Hi Phillip,

Thanks for your review of the "draft-ietf-rtgwg-srv6-egress-protection-16". This draft indeed raises security concerns regarding the rerouting of traffic around egress node or link failures within a single administrative domain. However, these concerns are not unique to this proposal but are rather common in network environments.

Specifically:

Security within a Single Administrative Domain

The assumption of a "single administrative domain" does limit certain types of attacks since nodes within the domain are typically protected by unified security policies. However, as you pointed out, attackers might indirectly affect traffic paths within the target domain by launching broader network attacks, such as denial-of-service attacks on other transit domains. Such attack methods do not rely on the protection mechanisms proposed in the draft but rather exploit the characteristics of network topology and routing protocols.

Possibility of Cross-Domain Attacks

The cross-domain attack scenario you mentioned (such as BGP attacks by Country X on Country Y) is indeed a real-world issue. The goal of such attacks is to manipulate routing information to change traffic paths and redirect traffic to websites or services controlled by the attacker. The root cause of these attacks lies in the security vulnerabilities of the BGP protocol, not the SRv6 egress protection mechanism proposed in the draft. In fact, the SRv6 egress protection mechanism is designed to quickly restore faults within the administrative domain and is not intended to address cross-domain attack issues.

Leverage for Attackers

The mechanisms proposed in the draft do not provide new leverage for attackers. On the contrary, they quickly switch to backup paths within the administrative domain to reduce the impact of faults on network services. This mechanism was designed with the security of the administrative domain in mind, such as using stronger authentication mechanisms (like ISO10589, RFC5304, RFC5310, etc.) to protect IS-IS and OSPFv3 protocols.

Mitigation Measures

For the attack scenarios you mentioned, mitigation measures should focus on strengthening the security of cross-domain traffic and the authentication mechanisms of routing protocols.
For example, using strong authentication mechanisms for BGP (such as RFC4552 and RFC7166) can prevent the spread of malicious routing information. Additionally, network operators can reduce dependence on single transit paths by using traffic engineering and policy-based routing.

Best Regards!

===============================================
Tao He
Next Generation Internet Research Department
Research Institute
CHINA UNITED NETWORK COMMUNICATIONS CORPORATION LIMITED
Mobile: +86-18618484923
E-mail: he...@chinaunicom.cn

From: Phillip Hallam-Baker via Datatracker
Date: 2024-11-02 20:14
To: sec...@ietf.org
CC: draft-ietf-rtgwg-srv6-egress-protection.all; rtgwg
Subject: [secdir] Secdir early review of draft-ietf-rtgwg-srv6-egress-protection-16

Reviewer: Phillip Hallam-Baker
Review result: Has Issues

I have reviewed this document and in general, it seems ready. While it does raise serious security concerns, it is not clear that these are new to this proposal or that this proposal gives more leverage to an attacker.

Specifically, the draft stipulates that 'the area is in a single administrative domain' the security considerations describes one set of attacks arising from customers served by the domain. However, this set of attacks may be broader than described.

Consider for instance the case where there are two domains A and B that provide transit for ISP C. An attacker that wants to ensure C is serviced exclusively by B might perform a denial of service attack on A so as to increase the cost of that route so as to achieve that goal.

A real world attack that has been seen in the past is country X preparing for an invasion of country Y, performing BGP level attacks to effectively reroute Internet traffic within Y so that the government Web sites were serviced by fake sites set up by X. These sites containing messages of the form 'don't worry about the military exercises'.