On Mar 28, 2023, at 11:24, Adrian Farrel <adr...@olddog.co.uk> wrote:
> [Spring cc’ed because, well, you know, SR. I wonder whether 6man and 6ops
> should care as well.]

SPRING cc’ed because, you know, replying to Adrian’s email. Agree that 6man and 6ops [sh|w]ould be interested.

> tl;dr
> I think this is a good initiative and worth discussion. Thanks
> for the draft.

Agree. In particular:

1. There is an acknowledged security problem. Might be worth summarizing, as it is central to this draft, but an example is in RFC 8402, Section 8. Section 3 of this draft (“The SRv6 Security Problem”) doesn’t actually describe the security problem; Section 5 does, briefly.

2. The solution (using a new EtherType, SRv6-ET) is a good one. It’s sad that this wasn’t done from the get-go, as the solution is a bit “evil bit”-ish. I’d prefer to see ALL SRv6 packets (i.e., those containing SRH) use SRv6-ET. Boundary routers SHOULD drop packets with SRv6-ET that cross the boundary in either direction; all routers MUST drop packets with SRH that don’t have SRv6-ET. Yeah, difficult, but the added security is worth it.

3. Ease of secure deployment is a major consideration; this draft is a big step in that direction.

4. As Adrian said, several nits. Will send separately to authors.

Kireeti
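The two drop rules proposed in point 2, written out as a frame classifier; this is an added illustration, not code from the draft or from anyone in the thread. The SRv6-ET code point is a placeholder (the draft's actual value is not given here), `has_srh`, `frame_verdict` and `sample_frame` are names chosen for this example, and the frames are constructed rather than captured.

```python
import struct

# Placeholder for the proposed SRv6-ET EtherType: the draft's real code point
# is not given here, so an IEEE local-experimental value is assumed instead.
SRV6_ET = 0x88B5
ETH_P_IPV6 = 0x86DD
NH_ROUTING, RT_SRH = 43, 4
# Extension headers with a next-header/length prefix that may precede the SRH.
EXT_HEADERS = {0, 43, 44, 51, 60}  # HBH, routing, fragment, AH, dst opts

def has_srh(ipv6: bytes) -> bool:
    """Walk the IPv6 extension-header chain; True if a routing header of type 4 (SRH) is present."""
    if len(ipv6) < 40 or ipv6[0] >> 4 != 6:
        return False
    nh, off = ipv6[6], 40
    while nh in EXT_HEADERS and off + 3 <= len(ipv6):
        if nh == NH_ROUTING and ipv6[off + 2] == RT_SRH:
            return True
        nxt, ext_len = ipv6[off], ipv6[off + 1]
        if nh == 44:            # fragment header is a fixed 8 bytes
            size = 8
        elif nh == 51:          # AH length is in 4-byte units, minus 2
            size = (ext_len + 2) * 4
        else:                   # other extension headers: 8-byte units, minus 1
            size = (ext_len + 1) * 8
        nh, off = nxt, off + size
    return False

def frame_verdict(frame: bytes, at_boundary: bool) -> str:
    """Boundary routers drop SRv6-ET frames; every router drops an SRH not carried in SRv6-ET."""
    if len(frame) < 14:
        return "drop: runt frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == SRV6_ET:
        return "drop: SRv6-ET crossing boundary" if at_boundary else "forward"
    if ethertype == ETH_P_IPV6 and has_srh(frame[14:]):
        return "drop: SRH without SRv6-ET"
    return "forward"

def sample_frame(ethertype: int, with_srh: bool) -> bytes:
    """Constructed test frame (not captured traffic): minimal IPv6 packet, optionally with a 1-segment SRH."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")
    if with_srh:  # SRH: next hdr 59 (none), ext len 2 (24 bytes), type 4, 1 segment
        srh = bytes([59, 2, RT_SRH, 0, 0, 0, 0, 0]) + dst
        ipv6 = struct.pack("!IHBB", 0x60000000, len(srh), NH_ROUTING, 64) + src + dst + srh
    else:
        ipv6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64) + src + dst
    return b"\x00" * 12 + struct.pack("!H", ethertype) + ipv6
```

The same rule set applies unchanged whether the SRH is the first extension header or sits behind a hop-by-hop or destination options header, which is why the chain is walked rather than checked at a fixed offset.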
_______________________________________________ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area