Skip to main content

Last Call Review of draft-ietf-idr-bgpls-srv6-ext-12
review-ietf-idr-bgpls-srv6-ext-12-rtgdir-lc-bryant-2022-11-27-00

Request Review of draft-ietf-idr-bgpls-srv6-ext
Requested revision No specific revision (document currently at 13)
Type Last Call Review
Team Routing Area Directorate (rtgdir)
Deadline 2022-10-31
Requested 2022-10-14
Requested by Alvaro Retana
Authors Gaurav Dawra , Clarence Filsfils , Ketan Talaulikar , Mach Chen , Daniel Bernier , Bruno Decraene
Draft last updated 2022-11-27
Completed reviews Opsdir Early review of -08 by Dan Romascanu (diff)
Rtgdir Early review of -07 by Adrian Farrel (diff)
Secdir Early review of -09 by Stephen Farrell (diff)
Rtgdir Last Call review of -12 by Stewart Bryant (diff)
Intdir Telechat review of -12 by Timothy Winters (diff)
Assignment Reviewer Stewart Bryant
State Completed
Review review-ietf-idr-bgpls-srv6-ext-12-rtgdir-lc-bryant-2022-11-27
Posted at https://mailarchive.ietf.org/arch/msg/rtg-dir/Zli0PZPtgzLtIEAhKFTRZGduhz0
Reviewed revision 12 (document currently at 13)
Result Has Issues
Completed 2022-11-27
review-ietf-idr-bgpls-srv6-ext-12-rtgdir-lc-bryant-2022-11-27-00
I apologies for the lateness of this last call review.

The routing technology in this specification seems fine, however I do have
concerns over the network security.

From the text in the introduction is says: "On similar lines, introducing the
SRv6 related information in BGP-LS allows consumer applications that require
topological visibility to also receive the SRv6 SIDs from nodes across an IGP
domain or even across Autonomous Systems (AS), as required.  This allows
applications to leverage the SRv6 capabilities for network programming."

Then in the security section it says "SR operates within a trusted domain
[RFC8402] and its security considerations also apply to BGP-LS sessions when
carrying SR information."

I am concerned that the exposure of sensitive network information outside the
network as proposed here represents a significant security risk. I am also
concerned that the increased (practically unconstrained) exposure to the threat
of hostile actors.

The "trusted domain" concept which is fundamental to SRv6 is fragile at best.
The scope of the domain and the method of policing are not well described, and
unlike MPLS which successfully operates that model, SRv6 does not have the
advantage of being able to automatically classify external traffic as being of
an alien type. With this specification the domain is expanded from the network
itself to some subset of the applications using the network. It is difficult to
see how the scope and size of the threat to the network is contained in this
operational model and I do not see text that help the operator in that regard.
Applications significantly increase the size of the code base and number of
organizations that can introduce a threat, and by their nature expand the
geographic area of risk in an unconstrained way, perhaps to the full Internet.

I believe that a more complete review of the security model is needed before
this specification is finalised.