Andrew,

While I cannot solve all your concerns about SRv6 security in general, we have added some text about potential security implications (like DoS attacks) for replication in the new revision of the draft.

I hope you can review the new text,

-Rishabh

On Wed, Jul 5, 2023 at 11:31 AM Andrew Alston via Datatracker <nore...@ietf.org> wrote:

> Andrew Alston has entered the following ballot position for
> draft-ietf-spring-sr-replication-segment-15: Abstain
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I've been back and forth on this having read the document several times -
> and I have to join Warren in an abstention here - for very similar reasons.
> While I view the security issues in this document as stemming from a former
> document (RFC8402) - the way I see it, we're building on quicksand here.
>
> Yes, RFC8402 says that SRv6 must run in a trusted domain - however, the
> practical methods of enforcing the trusted domain seem woefully lacking,
> and then, in addition to that when dealing with replication we then compound
> the issues created by potential packet injection. I simply cannot see how I
> can no-object to this, however, I also fully understand the criteria for
> discuss ballots, and since these issues stem from RFC8402 I do not feel that
> I'm on solid ground balloting discuss. As such, I must abstain.
>
> _______________________________________________
> spring mailing list
> spring@ietf.org
> https://www.ietf.org/mailman/listinfo/spring