Hi Buraglio,

I am the author of draft-li-spring-srv6-security-consideration; the draft is still being worked on. We will use the draft to track the security considerations until the major SRv6 standards are published as RFCs, so it will be updated as needed.
To me, no matter what prefix is used in deployment, the filter MUST be added. Even for a prefix like ULA, the filter rules are needed. But operators are free to make some exceptions if they want to leak some SIDs outside the domain for some use cases, when they think doing that will have more benefits.

Thanks,
Cheng

From: spring [mailto:spring-boun...@ietf.org] On Behalf Of Nick Buraglio
Sent: Saturday, October 8, 2022 12:41 AM
To: Dale W. Carder <dwcar...@es.net>
Cc: SPRING WG List <spring@ietf.org>; 6man <i...@ietf.org>; Suresh Krishnan <suresh.krish...@gmail.com>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

On Fri, Oct 7, 2022 at 9:49 AM Dale W. Carder <dwcar...@es.net> wrote:

> Thus spake Nick Buraglio (burag...@es.net) on Fri, Oct 07, 2022 at 06:20:12AM -0500:
> > On Thu, Oct 6, 2022 at 10:15 PM Joel Halpern <j...@joelhalpern.com> wrote:
> > > I wonder if we could / should add a sentence or two related to the address block noting that if an operator chooses to use other address blocks for the SRv6 SIDs then they need to be extra careful about configuring their edge filters to prevent leaks inwards or outwards?
> >
> > This is a large concern I have heard within the operational community and I believe it should be noted as a best operational practice.
>
> Is draft-li-spring-srv6-security-consideration still being worked on? (I have not been able to keep up to date w/ spring) That may be a more comprehensive document to reference.

Section 4.2. of draft-li-spring-srv6-security-consideration lightly touches on the filtering at the edges of an SR domain. It's seemingly still in active status.

> Looking around through different docs again, RFC8754 has some relevant text, and specifically section 8.2 (SRv6 section) of 8402:
>
>     SR domain boundary routers MUST filter any external traffic destined to an address within the SRGB of the trusted domain or the SRLB of the specific boundary router. External traffic is any traffic received from an interface connected to a node outside the domain of trust.
>
> could perhaps be a useful reference.
>
> Dale
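The rule quoted from RFC 8402 section 8.2 (and the point in the thread that it applies even when the SID block is a ULA prefix, with operator-chosen exceptions) can be expressed as a small boundary-filter policy. The following is an added example written for this page, not code from the thread, the draft or any vendor; the prefixes, interface names and packet records are all constructed, and the outbound "leak" check generalizes the inbound rule to the "leaks outwards" case Joel raised.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network


@dataclass
class SrBoundaryFilter:
    """Edge-filter policy for one SR domain boundary router.

    Every value used with this class below is constructed for illustration.
    """
    srgb: list            # domain-wide SID block(s), e.g. a ULA or dedicated prefix
    srlb: list            # this boundary router's local SID block(s)
    external_ifaces: set  # interfaces attached to nodes outside the domain of trust
    exceptions: list = field(default_factory=list)  # SIDs the operator chose to expose

    @staticmethod
    def _in_any(addr, nets):
        return any(addr in net for net in nets)

    def verdict(self, iface, direction, dst):
        """Return 'permit' or 'drop' for a packet on iface.

        direction is 'in' (received on iface) or 'out' (about to leave via iface).
        """
        if iface not in self.external_ifaces:
            return "permit"           # the rule applies only at the trust boundary
        d = IPv6Address(dst)
        if self._in_any(d, self.exceptions):
            return "permit"           # operator-chosen exception, deliberately leaked SID
        if self._in_any(d, self.srgb + self.srlb):
            # 'in':  external traffic aimed at a SID (RFC 8402 section 8.2)
            # 'out': a SID-addressed packet about to leak out of the domain
            return "drop"
        return "permit"


def apply_filter(policy, records):
    """Run packet records (iface, direction, dst) through the policy."""
    return [(r, policy.verdict(*r)) for r in records]


def drop_count(results):
    return sum(1 for _, v in results if v == "drop")


# Constructed example: a domain that carved its SIDs out of a ULA block,
# which is exactly the case where an operator might be tempted to skip the filter.
POLICY = SrBoundaryFilter(
    srgb=[IPv6Network("fd00:1234::/32")],
    srlb=[IPv6Network("fd00:5678::/48")],
    external_ifaces={"et-0/0/0"},
    exceptions=[IPv6Network("fd00:1234:0:77::/64")],
)

# Constructed packet records: (ingress/egress interface, direction, destination)
SAMPLE_PACKETS = [
    ("et-0/0/0", "in",  "fd00:1234:0:1::2"),   # external -> domain SID: drop
    ("et-0/0/0", "in",  "fd00:5678:0:1::5"),   # external -> this router's local SID: drop
    ("et-0/0/0", "in",  "fd00:1234:0:77::9"),  # external -> intentionally exposed SID: permit
    ("et-0/0/0", "in",  "2001:db8::1"),        # external -> ordinary destination: permit
    ("et-0/0/0", "out", "fd00:1234:0:1::2"),   # SID-addressed packet leaving the domain: drop
    ("et-0/0/1", "in",  "fd00:1234:0:1::2"),   # internal interface: not subject to the rule
]

if __name__ == "__main__":
    for rec, v in apply_filter(POLICY, SAMPLE_PACKETS):
        print(f"{v:6} {rec[0]} {rec[1]:3} {rec[2]}")
```

The exception list is checked before the SID blocks so that an operator can expose a specific SID range on purpose without weakening the default; everything else inside the SRGB or SRLB is dropped at the external interface regardless of whether the block is ULA or a global prefix.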