
Last Call Review of draft-ietf-idr-bgpls-srv6-ext-12
review-ietf-idr-bgpls-srv6-ext-12-rtgdir-lc-bryant-2022-11-27-00

Request Review of draft-ietf-idr-bgpls-srv6-ext
Requested revision No specific revision (document currently at 14)
Type Last Call Review
Team Routing Area Directorate (rtgdir)
Deadline 2022-10-31
Requested 2022-10-14
Requested by Alvaro Retana
Authors Gaurav Dawra , Clarence Filsfils , Ketan Talaulikar , Mach Chen , Daniel Bernier , Bruno Decraene
I-D last updated 2022-11-27
Completed reviews Opsdir Early review of -08 by Dan Romascanu (diff)
Rtgdir Early review of -07 by Adrian Farrel (diff)
Secdir Early review of -09 by Stephen Farrell (diff)
Rtgdir Last Call review of -12 by Stewart Bryant (diff)
Intdir Telechat review of -12 by Timothy Winters (diff)
Assignment Reviewer Stewart Bryant
State Completed
Request Last Call review on draft-ietf-idr-bgpls-srv6-ext by Routing Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/rtg-dir/Zli0PZPtgzLtIEAhKFTRZGduhz0
Reviewed revision 12 (document currently at 14)
Result Has issues
Completed 2022-11-27
I apologise for the lateness of this last call review.

The routing technology in this specification seems fine; however, I do have
concerns over the network security.

The text in the introduction says: "On similar lines, introducing the
SRv6 related information in BGP-LS allows consumer applications that require
topological visibility to also receive the SRv6 SIDs from nodes across an IGP
domain or even across Autonomous Systems (AS), as required.  This allows
applications to leverage the SRv6 capabilities for network programming."

Then in the security section it says "SR operates within a trusted domain
[RFC8402] and its security considerations also apply to BGP-LS sessions when
carrying SR information."

I am concerned that the exposure of sensitive network information outside the
network as proposed here represents a significant security risk. I am also
concerned about the increased (practically unconstrained) exposure to the threat
of hostile actors.

The "trusted domain" concept which is fundamental to SRv6 is fragile at best.
The scope of the domain and the method of policing are not well described, and
unlike MPLS which successfully operates that model, SRv6 does not have the
advantage of being able to automatically classify external traffic as being of
an alien type. With this specification the domain is expanded from the network
itself to some subset of the applications using the network. It is difficult to
see how the scope and size of the threat to the network is contained in this
operational model, and I do not see text that helps the operator in that regard.
Applications significantly increase the size of the code base and number of
organizations that can introduce a threat, and by their nature expand the
geographic area of risk in an unconstrained way, perhaps to the full Internet.

I believe that a more complete review of the security model is needed before
this specification is finalised.
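The contrast the review draws between MPLS and SRv6 boundary policing, written out as a small added illustration (not part of the review or the draft): an external interface can reject MPLS simply because labelled frames carry a non-IP ethertype, whereas SRv6 traffic is ordinary IPv6, so the domain boundary only holds if the operator explicitly filters on the SID block (the filtering RFC 8754's security considerations describe). The SID block 2001:db8:ff::/48, the frame layout and the sample frames are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed SRv6 SID block for the domain (documentation prefix, an assumption).
SID_BLOCK = ipaddress.ip_network("2001:db8:ff::/48")

ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_MPLS = 0x8847
ROUTING_TYPE_SRH = 4  # IPv6 Routing Header type for the SRH (RFC 8754)


@dataclass(frozen=True)
class Frame:
    """Minimal constructed view of a frame arriving on an external interface."""
    ethertype: int
    dst: Optional[str] = None              # IPv6 destination address, if IPv6
    routing_type: Optional[int] = None     # IPv6 routing header type, if any
    segments: Tuple[str, ...] = ()         # SRH segment list, if present


def mpls_border_policy(frame: Frame) -> str:
    """MPLS model: labelled frames are of an alien type on an external
    interface and are rejected without any operator-configured filter."""
    if frame.ethertype == ETHERTYPE_MPLS:
        return "drop: labelled frame on external interface"
    return "accept"


def srv6_unfiltered_policy(frame: Frame) -> str:
    """SRv6 without explicit boundary filtering: SRv6 packets are plain IPv6,
    so nothing distinguishes them from ordinary Internet traffic."""
    return "accept"


def srv6_border_policy(frame: Frame) -> str:
    """SRv6 with the boundary filter the operator must configure: drop packets
    whose destination, or any SRH segment, falls inside the domain's SID block."""
    if frame.ethertype != ETHERTYPE_IPV6 or frame.dst is None:
        return "accept"
    if ipaddress.ip_address(frame.dst) in SID_BLOCK:
        return "drop: destination in SID block"
    if frame.routing_type == ROUTING_TYPE_SRH:
        for seg in frame.segments:
            if ipaddress.ip_address(seg) in SID_BLOCK:
                return "drop: SRH segment targets SID block"
    return "accept"


# Constructed sample frames arriving from outside the domain.
SAMPLE_FRAMES = {
    "mpls_labelled": Frame(ETHERTYPE_MPLS),
    "ipv6_ordinary": Frame(ETHERTYPE_IPV6, dst="2001:db8:1::10"),
    "ipv6_to_sid": Frame(ETHERTYPE_IPV6, dst="2001:db8:ff::1"),
    "ipv6_srh_via_sid": Frame(
        ETHERTYPE_IPV6,
        dst="2001:db8:1::10",
        routing_type=ROUTING_TYPE_SRH,
        segments=("2001:db8:ff::2", "2001:db8:1::10"),
    ),
}


def evaluate(policy) -> dict:
    """Apply one boundary policy to every sample frame; returns name -> verdict."""
    return {name: policy(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, policy in (
        ("MPLS border", mpls_border_policy),
        ("SRv6, no filter", srv6_unfiltered_policy),
        ("SRv6, SID-block filter", srv6_border_policy),
    ):
        print(label)
        for name, verdict in evaluate(policy).items():
            print(f"  {name:18s} {verdict}")
```

Running it shows the asymmetry the review points at: the labelled frame is dropped by the MPLS model with no configuration, while both SRv6 frames aimed at the SID block pass the unfiltered policy and are only caught once the SID-block filter is in place. Any interface that is not covered by that filter, including one opened to an application consuming BGP-LS data from outside the network, is effectively inside the trusted domain.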