Dear authors:

Thank you for the clear treatment of SRv6 threats and mitigations in 
draft-ietf-spring-srv6-security-05. In parallel, I'd like to draw the WG's 
attention to the RTGWG draft "Multi-segment SD-WAN via Cloud DCs" 
(https://datatracker.ietf.org/doc/draft-ietf-rtgwg-multisegment-sdwan/), which 
describes an overlay pattern where a GENEVE header is added outside ESP so 
transit nodes can steer encrypted traffic. When SRH is used as a 
policy/steering carrier, it plays a very similar role to GENEVE; therefore, 
several of the Multisegment-SDWAN draft's Security Considerations and mitigations 
are directly applicable here, especially authenticating the outer policy header 
across multi-admin segments, treating filtering as helpful but insufficient by 
itself, and adopting strict error-handling (drop on auth failure, discard 
malformed TLVs, rate-limit/log). Although SRH often resides within a provider 
SR domain, packets may traverse provider or inter-domain paths; the same 
integrity requirements apply in those cases.

Suggested additions:

Location: end of §7.3 "Hashed Message Authentication Code (HMAC)":

      SRH used as a policy carrier across untrusted segments. In deployments 
where SRH conveys steering/policy information that affects forwarding, the SRH 
plays a role analogous to the GENEVE header in RTGWG's Multi-segment SD-WAN: a 
clear-text outer header whose fields guide transit behavior while payload 
confidentiality is preserved end-to-end by ESP. When such traffic may traverse 
infrastructure outside a single administrative trust boundary (e.g., provider 
domains or inter-domain paths), endpoints SHOULD enable the SRH HMAC TLV to 
provide integrity and origin authentication for the segment list, 
flags/Last-Entry, and relevant SRH TLVs, and nodes MUST drop packets that fail 
SRH-HMAC validation. Reliance on boundary filtering alone is operationally 
fragile and does not mitigate on-path modification or off-path insertion.

      Operational handling. When SRH carries policy semantics, implementations 
SHOULD (i) discard malformed SRH or invalid TLVs; (ii) drop on authentication 
failure; (iii) rate-limit and log repeated failures; and (iv) reject misrouted 
packets that lack an authorized destination/egress. These behaviors mirror the 
processing/error-handling recommended for the GENEVE policy header in 
Multi-segment SD-WAN and improve robustness when SRH crosses multi-admin paths.

Best Regards,
Linda Dunbar
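
The operational handling proposed above (discard malformed SRH or TLVs, drop on HMAC failure, rate-limit and log repeated failures), sketched as an added example that is not part of the message or of either draft. It follows the SRH and HMAC TLV layout of RFC 8754; the key table, the use of HMAC-SHA-256, the full-length-HMAC policy and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, struct

KEYS = {0x2A: b"constructed-demo-key"}   # hypothetical Key ID -> pre-shared key table
PAD1, HMAC_TLV = 0, 5                    # SRH TLV types from RFC 8754
LOG, _last_logged = [], {}               # emitted log lines; last log time per source

def _digest(key, src, last_entry, flags, key_id, seglist):
    # RFC 8754 HMAC text: IPv6 source, Last Entry, Flags, Key ID, whole segment list
    text = src + bytes([last_entry, flags]) + struct.pack("!I", key_id) + seglist
    return hmac.new(key, text, hashlib.sha256).digest()   # SHA-256 is an assumption

def build_srh(src, segments, key_id, flags=0):
    """Build a constructed SRH carrying an HMAC TLV (sample input for the check)."""
    seglist, last = b"".join(segments), len(segments) - 1
    mac = _digest(KEYS[key_id], src, last, flags, key_id, seglist)
    tlv = bytes([HMAC_TLV, 6 + len(mac), 0, 0]) + struct.pack("!I", key_id) + mac
    body = bytes([last, flags, 0, 0]) + seglist + tlv
    return bytes([41, (4 + len(body)) // 8 - 1, 4, last]) + body

def _auth_fail(src, reason, now, interval=10.0):
    if now - _last_logged.get(src, float("-inf")) >= interval:   # rate-limited log
        _last_logged[src] = now
        LOG.append(f"SRH auth failure src={src.hex()} reason={reason}")
    return "drop", reason                # always drop, logged or not

def verify_srh(src, srh, now):
    """Return (verdict, reason); `now` is a monotonic clock reading in seconds."""
    if (len(srh) < 8 or srh[2] != 4 or len(srh) != 8 * (srh[1] + 1)
            or srh[3] > srh[4] + 1 or 8 + 16 * (srh[4] + 1) > len(srh)):
        return "drop", "malformed SRH"
    last_entry, flags, i = srh[4], srh[5], 8 + 16 * (srh[4] + 1)
    seglist, tlv = srh[8:i], None
    while i < len(srh):                  # walk TLVs; any bad length discards the packet
        size = 1 if srh[i] == PAD1 else 2 + (srh[i + 1] if i + 1 < len(srh) else 0)
        if i + size > len(srh):
            return "drop", "malformed TLV"
        if srh[i] == HMAC_TLV:
            tlv = srh[i + 2 : i + size]
        i += size
    if tlv is None:
        return _auth_fail(src, "HMAC TLV missing", now)
    if len(tlv) != 38:                   # example policy: full 32-octet HMAC only
        return "drop", "malformed TLV"
    key_id = struct.unpack("!I", tlv[2:6])[0]
    key = KEYS.get(key_id)
    if key is None or not hmac.compare_digest(
            _digest(key, src, last_entry, flags, key_id, seglist), tlv[6:]):
        return _auth_fail(src, "HMAC check failed", now)
    return "accept", "ok"
```
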

-----Original Message-----
From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Sent: Thursday, August 21, 2025 1:12 PM
To: i-d-annou...@ietf.org
Cc: spring@ietf.org
Subject: [spring] I-D Action: draft-ietf-spring-srv6-security-05.txt

Internet-Draft draft-ietf-spring-srv6-security-05.txt is now available. It is a 
work item of the Source Packet Routing in Networking (SPRING) WG of the IETF.

   Title:   Segment Routing IPv6 Security Considerations
   Authors: Nick Buraglio
            Tal Mizrahi
            Tian Tong
            Luis M. Contreras
            Fernando Gont
   Name:    draft-ietf-spring-srv6-security-05.txt
   Pages:   30
   Dates:   2025-08-21

Abstract:

   SRv6 is a traffic engineering, encapsulation and steering mechanism
   utilizing IPv6 addresses to identify segments in a pre-defined
   policy.  This document discusses security considerations in SRv6
   networks, including the potential threats and the possible mitigation
   methods.  The document does not define any new security protocols or
   extensions to existing protocols.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-spring-srv6-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-spring-srv6-security-05.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-spring-srv6-security-05

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


_______________________________________________
spring mailing list -- spring@ietf.org
To unsubscribe send an email to spring-le...@ietf.org
