Warren,

Though I cannot address SR in general, we have added some text about possible DoS attacks in the Security section of the new revision of the draft. I hope you can review it.

Thanks,
-Rishabh

On Wed, Jul 5, 2023 at 11:19 AM Warren Kumari via Datatracker <nore...@ietf.org> wrote:

> Warren Kumari has entered the following ballot position for
> draft-ietf-spring-sr-replication-segment-15: Abstain
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I am balloting Abstain (in the "I oppose this document but understand that
> others differ and am not going to stand in the way of the others." sense)
> on this document as I cannot in good conscience ballot NoObj.
>
> The Security Considerations hinge on "An SR domain operates within an
> assumed trust domain as specified in Security Considerations of RFC 8402.
> Traffic must be filtered at SR domain boundaries to prevent malicious
> replication of packets." Firstly I'll note that this isn't really what the
> Security Considerations section of RFC8042 actually says (it is really
> short, but says: "**By default**, SR operates within a trusted domain.
> Traffic MUST be filtered at the domain boundaries." (emphasis mine)), but
> secondly, this talks about replication of traffic (AKA a DoS amplifier).
> I believe that the document (and SR in general) needs to do a much better
> job of discussing the security / DoS implications of what happens when an
> attacker is able to inject traffic into the SR domain (e.g. because they
> have 0wned a node within the network).
>
> I'm balloting Abstain instead of DISCUSS because I've raised this objection
> multiple times on multiple documents, and no longer have the stomach to
> have this fight yet again.
>
> _______________________________________________
> spring mailing list
> spring@ietf.org
> https://www.ietf.org/mailman/listinfo/spring