]> Huawei

Beijing China c.l@huawei.com

Huawei

Beijing China gengnan@huawei.com

China Telecom

Beijing China xiechf@chinatelecom.cn

CAICT

Beijing China tianhui@caict.ac.cn

China Unicom

Beijing China tongt5@chinaunicom.cn

Huawei

Beijing China lizhenbin@huawei.com

Huawei

Beijing China MaoJianwei@huawei.com

Routing Spring Internet-Draft SRv6 inherits potential security vulnerabilities from source routing in general, and also from IPv6. This document describes various threats and security concerns related to SRv6 networks and existing approaches to solve these threats.

Introduction Segment Routing (SR) is a source routing paradigm that explicitly indicates the forwarding path for packets at the source node by inserting an ordered list of instructions, called segments. A segment can represent a topological or service-based instruction. When segment routing is deployed on IPv6 dataplane, called SRv6 , a segment is a 128-bit value, and can the IPv6 address of a local interface but it does not have to. For supporting SR, a new type of Routing Extension Header is defined and called the Segment Routing Header (SRH). The SRH contains a list of SIDs and other information such as Segments Left. The SRH is defined in . By using the SRH, an ingress router can steer SRv6 packets into an explicit forwarding path so that many use cases like Traffic Engineering, Service Function Chaining can be deployed easily by SRv6. Note that, in some cases, a SRv6 packet may contain no SRH (see Section 3.1 in ). SRv6 inherits potential security vulnerabilities from source routing in general and also from IPv6 . There are also some new vulnerabilities faced by SRv6.

• SRv6 makes use of the SRH which is a new type of Routing Extension Header. Therefore, the security properties of the Routing Extension Header are addressed by the SRH. See and for details.
• SRv6 consists of using the SRH on the IPv6 dataplane which security properties can be understood based on previous work , , and .

This document describes various threats to SRv6 networks and also presents existing approaches to avoid or mitigate the threats.

Terminology This document uses the terminology defined in and .

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Security Implications in SRv6 Networks

Vulnerabilities of SIDs/SRH SRv6 has similar vulnerabilities to source routing. The SIDs or SRH without protection or exposed to the external may be leveraged to launch attacks. The attackers can intercept/modify/falsify/abuse SIDs or SRH, which results in the following threats:

• DoS/DDoS attacks. The attacks can be launched by constructing segment lists to make packets be forwarded repeatedly between two or more routers or hosts on specific links . The generation of ICMPv6 error messages may also be used in order to attempt DoS/DDoS attacks by sending an error-causing destination address or SRH in back-to-back packets .
• Escaping security check such as access control or firewall. A segment list can be tailored to specify a particular path so that the malicious packets can bypass the firewall devices or reach otherwise-unreachable Internet systems .
• Traffic interception. Unprotected SIDs can be used to intercept traffic. This threat can also be used for man-in-the-middle attacks.
• Topology discovery. SRH may leak network information such as topology, traffic flows, and service usage. points out that the disclosure is less relevant to SR because an attacker has other means of learning topology, flows, and service usage.
• Identity Spoofing. An attacker spoofs other hosts' identity to use an authorized service.

The above threats have been documented in previous work including , , , and , and there are already some mechanisms to deal with these threats.

Vulnerabilities Inherited from IPv6 SRv6 inherits potential security vulnerabilities from IPv6. A detailed analysis of IPv6 security considerations can be found in . Some common threats will also exist in SRv6 networks such as:

• Eavesdropping of service data
• Packet Falsification
• Identity Spoofing
• Packet Replay
• DoS/DDoS

The above threats are not specific to SRv6, existing IPv6 and IPv4 networks all need to cope with them.

Implications on Security Devices Firewall devices need to take care of SRv6 packets. Particularly, the stateful firewall needs to record the packet information (e.g., source and destination addresses) of the traffic from inside to outside. When receiving the returned flow, the stateful firewall checks whether such a flow exists in the record table. If not, the flow will be rejected. However, the source address of SRv6 packets can be any of the source node's address like a loopback address (depending on configuration). As a result, the address information of SR packets may be asymmetric (i.e., the source address of the forward packet is not the destination address of the returned packet), which leads to failed validation. The related problem has been analyzed and solved in . Another problem is that the destination address of a SRv6 packet is changing during forwarding because SRv6 hides the real destination address into the segment list. Boundary security devices may not learn the real destination address and fail to take access control on some SRv6 traffic. Besides, the hidden destination address possibly also result in asymmetric address information mentioned above and thus negatively impacts the effectiveness of security devices.

Security Advice on SRv6 Networks SPRING architecture allows clear trust domain boundaries so that source-routing information is only usable within the trusted domain and never exposed to the outside world. It is expected that, by default, explicit routing is only used within the boundaries of the administered domain. Therefore, the data plane does not expose any source routing information when a packet leaves the trusted domain. Traffic is filtered at the domain boundaries . Maintaining such a trust boundary will efficiently avoid most of the threats described in . This section will present the detailed advice on trust domain operations. In most cases, the SR routers in the trust domain can be presumed to be operated by the same administrative entity without malicious intent and also according to specifications of the protocols that they use in the infrastructure. Hence, the SR-capable routers and transit IPv6 routers within the SRv6 trusted domains are trustworthy. The SRv6 packets are treated as normal IPv6 packets in transit nodes and the SRH will not bring new security problem. Of course, the above assumption is not always true in practice. Some normal security operations like those for IPv6 security are still recommended to be taken.

Basic Traffic Filtering The basic security for maintaining a trust domain is described in and . For easier understanding, a simple example is shown in .

SRv6 Security Policy Design

• A-E: SRv6 Routers inside the SRv6 domain. A and E are the edge routers which can also be called ingress router instead.
• F: Router F outside the SRv6 domain.
• h1: A host outside the SRv6 domain connects to Router A.
• h2: A host within the SRv6 domain, which connects to Router D.
• (1): The filtering point at external interfaces.
• (2): The filtering point at internal interfaces connecting to routers.
• (3): The filtering point at internal interfaces connecting to internal hosts.

ACL-based Filtering for External Interfaces Typically, in any trusted domain, ingress routers MUST be configured with ACL at (1) in . Any packet externally received with SA/DA having a domain internal address will be filterred out. An SRv6 router typically comply with the same rule. A provider would generally do this for its internal address space in order to prevent access to internal addresses and in order to prevent spoofing. The technique is extended to the local SID space. It should be noted that, in some use cases, Binding SIDs can be leaked outside of SRv6 domain. Detailed ACL SHOULD be then configured at (1) in in order to allow the externally advertised Binding SIDs. The advertisement scope should be controlled to reduce security risks.

ACL-based Filtering for Internal Interfaces An SRv6 router MUST support an ACL at (2) in with the following behavior: This prevents access to locally instantiated SIDs from outside the operator's infrastructure. Such ACL configuration should work for most cases except some particular ones. For example, specific SIDs can be used to provide resources to devices that are outside of the operator's infrastructure.

SID Instantiation As per the End definition , an SRv6 router MUST only implement the End behavior on a local IPv6 address if that address has been explicitly enabled as an SRv6 SID. Thus, a local SID must be explicitly instantiated and explicitly bound to a behavior. The SRv6 packets received with destination address being a local address that has not been enabled as an SRv6 SID MUST be dropped.

Operational Considerations of Basic Traffic Filtering The internal device addresses such as SIDs and interface addresses are usually allocated from specific address blocks. That is, SIDs are from a SID block, and interface addresses belong to another address block. The internal device addresses are clearly distinct from IPv6 addresses allocated for end users, systems, and external networks ( and ). Therefore, conducting the above basic traffic filtering policies for maintaining the security of the SRv6 domain will not induce much operational overhead. Only a small number of ACLs need to be configured for matching seldom changing prefixes at specific interfaces . Different routers typically comply with the same ACL rules. In addition, particular upgrades on devices are not required for supporting the basic traffic filtering policies. There are also some tools for flexible SID filtering ( and ), which will further simplifies SID control.

HMAC TLV HMAC is the enhanced security mechanism for SRv6 as defined in . An operator of an SRv6 domain may delegate SRH addition to a host node within the SR domain. The SRv6 packets sent by the host can contain an HMAC TLV in SRH. The HMAC TLV can be used to ensure that 1) the SRH in a packet was applied by an authorized host, 2) the segments are authorized for use, and 3) the segment list is not modified after generation. HMAC processing can only happen at the ingress nodes (i.e., (3) in ), and other nodes inside the trusted domain could ignore the HMAC TLV. Note that, the SRH is mutable in computing the Integrity Check Value (ICV) of AH , and AH header is processed after SRH as recommended in . Therefore, AH cannot be directly applied to SRv6 packets for securing SRH, and HMAC TLV is needed.

Source Address Validation The ingress filtering mechanisms as defined in BCP 84 ( and ) are RECOMMENDED to be used for preventing source address spoofing. With packets carrying legitimate source addresses, many threats such as identity spoofing and source address spoofing-based DoS/DDoS can be avoided, and it will also benefit tracing back or locating malicious hosts or networks. Deploying source address validation is a common recommendation in the Internet .

Control Plane Security Operations SRv6 information like SIDs can be advertised through various control plane protocols. The security of control plane should be considered. Existing authentication, encryption, filtering, and other security mechanisms of control plane protocols can be taken to ensure the security of SRv6 information. Segment Routing does not define any additional security mechanisms in existing control plane protocols . From a perspective of trust domain, any information related to internal prefixes (like SIDs) and topology SHOULD NOT be exposed to the outside of the domain. Necessary filtering policies like route filtering need to be configured to prevent information leakage.

ICMPv6 Rate-Limiting The ICMPv6 rate-limiting mechanism as defined in can be used locally for preventing ICMPv6-based attacks (e.g., ICMPv6-based DoS/DDoS described in ). ICMPv6 rate-limiting is a popular security action in IPv6 networks.

IPSec IPSec (AH , ESP ) can be used for authentication, encryption, and integrity protection. To some extent, the attacks including eavesdropping, packet falsification, identity spoofing, and packet replay can be avoided or mitigated through IPSec. Note that, IPSec cannot effectively protect SRH. As recommended in , the processing order of SRH (also routing header) is higher than that of AH/ESP extension header. Besides, the SRH is mutable during forwarding process. Therefore, IPSec cannot be directly used to deal with source routing-related attacks.

Operations Related to Security Devices When computing segment lists for normal forwarding or path protection, make sure that the SRv6 path does not bypass the required security devices like firewall . In some cases, stateful security devices (e.g., stateful firewall) are difficult to learn the accurate traffic state due to asymmetric address or hidden destination address (see ). To cope with the issues, operators SHOULD intentionally configure symmetric addresses on routers, e.g., a source address in a outbound packet is set to the destination address in the inbound packet. Besides, the stateful security devices SHOULD be able to figure out the real destination address of SRv6 flow, so that the recorded state can accurately detect the returned flow.

Security Considerations This document attempts to give an overview of security considerations of operating an SRv6 network. The document itself does not import security issues.

IANA Considerations This document has no IANA actions.

Acknowledgements Manty thanks to Charles Perkins and Stefano Previdi's valuable comments.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic. This document updates the IPv6 specification to deprecate the use of IPv6 Type 0 Routing Headers, in light of this security concern. [STANDARDS-TRACK] RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Segment Routing (SR) leverages the source routing paradigm. A node steers a packet through an ordered list of instructions, called "segments". A segment can represent any instruction, topological or service based. A segment can have a semantic local to an SR node or global within an SR domain. SR provides a mechanism that allows a flow to be restricted to a specific topological path, while maintaining per-flow state only at the ingress node(s) to the SR domain. SR can be directly applied to the MPLS architecture with no change to the forwarding plane. A segment is encoded as an MPLS label. An ordered list of segments is encoded as a stack of labels. The segment to process is on the top of the stack. Upon completion of a segment, the related label is popped from the stack. SR can be applied to the IPv6 architecture, with a new type of routing header. A segment is encoded as an IPv6 address. An ordered list of segments is encoded as an ordered list of IPv6 addresses in the routing header. The active segment is indicated by the Destination Address (DA) of the packet. The next active segment is indicated by a pointer in the new routing header. Segment Routing can be applied to the IPv6 data plane using a new type of Routing Extension Header called the Segment Routing Header (SRH). This document describes the SRH and how it is used by nodes that are Segment Routing (SR) capable. This document specifies version 6 of the Internet Protocol (IPv6). It obsoletes RFC 2460. Informative References This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK] This document describes an updated version of the IP Authentication Header (AH), which is designed to provide authentication services in IPv4 and IPv6. This document obsoletes RFC 2402 (November 1998). [STANDARDS-TRACK] This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK] The transition from a pure IPv4 network to a network where IPv4 and IPv6 coexist brings a number of extra security considerations that need to be taken into account when deploying IPv6 and operating the dual-protocol network and the associated transition mechanisms. This document attempts to give an overview of the various issues grouped into three categories: o issues due to the IPv6 protocol itself, o issues due to transition mechanisms, and o issues due to IPv6 deployment. This memo provides information for the Internet community. This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind This document describes the format of a set of control messages used in ICMPv6 (Internet Control Message Protocol). ICMPv6 is the Internet Control Message Protocol for Internet Protocol version 6 (IPv6). [STANDARDS-TRACK] BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. As a side effect of protecting the Internet against such attacks, the network implementing the solution also protects itself from this and other attacks, such as spoofed management access to networking equipment. There are cases when this may create problems, e.g., with multihoming. This document describes the current ingress filtering operational mechanisms, examines generic issues related to ingress filtering, and delves into the effects on multihoming in particular. This memo updates RFC 2827. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document identifies a need for and proposes improvement of the unicast Reverse Path Forwarding (uRPF) techniques (see RFC 3704) for detection and mitigation of source address spoofing (see BCP 38). Strict uRPF is inflexible about directionality, the loose uRPF is oblivious to directionality, and the current feasible-path uRPF attempts to strike a balance between the two (see RFC 3704). However, as shown in this document, the existing feasible-path uRPF still has shortcomings. This document describes enhanced feasible-path uRPF (EFP-uRPF) techniques that are more flexible (in a meaningful way) about directionality than the feasible-path uRPF (RFC 3704). The proposed EFP-uRPF methods aim to significantly reduce false positives regarding invalid detection in source address validation (SAV). Hence, they can potentially alleviate ISPs' concerns about the possibility of disrupting service for their customers and encourage greater deployment of uRPF techniques. This document updates RFC 3704. The Segment Routing over IPv6 (SRv6) Network Programming framework enables a network operator or an application to specify a packet processing program by encoding a sequence of instructions in the IPv6 packet header. Each instruction is implemented on one or several nodes in the network and identified by an SRv6 Segment Identifier in the packet. This document defines the SRv6 Network Programming concept and specifies the base set of SRv6 behaviors that enables the creation of interoperable overlays with underlay optimization. Knowledge and experience on how to operate IPv4 networks securely is available, whether the operator is an Internet Service Provider (ISP) or an enterprise internal network. However, IPv6 presents some new security challenges. RFC 4942 describes security issues in the protocol, but network managers also need a more practical, operations-minded document to enumerate advantages and/or disadvantages of certain choices. This document analyzes the operational security issues associated with several types of networks and proposes technical and procedural mitigation techniques. This document is only applicable to managed networks, such as enterprise networks, service provider networks, or managed residential networks. "Dissemination of Flow Specification Rules" (RFC 8955) provides a Border Gateway Protocol (BGP) extension for the propagation of traffic flow information for the purpose of rate limiting or filtering IPv4 protocol data packets. This document extends RFC 8955 with IPv6 functionality. It also updates RFC 8955 by changing the IANA Flow Spec Component Types registry. China Mobile New H3C Technologies In SRv6 network, the SRv6 packets usually use loopback address as source address. However, when there is symmetric traffic requirement for bidirectional flow, or there is requirement for traffic source validation, using loopback address as source address is not sufficient. This document proposes using SID as source address for SRv6 traffic, also identifies solution for several use cases. Huawei Huawei Futurewei Next Layer Communications Verizon Inc. Casa Systems China Telecom Fujitsu Volta Networks This document proposes extensions to BGP Flow Specification for SRv6 for filtering packets with a SRv6 SID that matches a sequence of conditions. Huawei Technologies Huawei Technologies China Telecom Juniper Networks Inc. Topology Independent Loop-free Alternate Fast Re-route (TI-LFA) aims at providing protection of node and adjacency segments within the Segment Routing (SR) framework. A key aspect of TI-LFA is the FRR path selection approach establishing protection over the expected post-convergence paths from the point of local repair. However, the TI-LFA FRR path may skip the node even if it is specified in the SID list to be traveled. This document defines Enhanced TI-LFA(TI-LFA+) by adding a No-bypass indicator for segments to ensure that the FRR route will not bypass the specific node, such as firewall. Also, this document defines No- bypass flag and No-FRR flag in SRH to indicate not to bypass nodes and not to perform FRR on all the nodes along the SRv6 path, respectively.