Dear authors:
Thank you for the clear treatment of SRv6 threats and mitigations in
draft-ietf-spring-srv6-security-05. In parallel, I'd like to draw the WG's
attention to the RTGWG draft "Multi-segment SD-WAN via Cloud DCs"
(https://datatracker.ietf.org/doc/draft-ietf-rtgwg-multisegment-sdwan/ ), which
describes an overlay pattern where a GENEVE header is added outside ESP so
transit nodes can steer encrypted traffic. When SRH is used as a
policy/steering carrier, it plays a very similar role to GENEVE; therefore,
several of Multisegment-SDWAN draft's Security Considerations and mitigations
are directly applicable here-especially authenticating the outer policy header
across multi-admin segments, treating filtering as helpful but insufficient by
itself, and adopting strict error-handling (drop on auth failure, discard
malformed TLVs, rate-limit/log). Although SRH often resides within a provider
SR domain, packets may traverse provider or inter-domain paths; the same
integrity requirements apply in those cases.
Suggested additions:
Location: end of ยง7.3 "Hashed Message Authentication Code (HMAC)" :
SRH used as a policy carrier across untrusted segments. In deployments
where SRH conveys steering/policy information that affects forwarding, the SRH
plays a role analogous to the GENEVE header in RTGWG's Multi-segment SD-WAN: a
clear-text outer header whose fields guide transit behavior while payload
confidentiality is preserved end-to-end by ESP. When such traffic may traverse
infrastructure outside a single administrative trust boundary (e.g., provider
domains or inter-domain paths), endpoints SHOULD enable the SRH HMAC TLV to
provide integrity and origin authentication for the segment list,
flags/Last-Entry, and relevant SRH TLVs, and nodes MUST drop packets that fail
SRH-HMAC validation. Reliance on boundary filtering alone is operationally
fragile and does not mitigate on-path modification or off-path insertion.
Operational handling. When SRH carries policy semantics, implementations
SHOULD (i) discard malformed SRH or invalid TLVs; (ii) drop on authentication
failure; (iii) rate-limit and log repeated failures; and (iv) reject misrouted
packets that lack an authorized destination/egress. These behaviors mirror the
processing/error-handling recommended for the GENEVE policy header in
Multi-segment SD-WAN and improve robustness when SRH crosses multi-admin paths.
Best Regards,
Linda Dunbar
-----Original Message-----
From: [email protected] <[email protected]>
Sent: Thursday, August 21, 2025 1:12 PM
To: [email protected]
Cc: [email protected]
Subject: [spring] I-D Action: draft-ietf-spring-srv6-security-05.txt
Internet-Draft draft-ietf-spring-srv6-security-05.txt is now available. It is a
work item of the Source Packet Routing in Networking (SPRING) WG of the IETF.
Title: Segment Routing IPv6 Security Considerations
Authors: Nick Buraglio
Tal Mizrahi
Tian Tong
Luis M. Contreras
Fernando Gont
Name: draft-ietf-spring-srv6-security-05.txt
Pages: 30
Dates: 2025-08-21
Abstract:
SRv6 is a traffic engineering, encapsulation and steering mechanism
utilizing IPv6 addresses to identify segments in a pre-defined
policy. This document discusses security considerations in SRv6
networks, including the potential threats and the possible mitigation
methods. The document does not define any new security protocols or
extensions to existing protocols.
The IETF datatracker status page for this Internet-Draft is:
https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-spring-srv6-security%2F&data=05%7C02%7Clinda.dunbar%40futurewei.com%7C1cf74d10e7b743c88f9b08dde0ef198a%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C638914039706823097%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=vLgmoPnbonryWsYA44w33VQBsLh1yIKyh64C9yKyAFU%3D&reserved=0
There is also an HTML version available at:
https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-spring-srv6-security-05.html&data=05%7C02%7Clinda.dunbar%40futurewei.com%7C1cf74d10e7b743c88f9b08dde0ef198a%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C638914039706849123%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=jR%2FpIsIFFA9HilIcObTUZKdF1qxr5s7t4d8Fa%2F9V7Eg%3D&reserved=0
A diff from the previous version is available at:
https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthor-tools.ietf.org%2Fiddiff%3Furl2%3Ddraft-ietf-spring-srv6-security-05&data=05%7C02%7Clinda.dunbar%40futurewei.com%7C1cf74d10e7b743c88f9b08dde0ef198a%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C638914039706863918%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=OyMvEcPzGyD9uGL7ZvImCat%2Bkp3i%2Ba9956HfM%2Fc65FU%3D&reserved=0
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
_______________________________________________
spring mailing list -- [email protected]<mailto:[email protected]>
To unsubscribe send an email to
[email protected]<mailto:[email protected]>
_______________________________________________
spring mailing list -- [email protected]
To unsubscribe send an email to [email protected]
