On Fri, Oct 7, 2022 at 9:49 AM Dale W. Carder <dwcar...@es.net> wrote:
> Thus spake Nick Buraglio (burag...@es.net) on Fri, Oct 07, 2022 at 06:20:12AM -0500:
> > On Thu, Oct 6, 2022 at 10:15 PM Joel Halpern <j...@joelhalpern.com> wrote:
> >
> > > I wonder if we could / should add a sentence or two related to the address
> > > block noting that if an operator chooses to use other address blocks for
> > > the SRv6 SIDs then they need to be extra careful about configuring their
> > > edge filters to prevent leaks inwards or outwards?
> > >
> >
> > This is a large concern I have heard within the operational community and I
> > believe it should be noted as a best operational practice.
>
> Is draft-li-spring-srv6-security-consideration still being worked on?
> (I have not been able to keep up to date w/ spring) That may be a more
> comprehensive document to reference.
>

Section 4.2. of draft-li-spring-srv6-security-consideration lightly touches on the filtering at the edges of an SR domain. It's seemingly still in active status. Looking around through different docs again, RFC8754 has some relevant text, and specifically section 8.2 (SRv6 section) of 8402:

*SR domain boundary routers MUST filter any external traffic destined to an address within the SRGB of the trusted domain or the SRLB of the specific boundary router. External traffic is any traffic received from an interface connected to a node outside the domain of trust.*

could perhaps be a useful reference.

> Dale
_______________________________________________
spring mailing list
spring@ietf.org
https://www.ietf.org/mailman/listinfo/spring
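
An added example, not part of the thread: a small audit of the edge-filter concern discussed above, checking that every SRv6 SID block is covered by a deny rule on every external interface in both directions. The prefixes (documentation space), the interface names and the (interface, direction, denied destination prefix) rule format are constructed assumptions, not any vendor's ACL export.

```python
import ipaddress

# Constructed sample data (assumptions): SID blocks chosen by the operator,
# external-facing interfaces, and deny rules as (iface, direction, dst prefix).
SID_BLOCKS = ["2001:db8:5100::/40", "2001:db8:a000::/48"]
EXTERNAL_IFACES = ["ext0", "ext1"]
DENY_RULES = [
    ("ext0", "in",  "2001:db8:5100::/40"),
    ("ext0", "out", "2001:db8:5100::/40"),
    ("ext0", "in",  "2001:db8:a000::/44"),   # covering supernet
    ("ext0", "out", "2001:db8:a000::/48"),
    ("ext1", "in",  "2001:db8:5100::/40"),
    ("ext1", "in",  "2001:db8:a000::/48"),
    ("ext1", "out", "2001:db8:5100::/41"),   # covers only half of the /40
]


def find_filter_gaps(sid_blocks, ifaces, deny_rules):
    """Return sorted (iface, direction, sid_block) tuples with no covering deny.

    A SID block counts as covered when it falls entirely inside the union of
    the deny prefixes configured for that interface and direction.
    """
    rules = {}
    for iface, direction, prefix in deny_rules:
        net = ipaddress.ip_network(prefix)
        rules.setdefault((iface, direction), []).append(net)

    gaps = []
    for block in (ipaddress.ip_network(b) for b in sid_blocks):
        for iface in ifaces:
            for direction in ("in", "out"):
                same_family = [n for n in rules.get((iface, direction), [])
                               if n.version == block.version]
                # Merge adjacent/overlapping denies so two /41s count as a /40.
                merged = ipaddress.collapse_addresses(same_family)
                if not any(block.subnet_of(n) for n in merged):
                    gaps.append((iface, direction, str(block)))
    return sorted(gaps)


if __name__ == "__main__":
    for iface, direction, block in find_filter_gaps(
            SID_BLOCKS, EXTERNAL_IFACES, DENY_RULES):
        print(f"GAP: {block} not filtered {direction}bound on {iface}")
```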