On November 20, 2024 at 4:50:13 PM, Roman Danyliw wrote:
Hi Roman!

> ----------------------------------------------------------------------
> BLOCK:
> ----------------------------------------------------------------------
>
> (1) Is the Segment Routing Architecture (RFC8402) being revised?

No.

> By default, Segment Routing operates within a trusted domain and
> requires the enforcement of a strict boundary to prevent Segment
> Routing packets from entering the trusted domain [rfc8402]. Some
> deployments may involve multiple trusted domains and the use of
> cross/inter-domain segments. Documents which deal with such
> situations need to include a risk analysis and use mechanisms to
> validate that the segment list is provided by an authorized entity
> and has not been modified in transit.
>
> Aren’t these “deployment … involving multiple trusted domains” at odds with
> the security considerations of RFC8402? Is this text rescoping SR from a
> single trusted domain to effectively the Internet (i.e., what’s the
> difference between the internet and cross/inter-domain segments)?

No, and no.

First of all, the text above is not a significant change from the current charter text, which reads:

   The scope of the SPRING WG work includes both single Autonomous
   System (AS) and multi-AS environments. Segment Routing typically
   operates within a single trust domain which requires the enforcement
   of a strict boundary and preventing Segment Routing packets from
   entering the trusted domain from the untrusted exterior. Certain
   deployments may however involve multiple trust domains which in turn
   may imply the use of cross/inter domain segments. Risk models
   associated with these various scenarios may necessitate the use of a
   cryptographic integrity checks to validate that the segment list is
   provided by an authorised entity.

The new text includes a reference to rfc8402 where a "trusted domain" is introduced -- we also explicitly paraphrased the text from §8 (Security Considerations): "By default, SR operates within a trusted domain. Traffic MUST be filtered at the domain boundaries." Also, the text about the segment list being provided by an authorized entity (last sentence) is clarified. The scope is not changed.

[Note that the current charter was approved *after* the publication of rfc8402.]

To your specific question...

rfc8402 defines an SR domain as follows (from §2):

   Segment Routing domain (SR domain): the set of nodes participating
   in the source-based routing model. These nodes may be connected to
   the same physical infrastructure (e.g., a Service Provider's
   network). They may as well be remotely connected to each other
   (e.g., an enterprise VPN or an overlay). If multiple protocol
   instances are deployed, the SR domain most commonly includes all of
   the protocol instances in a network. However, some deployments may
   wish to subdivide the network into multiple SR domains, each of
   which includes one or more protocol instances. It is expected that
   all nodes in an SR domain are managed by the same administrative
   entity.

The definition is important because it (1) contemplates "multiple protocol instances" (an example could be multiple BGP instances, which implies different autonomous systems), (2) contemplates "multiple SR domains", and (3) sets the expectation that the nodes are managed "by the same administrative entity".

The Security Considerations of rfc8402 include the following text (for SRv6/§8/2 -- similar text exists for SR-MPLS):

   SR domain boundary routers MUST filter any external traffic destined
   to an address within the SRGB of the trusted domain or the SRLB of
   the specific boundary router. External traffic is any traffic
   received from an interface connected to a node outside the domain
   of trust.

The charter text is not at odds with rfc8402 because the definitions there already include multiple autonomous systems. For multiple autonomous systems to be included in a trusted domain, the administration expectations of the SR domain should be met. IOW, multiple autonomous systems belonging to the same service provider are OK, as long as the nodes involved participate in segment routing.

The difference between the Internet and cross/inter-domain segments is then that the Internet is not managed by a single administrative entity.

Thanks!

Alvaro.