfc3704>.
- Turk, D., "Configuring BGP to Block Denial-of-Service Attacks", RFC 3882, DOI 10.17487/RFC3882, <https://www.rfc-editor.org/info/rfc3882>.
- Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, <https://www.rfc-editor.org/info/rfc4301>.
- Kent, S., "IP Authentication Header", RFC 4302, DOI 10.17487/RFC4302, <https://www.rfc-editor.org/info/rfc4302>.
- Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, <https://www.rfc-editor.org/info/rfc4303>.
- Conta, A., Deering, S., and M. Gupta, Ed., "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", STD 89, RFC 4443, DOI 10.17487/RFC4443, <https://www.rfc-editor.org/info/rfc4443>.
- Davies, E., Krishnan, S., and P. Savola, "IPv6 Transition/Co-existence Security Considerations", RFC 4942, DOI 10.17487/RFC4942, <https://www.rfc-editor.org/info/rfc4942>.
- Loibl, C., Ed., Raszuk, R., Ed., and S. Hares, Ed., "Dissemination of Flow Specification Rules for IPv6", RFC 8956, DOI 10.17487/RFC8956, <https://www.rfc-editor.org/info/rfc8956>.
- Filsfils, C., Ed., Camarillo, P., Ed., Leddy, J., Voyer, D., Matsushima, S., and Z. Li, "Segment Routing over IPv6 (SRv6) Network Programming", RFC 8986, DOI 10.17487/RFC8986, <https://www.rfc-editor.org/info/rfc8986>.
- Vyncke, É., Chittimaneni, K., Kaeo, M., and E. Rey, "Operational Security Considerations for IPv6 Networks", RFC 9099, DOI 10.17487/RFC9099, <https://www.rfc-editor.org/info/rfc9099>.