< draft-ietf-6man-segment-routing-header-13.txt   draft-ietf-6man-segment-routing-header-14.txt >
Network Working Group S. Previdi Network Working Group C. Filsfils, Ed.
Internet-Draft Individual Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track C. Filsfils, Ed. Intended status: Standards Track S. Previdi
Expires: November 24, 2018 Cisco Systems, Inc. Expires: December 30, 2018 Individual
J. Leddy J. Leddy
Comcast Comcast
S. Matsushima S. Matsushima
Softbank Softbank
D. Voyer, Ed. D. Voyer, Ed.
Bell Canada Bell Canada
May 23, 2018 June 28, 2018
IPv6 Segment Routing Header (SRH) IPv6 Segment Routing Header (SRH)
draft-ietf-6man-segment-routing-header-13 draft-ietf-6man-segment-routing-header-14
Abstract Abstract
Segment Routing can be applied to the IPv6 data plane using a new Segment Routing can be applied to the IPv6 data plane using a new
type of Routing Extension Header. This document describes the type of Routing Extension Header. This document describes the
Segment Routing Extension Header and how it is used by Segment Segment Routing Extension Header and how it is used by Segment
Routing capable nodes. Routing capable nodes.
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in RFC 2119 [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 24, 2018. This Internet-Draft will expire on December 30, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 25 skipping to change at page 2, line 25
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Segment Routing Extension Header . . . . . . . . . . . . . . 4 2. Segment Routing Extension Header . . . . . . . . . . . . . . 4
2.1. SRH TLVs . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. SRH TLVs . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.1. Padding TLVs . . . . . . . . . . . . . . . . . . . . 7 2.1.1. Padding TLVs . . . . . . . . . . . . . . . . . . . . 6
2.1.2. HMAC TLV . . . . . . . . . . . . . . . . . . . . . . 8 2.1.2. HMAC TLV . . . . . . . . . . . . . . . . . . . . . . 8
3. SR Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3. SR Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1. Source SR Node . . . . . . . . . . . . . . . . . . . . . 9 3.1. Source SR Node . . . . . . . . . . . . . . . . . . . . . 9
3.2. Transit Node . . . . . . . . . . . . . . . . . . . . . . 9 3.2. Transit Node . . . . . . . . . . . . . . . . . . . . . . 9
3.3. SR Segment Endpoint Node . . . . . . . . . . . . . . . . 10 3.3. SR Segment Endpoint Node . . . . . . . . . . . . . . . . 9
4. Packet Processing . . . . . . . . . . . . . . . . . . . . . . 10 4. Packet Processing . . . . . . . . . . . . . . . . . . . . . . 9
4.1. Source SR Node . . . . . . . . . . . . . . . . . . . . . 10 4.1. Source SR Node . . . . . . . . . . . . . . . . . . . . . 9
4.1.1. Reduced SRH . . . . . . . . . . . . . . . . . . . . . 10 4.1.1. Reduced SRH . . . . . . . . . . . . . . . . . . . . . 10
4.2. Transit Node . . . . . . . . . . . . . . . . . . . . . . 11 4.2. Transit Node . . . . . . . . . . . . . . . . . . . . . . 10
4.3. Segment Endpoint Node . . . . . . . . . . . . . . . . . . 11 4.3. SR Segment Endpoint Node . . . . . . . . . . . . . . . . 11
4.3.1. FIB Entry Is Locally Instantiated SRv6 END SID . . . 11 4.3.1. FIB Entry Is Locally Instantiated SRv6 END SID . . . 11
4.3.2. FIB Entry is a Local Interface . . . . . . . . . . . 12 4.3.2. FIB Entry is a Local Interface . . . . . . . . . . . 13
4.3.3. FIB Entry Is A Non-Local Route . . . . . . . . . . . 13 4.3.3. FIB Entry Is A Non-Local Route . . . . . . . . . . . 13
4.3.4. FIB Entry Is A No Match . . . . . . . . . . . . . . . 13 4.3.4. FIB Entry Is A No Match . . . . . . . . . . . . . . . 13
4.4. Load Balancing and ECMP . . . . . . . . . . . . . . . . . 13 4.3.5. Load Balancing and ECMP . . . . . . . . . . . . . . . 13
5. Illustrations . . . . . . . . . . . . . . . . . . . . . . . . 13 5. Illustrations . . . . . . . . . . . . . . . . . . . . . . . . 14
5.1. Abstract Representation of an SRH . . . . . . . . . . . . 13 5.1. Abstract Representation of an SRH . . . . . . . . . . . . 14
5.2. Example Topology . . . . . . . . . . . . . . . . . . . . 14 5.2. Example Topology . . . . . . . . . . . . . . . . . . . . 15
5.3. Source SR Node . . . . . . . . . . . . . . . . . . . . . 15 5.3. Source SR Node . . . . . . . . . . . . . . . . . . . . . 15
5.3.1. Intra SR Domain Packet . . . . . . . . . . . . . . . 15 5.3.1. Intra SR Domain Packet . . . . . . . . . . . . . . . 15
5.3.2. Transit Packet Through SR Domain . . . . . . . . . . 15 5.3.2. Transit Packet Through SR Domain . . . . . . . . . . 16
5.4. Transit Node . . . . . . . . . . . . . . . . . . . . . . 15 5.4. Transit Node . . . . . . . . . . . . . . . . . . . . . . 16
5.5. SR End Node . . . . . . . . . . . . . . . . . . . . . . . 16 5.5. SR Segment Endpoint Node . . . . . . . . . . . . . . . . 16
6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
6.1. Threat model . . . . . . . . . . . . . . . . . . . . . . 17 6.1. Threat model . . . . . . . . . . . . . . . . . . . . . . 17
6.1.1. Source routing threats . . . . . . . . . . . . . . . 17 6.1.1. Source routing threats . . . . . . . . . . . . . . . 17
6.1.2. Applicability of RFC 5095 to SRH . . . . . . . . . . 17 6.1.2. Applicability of RFC 5095 to SRH . . . . . . . . . . 18
6.1.3. Service stealing threat . . . . . . . . . . . . . . . 18 6.1.3. Service stealing threat . . . . . . . . . . . . . . . 19
6.1.4. Topology disclosure . . . . . . . . . . . . . . . . . 18 6.1.4. Topology disclosure . . . . . . . . . . . . . . . . . 19
6.1.5. ICMP Generation . . . . . . . . . . . . . . . . . . . 18 6.1.5. ICMP Generation . . . . . . . . . . . . . . . . . . . 19
6.2. Security fields in SRH . . . . . . . . . . . . . . . . . 19 6.2. Security fields in SRH . . . . . . . . . . . . . . . . . 19
6.2.1. Selecting a hash algorithm . . . . . . . . . . . . . 20 6.2.1. Selecting a hash algorithm . . . . . . . . . . . . . 21
6.2.2. Performance impact of HMAC . . . . . . . . . . . . . 20 6.2.2. Performance impact of HMAC . . . . . . . . . . . . . 21
6.2.3. Pre-shared key management . . . . . . . . . . . . . . 21 6.2.3. Pre-shared key management . . . . . . . . . . . . . . 22
6.3. Deployment Models . . . . . . . . . . . . . . . . . . . . 22 6.3. Deployment Models . . . . . . . . . . . . . . . . . . . . 22
6.3.1. Nodes within the SR domain . . . . . . . . . . . . . 22 6.3.1. Nodes within the SR domain . . . . . . . . . . . . . 22
6.3.2. Nodes outside of the SR domain . . . . . . . . . . . 22 6.3.2. Nodes outside of the SR domain . . . . . . . . . . . 22
6.3.3. SR path exposure . . . . . . . . . . . . . . . . . . 23 6.3.3. SR path exposure . . . . . . . . . . . . . . . . . . 23
6.3.4. Impact of BCP-38 . . . . . . . . . . . . . . . . . . 23 6.3.4. Impact of BCP-38 . . . . . . . . . . . . . . . . . . 23
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
7.1. Segment Routing Header Flags Register . . . . . . . . . . 24 7.1. Segment Routing Header Flags Register . . . . . . . . . . 24
7.2. Segment Routing Header TLVs Register . . . . . . . . . . 24 7.2. Segment Routing Header TLVs Register . . . . . . . . . . 24
8. Implementation Status . . . . . . . . . . . . . . . . . . . . 24 8. Implementation Status . . . . . . . . . . . . . . . . . . . . 25
8.1. Linux . . . . . . . . . . . . . . . . . . . . . . . . . . 24 8.1. Linux . . . . . . . . . . . . . . . . . . . . . . . . . . 25
8.2. Cisco Systems . . . . . . . . . . . . . . . . . . . . . . 25 8.2. Cisco Systems . . . . . . . . . . . . . . . . . . . . . . 25
8.3. FD.io . . . . . . . . . . . . . . . . . . . . . . . . . . 25 8.3. FD.io . . . . . . . . . . . . . . . . . . . . . . . . . . 25
8.4. Barefoot . . . . . . . . . . . . . . . . . . . . . . . . 25 8.4. Barefoot . . . . . . . . . . . . . . . . . . . . . . . . 25
8.5. Juniper . . . . . . . . . . . . . . . . . . . . . . . . . 25 8.5. Juniper . . . . . . . . . . . . . . . . . . . . . . . . . 26
9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 25 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 26
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
11.1. Normative References . . . . . . . . . . . . . . . . . . 26 11.1. Normative References . . . . . . . . . . . . . . . . . . 26
11.2. Informative References . . . . . . . . . . . . . . . . . 27 11.2. Informative References . . . . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29
1. Introduction 1. Introduction
Segment Routing can be applied to the IPv6 data plane using a new Segment Routing can be applied to the IPv6 data plane using a new
type of Routing Extension Header (SRH). This document describes the type of Routing Extension Header (SRH). This document describes the
Segment Routing Extension Header and how it is used by Segment Segment Routing Extension Header and how it is used by Segment
Routing capable nodes. Routing capable nodes.
The Segment Routing Architecture [I-D.ietf-spring-segment-routing] The Segment Routing Architecture [I-D.ietf-spring-segment-routing]
describes Segment Routing and its instantiation in two data planes describes Segment Routing and its instantiation in two data planes
skipping to change at page 4, line 5 skipping to change at page 4, line 5
SR with the MPLS data plane is defined in SR with the MPLS data plane is defined in
[I-D.ietf-spring-segment-routing-mpls]. [I-D.ietf-spring-segment-routing-mpls].
SR with the IPv6 data plane is defined in SR with the IPv6 data plane is defined in
[I-D.filsfils-spring-srv6-network-programming]. [I-D.filsfils-spring-srv6-network-programming].
The encoding of MPLS labels and label stacking are defined in The encoding of MPLS labels and label stacking are defined in
[RFC3032]. [RFC3032].
The encoding of IPv6 segments in the Segment Routing Extension header The encoding of IPv6 segments in the Segment Routing Extension Header
is defined in this document. is defined in this document.
Terminology used within this document is defined in detail in Terminology used within this document is defined in detail in
[I-D.ietf-spring-segment-routing]. Specifically, these terms: [I-D.ietf-spring-segment-routing]. Specifically, these terms:
Segment Routing, SR Domain, SRv6, Segment ID (SID), SRv6 SID, Active Segment Routing, SR Domain, SRv6, Segment ID (SID), SRv6 SID, Active
Segment, and SR Policy. Segment, and SR Policy.
2. Segment Routing Extension Header 2. Segment Routing Extension Header
Routing Headers are defined in [RFC8200]. The Segment Routing Header Routing Headers are defined in [RFC8200]. The Segment Routing Header
skipping to change at page 5, line 17 skipping to change at page 5, line 17
o Segments Left: Defined in [RFC8200] o Segments Left: Defined in [RFC8200]
o Last Entry: contains the index (zero based), in the Segment List, o Last Entry: contains the index (zero based), in the Segment List,
of the last element of the Segment List. of the last element of the Segment List.
o Flags: 8 bits of flags. Following flags are defined: o Flags: 8 bits of flags. Following flags are defined:
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
| U |H| U | |U U U U U U U U|
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
U: Unused and for future use. SHOULD be 0 on transmission and U: Unused and for future use. MUST be 0 on transmission and
MUST be ignored on receipt. ignored on receipt.
H-flag: HMAC flag. If set, the HMAC TLV is present and is
encoded as the last TLV of the SRH. In other words, the last
36 octets of the SRH represent the HMAC information. See
Section 2.1.2 for details on the HMAC TLV.
o Tag: tag a packet as part of a class or group of packets, e.g., o Tag: tag a packet as part of a class or group of packets, e.g.,
packets sharing the same set of properties. When tag is not used packets sharing the same set of properties. When tag is not used
at source it SHOULD be set to zero on transmission. When tag is at source it MUST be set to zero on transmission. When tag is not
not used during SRH Processing it MUST be ignored. The allocation used during SRH Processing it SHOULD be ignored. The allocation
and use of tag is outside the scope of this document. and use of tag is outside the scope of this document.
o Segment List[n]: 128 bit IPv6 addresses representing the nth o Segment List[n]: 128 bit IPv6 addresses representing the nth
segment in the Segment List. The Segment List is encoded starting segment in the Segment List. The Segment List is encoded starting
from the last segment of the SR Policy. I.e., the first element from the last segment of the SR Policy. I.e., the first element
of the segment list (Segment List [0]) contains the last segment of the segment list (Segment List [0]) contains the last segment
of the SR Policy, the second element contains the penultimate of the SR Policy, the second element contains the penultimate
segment of the SR Policy and so on. segment of the SR Policy and so on.
o Type Length Value (TLV) are described in Section 2.1. o Type Length Value (TLV) are described in Section 2.1.
skipping to change at page 6, line 20 skipping to change at page 6, line 12
Type: An 8 bit value. Unrecognized Types MUST be ignored on receipt. Type: An 8 bit value. Unrecognized Types MUST be ignored on receipt.
Length: The length of the Variable length data. It is RECOMMENDED Length: The length of the Variable length data. It is RECOMMENDED
that the total length of new TLVs be multiple of 8 bytes to avoid the that the total length of new TLVs be multiple of 8 bytes to avoid the
use of Padding TLVs. use of Padding TLVs.
Variable length data: Length bytes of data that is specific to the Variable length data: Length bytes of data that is specific to the
Type. Type.
Type Length Value (TLV) contain optional information that may be used Type Length Value (TLV) contain OPTIONAL information that may be used
by the node identified in the Destination Address (DA) of the packet. by the node identified in the Destination Address (DA) of the packet.
The information carried in the TLVs is not intended to be used by the
routing layer. Typically, TLVs carry information that is consumed by
other components (e.g.: OAM) than the routing function.
Each TLV has its own length, format and semantic. The code-point Each TLV has its own length, format and semantic. The code-point
allocated (by IANA) to each TLV Type defines both the format and the allocated (by IANA) to each TLV Type defines both the format and the
semantic of the information carried in the TLV. Multiple TLVs may be semantic of the information carried in the TLV. Multiple TLVs may be
encoded in the same SRH. encoded in the same SRH.
TLVs may change en route at each segment. To identify when a TLV TLVs may change en route at each segment. To identify when a TLV
type may change en route the most significant bit of the Type has the type may change en route the most significant bit of the Type has the
following significance: following significance:
skipping to change at page 7, line 16 skipping to change at page 7, line 5
HMAC TLV HMAC TLV
Additional TLVs may be defined in the future. Additional TLVs may be defined in the future.
2.1.1. Padding TLVs 2.1.1. Padding TLVs
There are two types of padding TLVs, pad0 and padN, the following There are two types of padding TLVs, pad0 and padN, the following
applies to both: applies to both:
Padding TLVs are optional and more than one Padding TLV MUST NOT Padding TLVs are used to pad the TLVs to a multiple of 8 octets.
appear in the SRH.
More than one Padding TLV MUST NOT appear in the SRH.
The Padding TLVs are used to align the SRH total length on the 8 The Padding TLVs are used to align the SRH total length on the 8
octet boundary. octet boundary.
When present, a single Pad0 or PadN TLV MUST appear as the last When present, a single Pad0 or PadN TLV MUST appear as the last
TLV before the HMAC TLV (if HMAC TLV is present). TLV.
When present, a PadN TLV MUST have a length from 0 to 5 in order When present, a PadN TLV MUST have a length from 0 to 5 in order
to align the SRH total length on a 8-octet boundary. to align the SRH total length on a 8-octet boundary.
Padding TLVs are ignored by a node processing the SRH TLV, even if Padding TLVs are ignored by a node processing the SRH TLV, even if
more than one is present. more than one is present.
Padding TLVs are ignored during ICV calculation. Padding TLVs are ignored during ICV calculation.
2.1.1.1. PAD0 2.1.1.1. PAD0
skipping to change at page 8, line 4 skipping to change at page 7, line 37
| Type | | Type |
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
Type: to be assigned by IANA (Suggested value 128) Type: to be assigned by IANA (Suggested value 128)
A single Pad0 TLV MUST be used when a single byte of padding is A single Pad0 TLV MUST be used when a single byte of padding is
required. If more than one byte of padding is required a Pad0 TLV required. If more than one byte of padding is required a Pad0 TLV
MUST NOT be used, the PadN TLV MUST be used. MUST NOT be used, the PadN TLV MUST be used.
2.1.1.2. PADN 2.1.1.2. PADN
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Padding (variable) | | Type | Length | Padding (variable) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// Padding (variable) // // Padding (variable) //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: to be assigned by IANA (suggested value 129). Type: to be assigned by IANA (suggested value 129).
Length: 0 to 5 Length: 0 to 5
Padding: Length octets of padding. Padding bits have no Padding: Length octets of padding. Padding bits have no
semantics. They SHOULD be set to 0 on transmission and MUST be semantics. They MUST be set to 0 on transmission and ignored on
ignored on receipt. receipt.
The PadN TLV MUST be used when more than one byte of padding is The PadN TLV MUST be used when more than one byte of padding is
required. required.
2.1.2. HMAC TLV 2.1.2. HMAC TLV
HMAC TLV is optional and contains the HMAC information. The HMAC TLV HMAC TLV is OPTIONAL and contains the HMAC information. The HMAC TLV
has the following format: has the following format:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | RESERVED | | Type | Length | RESERVED |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| HMAC Key ID (4 octets) | | HMAC Key ID (4 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| // | //
| HMAC (32 octets) // | HMAC (32 octets) //
| // | //
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
where: where:
o Type: to be assigned by IANA (suggested value 5). o Type: to be assigned by IANA (suggested value 5).
o Length: 38. o Length: 38.
o RESERVED: 2 octets. SHOULD be unset on transmission and MUST be o RESERVED: 2 octets. MUST be 0 on transmission and ignored on
ignored on receipt. receipt.
o HMAC Key ID: 4 octets. o HMAC Key ID: 4 octets.
o HMAC: 32 octets. o HMAC: 32 octets.
o HMAC and HMAC Key ID usage is described in Section 6 o HMAC and HMAC Key ID usage is described in Section 6
The Following applies to the HMAC TLV: The Following applies to the HMAC TLV:
o When present, the HMAC TLV MUST be encoded as the last TLV of the o Local policy determines when to check for an HMAC and potentially
SRH. a requirement on where the HMAC TLV must appear (e.g. first TLV).
This local policy is outside the scope of this document. It may
o If the HMAC TLV is present, the SRH H-Flag (Figure 2) MUST be set. be based on the active segment at an SR Segment endpoint node, the
Nodes processing SRH SHOULD process the HMAC TLV only when the result of an ACL that considers incoming interface, or other
H-Flag is set, and local policy. packet fields.
o When the H-flag is set in the SRH, the router inspecting the SRH
MUST find the HMAC TLV in the last 38 octets of the SRH.
3. SR Nodes 3. SR Nodes
There are different types of nodes that may be involved in segment There are different types of nodes that may be involved in segment
routing networks: source SR nodes originate packets with a segment in routing networks: source SR nodes originate packets with a segment in
the destination address of the IPv6 header, transit nodes that the destination address of the IPv6 header, transit nodes that
forward packets destined to a remote segment, and segment endpoint forward packets destined to a remote segment, and SR segment endpoint
nodes that process a local segment in the destination address of an nodes that process a local segment in the destination address of an
IPv6 header. IPv6 header.
3.1. Source SR Node 3.1. Source SR Node
A Source SR Node is any node that originates an IPv6 packet with a A Source SR Node is any node that originates an IPv6 packet with a
segment (i.e. SRv6 SID) in the destination address of the IPv6 segment (i.e. SRv6 SID) in the destination address of the IPv6
header. The packet leaving the source SR Node may or may not contain header. The packet leaving the source SR Node may or may not contain
an SRH. This includes either: an SRH. This includes either:
A host originating an IPv6 packet. A host originating an IPv6 packet.
An SR domain ingress router encapsulating a received packet in an An SR domain ingress router encapsulating a received packet in an
outer IPv6 header, followed by an optional SRH. outer IPv6 header, followed by an optional SRH.
The mechanism through which a segment in the destination address of The mechanism through which a segment in the destination address of
the IPv6 header and the Segment List in the SRH, is derived is the IPv6 header and the Segment List in the SRH, is derived is
outside the scope of this document. For example, the Segment List outside the scope of this document.
may be obtained through local SR Policy computation, local
configuration, interaction with a controller instantiating an SR
Policy, or any other mechanism.
3.2. Transit Node 3.2. Transit Node
A transit node is any node forwarding an IPv6 packet where the A transit node is any node forwarding an IPv6 packet where the
destination address of that packet is not locally configured as a destination address of that packet is not locally configured as a
segment nor a local interface. A transit node is not required to be segment nor a local interface. A transit node is not required to be
capable of processing a segment nor SRH. capable of processing a segment nor SRH.
3.3. SR Segment Endpoint Node 3.3. SR Segment Endpoint Node
A SR segment endpoint node is any node receiving an IPv6 packet where A SR segment endpoint node is any node receiving an IPv6 packet where
the destination address of that packet is locally configured as a the destination address of that packet is locally configured as a
segment or local interface. segment or local interface.
4. Packet Processing 4. Packet Processing
This section describes SRv6 packet processing at the Source, Transit This section describes SRv6 packet processing at the SR source,
and Segment Endpoint nodes. Transit and SR segment endpoint nodes.
4.1. Source SR Node 4.1. Source SR Node
A Source node steers a packet into an SR Policy and the SRH is A Source node steers a packet into an SR Policy. If the SR Policy
created as follows: results in a segment list containing a single segment, and there is
no need to add information to SRH flag or TLV, the DA is set to the
single segment list entry and the SRH MAY be omitted.
When needed, the SRH is created as follows:
Next Header and Hdr Ext Len fields are set as specified in Next Header and Hdr Ext Len fields are set as specified in
[RFC8200]. [RFC8200].
Routing Type field is set as TBD (to be allocated by IANA, Routing Type field is set as TBD (to be allocated by IANA,
suggested value 4). suggested value 4).
The DA of the packet is set with the value of the first segment. The DA of the packet is set with the value of the first segment.
The first element of the SRH Segment List is the ultimate segment. The first element of the SRH Segment List is the ultimate segment.
The second element is the penultimate segment and so on. The second element is the penultimate segment and so on.
The Segments Left field is set to n-1 where n is the number of The Segments Left field is set to n-1 where n is the number of
elements in the SR Policy. elements in the SR Policy.
The Last Entry field is set to n-1 where n is the number of The Last Entry field is set to n-1 where n is the number of
elements in the SR Policy. elements in the SR Policy.
HMAC TLV may be set according to Section 6. HMAC TLV may be set according to Section 6.
If the segment list contains a single segment and there is no need
for information in flag or TLV, then the SRH MAY be omitted.
The packet is forwarded toward the packet's Destination Address The packet is forwarded toward the packet's Destination Address
(the first segment). (the first segment).
4.1.1. Reduced SRH 4.1.1. Reduced SRH
When a source does not require the entire SID list to be preserved in When a source does not require the entire SID list to be preserved in
the SRH, a reduced SRH may be used. the SRH, a reduced SRH may be used.
A reduced SRH does not contain the first segment of the related SR A reduced SRH does not contain the first segment of the related SR
Policy (the first segment is the one already in the DA of the IPv6 Policy (the first segment is the one already in the DA of the IPv6
skipping to change at page 11, line 22 skipping to change at page 11, line 8
NOT inspect the underneath routing header and MUST forward the packet NOT inspect the underneath routing header and MUST forward the packet
toward the DA according to its IPv6 routing table. toward the DA according to its IPv6 routing table.
When a SID is in the destination address of an IPv6 header of a When a SID is in the destination address of an IPv6 header of a
packet, it's routed through an IPv6 network as an IPv6 address. packet, it's routed through an IPv6 network as an IPv6 address.
SIDs, or the prefix(es) covering SIDs, and their reachability may be SIDs, or the prefix(es) covering SIDs, and their reachability may be
distributed by means outside the scope of this document. For distributed by means outside the scope of this document. For
example, [RFC5308] or [RFC5340] may be used to advertise a prefix example, [RFC5308] or [RFC5340] may be used to advertise a prefix
covering the SIDs on a node. covering the SIDs on a node.
4.3. Segment Endpoint Node 4.3. SR Segment Endpoint Node
Without constraining the details of an implementation, the Segment Without constraining the details of an implementation, the SR segment
Endpoint Node creates Forwarding Information Base (FIB) entries for endpoint node creates Forwarding Information Base (FIB) entries for
its local SIDs. its local SIDs.
When an SRv6-capable node receives an IPv6 packet, it performs a When an SRv6-capable node receives an IPv6 packet, it performs a
longest-prefix-match lookup on the packets destination address. This longest-prefix-match lookup on the packets destination address. This
lookup can return any of the following: lookup can return any of the following:
A FIB entry that represents a locally instantiated SRv6 SID A FIB entry that represents a locally instantiated SRv6 SID
A FIB entry that represents a local interface, not locally A FIB entry that represents a local interface, not locally
instantiated as an SRv6 SID instantiated as an SRv6 SID
A FIB entry that represents a non-local route A FIB entry that represents a non-local route
No Match No Match
4.3.1. FIB Entry Is Locally Instantiated SRv6 END SID 4.3.1. FIB Entry Is Locally Instantiated SRv6 END SID
This document, and section, defines a single SRv6 SID called END. This document, and section, defines a single SRv6 SID called END.
Future documents may define additional SRv6 SIDs. In which case, the Future documents may define additional SRv6 SIDs. In which case, the
entire content of this section will be defined in that document. entire content of this section will be defined in that document.
If the FIB entry represents a locally instantiated SRv6 SID, process If the FIB entry represents a locally instantiated SRv6 SID, process
the next header of the IPv6 header as defined in section 4 of the next header of the IPv6 header as defined in section 4 of
[RFC8200] until the upper-layer header, or "No Next Header" is [RFC8200]
reached.
The following sections describe the actions to take while processing
next header fields.
4.3.1.1. SRH Processing
When an SRH is processed { When an SRH is processed {
If Segments Left is equal to zero { If Segments Left is equal to zero {
Skip SRH Processing Proceed to process the next header in the packet, whose type
is identified by the Next Header field in the Routing header.
} }
Else { Else {
If Segments Left is greater than (Last Entry+1) { If local policy requires TLV processing {
Perform TLV processing (see TLV Processing)
}
max_last_entry = ( Hdr Ext Len / 2 ) - 1
If ((Last Entry > max_last_entry) or
(Segments Left is greater than (Last Entry+1)) {
Send an ICMP Parameter Problem, Code 0, message to the Send an ICMP Parameter Problem, Code 0, message to the
Source Address, pointing to the Segments Left field, and Source Address, pointing to the Segments Left field, and
discard the packet. discard the packet.
} }
Else { Else {
Decrement Segments Left by 1. Decrement Segments Left by 1.
Copy Segment List[Segments Left] from the SRH to the Copy Segment List[Segments Left] from the SRH to the
destination address of the IPv6 header. destination address of the IPv6 header.
If the IPv6 Hop Limit is less than or equal to 1 { If the IPv6 Hop Limit is less than or equal to 1 {
Send an ICMP Time Exceeded -- Hop Limit Exceeded in Send an ICMP Time Exceeded -- Hop Limit Exceeded in
skipping to change at page 12, line 33 skipping to change at page 12, line 39
} }
Else { Else {
Decrement the Hop Limit by 1 Decrement the Hop Limit by 1
Resubmit the packet to the IPv6 module for transmission Resubmit the packet to the IPv6 module for transmission
to the new destination. to the new destination.
} }
} }
} }
} }
If the upper-layer header or No Next Header is reached { 4.3.1.1.1. TLV Processing
Local policy determines how TLV's are to be processed when the Active
Segment is a local END SID. The definition of local policy is
outside the scope of this document.
For illustration purpose only, two example local policies that may be
associated with an END SID are provided below.
Example 1:
For any packet received from interface I2
Skip TLV processing
Example 2:
For any packet received from interface I1
If first TLV is HMAC {
Process the HMAC TLV
}
Else {
Discard the packet
}
4.3.1.2. Upper-layer Header or No Next Header
Send an ICMP destination unreachable to Send an ICMP destination unreachable to
the Source Address and discard the packet. the Source Address and discard the packet.
}
4.3.2. FIB Entry is a Local Interface 4.3.2. FIB Entry is a Local Interface
If the FIB entry represents a local interface, not locally If the FIB entry represents a local interface, not locally
instantiated as an SRv6 SID, the SRH is processed as follows: instantiated as an SRv6 SID, the SRH is processed as follows:
If Segments Left is zero, the node must ignore the Routing header If Segments Left is zero, the node must ignore the Routing header
and proceed to process the next header in the packet, whose type and proceed to process the next header in the packet, whose type
is identified by the Next Header field in the Routing header. is identified by the Next Header field in the Routing Header.
If Segments Left is non-zero, the node must discard the packet and If Segments Left is non-zero, the node must discard the packet and
send an ICMP Parameter Problem, Code 0, message to the packet's send an ICMP Parameter Problem, Code 0, message to the packet's
Source Address, pointing to the unrecognized Routing Type. Source Address, pointing to the unrecognized Routing Type.
4.3.3. FIB Entry Is A Non-Local Route 4.3.3. FIB Entry Is A Non-Local Route
Processing is not changed by this document. Processing is not changed by this document.
4.3.4. FIB Entry Is A No Match 4.3.4. FIB Entry Is A No Match
Processing is not changed by this document. Processing is not changed by this document.
4.4. Load Balancing and ECMP 4.3.5. Load Balancing and ECMP
Within an SR domain, an SR source node encapsulates a packet in an Within an SR domain, an SR source node encapsulates a packet in an
outer IPv6 header for transport to an endpoint. The SR source node outer IPv6 header for transport to an endpoint. The SR source node
MUST impose a flow label computed based on the inner packet. The MUST impose a flow label computed based on the inner packet. The
computation of the flow label is as recommended in [RFC6438] for the computation of the flow label is as recommended in [RFC6438] for the
sending Tunnel End Point. sending Tunnel End Point.
At any transit node within an SR domain, the flow label MUST be used At any transit node within an SR domain, the flow label MUST be used
as defined in [RFC6438] to calculate the ECMP hash toward the as defined in [RFC6438] to calculate the ECMP hash toward the
destination address. If flow label is not used, the transit node may destination address. If flow label is not used, the transit node may
hash all packets between a pair of SR Edge nodes to the same link. hash all packets between a pair of SR Edge nodes to the same link.
At an SR segment endpoint node, the flow label MUST be used as At an SR segment endpoint node, the flow label MUST be used as
defined in [RFC6438] to calculate any ECMP hash used to forward the defined in [RFC6438] to calculate any ECMP hash used to forward the
processed packet to the next segment. processed packet to the next segment.
5. Illustrations 5. Illustrations
This section provides illustrations of SRv6 packet processing at This section provides illustrations of SRv6 packet processing at SR
source, transit and endpoint nodes. source, transit and SR segment endpoint nodes.
5.1. Abstract Representation of an SRH 5.1. Abstract Representation of an SRH
For a node k, its IPv6 address is represented as Ak, its SRv6 SID is For a node k, its IPv6 address is represented as Ak, its SRv6 SID is
represented as Sk. represented as Sk.
IPv6 headers are represented as the tuple of (source, destination). IPv6 headers are represented as the tuple of (source, destination).
For example, a packet with source address A1 and destination address For example, a packet with source address A1 and destination address
A2 is represented as (A1,A2). The payload of the packet is omitted. A2 is represented as (A1,A2). The payload of the packet is omitted.
skipping to change at page 16, line 4 skipping to change at page 16, line 38
a reduced SRH, Router 3 encapsulates the received packet P3 in an a reduced SRH, Router 3 encapsulates the received packet P3 in an
outer header with a reduced SRH. The packet is outer header with a reduced SRH. The packet is
P6: (A3, S7)(S4; SL=1)(A1, A2) P6: (A3, S7)(S4; SL=1)(A1, A2)
5.4. Transit Node 5.4. Transit Node
Nodes 5 acts as transit nodes for packet P1, and sends packet Nodes 5 acts as transit nodes for packet P1, and sends packet
P1: (A8,S7)(A9,S7;SL=1) P1: (A8,S7)(A9,S7;SL=1)
on the interface toward node 7. on the interface toward node 7.
5.5. SR End Node 5.5. SR Segment Endpoint Node
Node 7 receives packet P1 and, using the logic in section 4.3.1, Node 7 receives packet P1 and, using the logic in section 4.3.1,
sends packet sends packet
P7: (A8,A9)(A9,S7; SL=0) P7: (A8,A9)(A9,S7; SL=0)
on the interface toward router 6. on the interface toward router 6.
6. Security Considerations 6. Security Considerations
This section analyzes the security threat model, the security issues This section analyzes the security threat model, the security issues
and proposed solutions related to the new Segment Routing Header. and proposed solutions related to the new Segment Routing Header.
The Segment Routing Header (SRH) is simply another type of the The Segment Routing Header (SRH) is simply another type of the
routing header as described in [RFC8200] and is: Routing Header as described in [RFC8200] and is:
o Added by an SR edge router when entering the segment routing o Added by an SR edge router when entering the segment routing
domain or by the originating host itself. The source host can domain or by the originating host itself. The source host can
even be outside the SR domain; even be outside the SR domain;
o inspected and acted upon when reaching the destination address of o inspected and acted upon when reaching the destination address of
the IP header per [RFC8200]. the IP header per [RFC8200].
Per [RFC8200], routers on the path that simply forward an IPv6 packet Per [RFC8200], routers on the path that simply forward an IPv6 packet
(i.e. the IPv6 destination address is none of theirs) will never (i.e. the IPv6 destination address is none of theirs) will never
inspect and process the content of the SRH. Routers whose FIB inspect and process the content of the SRH. Routers whose FIB
contains a locally instantiated SRv6 SID equal to the destination contains a locally instantiated SRv6 SID equal to the destination
address field of the IPv6 packet MUST parse the SRH and, if supported address field of the IPv6 packet MUST parse the SRH if present, and
and if the local configuration allows it, MUST act accordingly to the if supported and if the local configuration allows it, MUST act
SRH content. accordingly to the SRH content.
As specified in [RFC8200], the default behavior of a non SR-capable As specified in [RFC8200], the default behavior of a non SR-capable
router upon receipt of an IPv6 packet with SRH destined to an address router upon receipt of an IPv6 packet with SRH destined to an address
of its, is to: of its, is to:
o ignore the SRH completely if the Segment Left field is 0 and o ignore the SRH completely if the Segment Left field is 0 and
proceed to process the next header in the IPv6 packet; proceed to process the next header in the IPv6 packet;
o discard the IPv6 packet if Segment Left field is greater than 0, o discard the IPv6 packet if Segment Left field is greater than 0,
it MAY send a Parameter Problem ICMP message back to the Source it MAY send a Parameter Problem ICMP message back to the Source
skipping to change at page 18, line 40 skipping to change at page 19, line 26
intercept packets containing SRH. On the other hand, if the attacker intercept packets containing SRH. On the other hand, if the attacker
can do a traceroute whose probes will be forwarded along the SR can do a traceroute whose probes will be forwarded along the SR
Policy, then there is little learned by intercepting the SRH itself. Policy, then there is little learned by intercepting the SRH itself.
6.1.5. ICMP Generation 6.1.5. ICMP Generation
Per Section 4.4 of [RFC8200], when destination nodes (i.e. where the Per Section 4.4 of [RFC8200], when destination nodes (i.e. where the
destination address is one of theirs) receive a Routing Header with destination address is one of theirs) receive a Routing Header with
unsupported Routing Type, the required behavior is: unsupported Routing Type, the required behavior is:
o If Segments Left is zero, the node must ignore the Routing header o If Segments Left is zero, the node must ignore the Routing Header
and proceed to process the next header in the packet. and proceed to process the next header in the packet.
o If Segments Left is non-zero, the node must discard the packet and o If Segments Left is non-zero, the node must discard the packet and
send an ICMP Parameter Problem, Code 0, message to the packet's send an ICMP Parameter Problem, Code 0, message to the packet's
Source Address, pointing to the unrecognized Routing Type. Source Address, pointing to the unrecognized Routing Type.
This required behavior could be used by an attacker to force the This required behavior could be used by an attacker to force the
generation of ICMP message by any node. The attacker could send generation of ICMP message by any node. The attacker could send
packets with SRH (with Segment Left not set to 0) destined to a node packets with SRH (with Segment Left not set to 0) destined to a node
not supporting SRH. Per [RFC8200], the destination node could not supporting SRH. Per [RFC8200], the destination node could
skipping to change at page 20, line 50 skipping to change at page 21, line 36
right-hand padded with 96 bits set to 0. The authors understand that right-hand padded with 96 bits set to 0. The authors understand that
this is not secure but is ok for limited tests. this is not secure but is ok for limited tests.
6.2.2. Performance impact of HMAC 6.2.2. Performance impact of HMAC
While adding an HMAC to each and every SR packet increases the While adding an HMAC to each and every SR packet increases the
security, it has a performance impact. Nevertheless, it must be security, it has a performance impact. Nevertheless, it must be
noted that: noted that:
o the HMAC field is used only when SRH is added by a device (such as o the HMAC field is used only when SRH is added by a device (such as
a home set-up box) which is outside of the segment routing domain. a home set-top box) which is outside of the segment routing
If the SRH is added by a router in the trusted segment routing domain. If the SRH is added by a router in the trusted segment
domain, then, there is no need for an HMAC field, hence no routing domain, then, there is no need for an HMAC field, hence no
performance impact. performance impact.
o when present, the HMAC field MUST only be checked and validated by o when present, the HMAC field need only be checked and validated by
the first router of the segment routing domain, this router is the first router of the segment routing domain, this router is
named 'validating SR router'. Downstream routers may not inspect named 'validating SR router'.
the HMAC field.
o this validating router can also have a cache of <IPv6 header + o this validating SR router can also have a cache of <IPv6 header +
SRH, HMAC field value> to improve the performance. It is not the SRH, HMAC field value> to improve the performance. It is not the
same use case as in IPsec where HMAC value was unique per packet, same use case as in IPsec where HMAC value was unique per packet,
in SRH, the HMAC value is unique per flow. in SRH, the HMAC value is unique per flow.
o Last point, hash functions such as SHA-2 have been optimized for o hash functions such as SHA-2 have been optimized for security and
security and performance and there are multiple implementations performance and there are multiple implementations with good
with good performance. performance.
With the above points in mind, the performance impact of using HMAC With the above points in mind, the performance impact of using HMAC
is minimized. is minimized.
6.2.3. Pre-shared key management 6.2.3. Pre-shared key management
The field HMAC Key-id allows for: The field HMAC Key-id allows for:
o key roll-over: when there is a need to change the key (the hash o key roll-over: when there is a need to change the key (the hash
pre-shared secret), then multiple pre-shared keys can be used pre-shared secret), then multiple pre-shared keys can be used
simultaneously. The validating routing can have a table of <HMAC simultaneously. The validating SR router can have a table of
Key-id, pre-shared secret> for the currently active and future <HMAC Key-id, pre-shared secret> for the currently active and
keys. future keys.
o different algorithms: by extending the previous table to <HMAC o different algorithms: by extending the previous table to <HMAC
Key-id, hash function, pre-shared secret>, the validating router Key-id, hash function, pre-shared secret>, the validating SR
can also support simultaneously several hash algorithms (see router can also support several hash algorithms (see section
section Section 6.2.1) Section 6.2.1)
The pre-shared secret distribution can be done: The pre-shared secret distribution can be done:
o in the configuration of the validating routers, either by static o in the configuration of the validating SR routers, either by
configuration or any SDN oriented approach; static configuration or any SDN oriented approach;
o dynamically using a trusted key distribution such as [RFC6407] o dynamically using a trusted key distribution such as [RFC6407]
The intent of this document is NOT to define yet-another-key- The intent of this document is NOT to define yet-another-key-
distribution-protocol. distribution-protocol.
6.3. Deployment Models 6.3. Deployment Models
6.3.1. Nodes within the SR domain 6.3.1. Nodes within the SR domain
An SR domain is defined as a set of interconnected routers where all SR Source Nodes within an SR Domain are trusted to generate IPv6
routers at the perimeter are configured to add and act on SRH. Some packets with SRH. SR segment endpoint nodes receiving packets on
routers inside the SR domain can also act on SRH or simply forward interface that are part of the SR Domain may process any packet
IPv6 packets. destined to a local segment, containing an SRH.
The routers inside an SR domain can be trusted to generate SRH and to
process SRH received on interfaces that are part of the SR domain.
These nodes MUST drop all SRH packets received on an interface that
is not part of the SR domain, destined to a locally instantiated SID,
and containing an SRH whose HMAC field cannot be validated by local
policies. This includes obviously packet with an SRH generated by a
non-cooperative SR domain.
If the validation fails, then these packets MUST be dropped, ICMP
error messages (parameter problem) SHOULD be generated (but rate
limited) and SHOULD be logged.
6.3.2. Nodes outside of the SR domain 6.3.2. Nodes outside of the SR domain
Nodes outside of the SR domain cannot be trusted for physical Nodes outside the SR Domain cannot be trusted. SR Domain Ingress
security; hence, they need to request by some trusted means (outside routers SHOULD discard packets destined to SIDs within the SR Domain
the scope of this document) a complete SRH for each new connection (regardless of the presence of an SRH) to avoid attacks on the SR
(i.e. new destination address). The received SRH MUST include an Domain. This is accomplished via infrastructure Access Lists (iACLs)
HMAC TLV which is computed correctly (see Section 6.2). applied on domain ingress nodes. However the SR Domain may be
extended to nodes outside of it via use of the SRH HMAC.
When an outside node sends a packet with an SRH and towards an SR Nodes outside the SR Domain may request, by some trusted means
domain ingress node, the packet MUST contain the HMAC TLV (with a outside the scope of this document, a complete SRH including an HMAC
Key-id and HMAC fields) and the the destination address MUST be an TLV which is computed correctly for the SRH (see Section 6.2).
address of an SR domain ingress node .
The ingress SR router, i.e., the router with a SID equal to the SR Domain ingress routers permit traffic destined to select SIDs with
destination address, MUST verify the HMAC TLV. local policy requiring HMAC TLV processing for those select SIDs,
i.e. these SIDs provide a gateway to the SR Domain for a set of
segment lists.
If the validation is successful, then the packet is simply forwarded If HMAC validation is successful, the packet is forwarded to the next
as usual for an SR packet. As long as the packet travels within the segment. Within the SR Domain no further HMAC check need be
SR domain, no further HMAC check needs to be done. Subsequent performed. However, other segments in the SR domain MAY verify the
routers in the SR domain MAY verify the HMAC TLV when they process HMAC TLV when the SRH is processed, dependent on local policy.
the SRH (i.e. when they are the destination).
If the validation fails, then this packet MUST be dropped, an ICMP If HMAC validation fails an ICMP error message (parameter problem)
error message (parameter problem) SHOULD be generated (but rate SHOULD be generated (but rate limited) and SHOULD be logged.
limited) and SHOULD be logged.
6.3.3. SR path exposure 6.3.3. SR path exposure
As the intermediate SR nodes addresses appears in the SRH, if this The SRH contains a Segment List. If an observer outside the SR
SRH is visible to an outsider then he/she could reuse this knowledge Domain is able to inspect the SRH, they may use the segments in the
to launch an attack on the intermediate SR nodes or get some insider Segment List to launch an attack on the SR Domain or obtain knowledge
knowledge on the topology. This is especially applicable when the of the topology within the SR Domain. When the SR Source node is
path between the source node and the first SR domain ingress router outside the SR Domain and the packet traverses the public internet to
is on the public Internet. the SR Domain ingress router it is likely that others will have
access to the Segment List in the SRH.
The first remark is to state that 'security by obscurity' is never IPSec Encapsulating Security Payload (ESP), [RFC4303], cannot be use
enough; in other words, the security policy of the SR domain MUST to protect the SRH as the ESP header must appear after the routing
assume that the internal topology and addressing is known by the header (including SRH).
attacker. A simple traceroute will also give the same information
(with even more information as all intermediate nodes between SID
will also be exposed). IPsec Encapsulating Security Payload
[RFC4303] cannot be use to protect the SRH as per RFC4303 the ESP
header must appear after any routing header (including SRH).
To prevent a user to leverage the gained knowledge by intercepting Exposure of segments and TLV content to observers outside the SR
SRH, it it recommended to apply an infrastructure Access Control List Domain should be considered in any deployment. There are two methods
(iACL) at the edge of the SR domain. This iACL will drop all packets to limit exposure, and attacks on segments within the SR Domain from
from outside the SR-domain whose destination is any address of any outside the SR Domain:
router interface or SID inside the domain. This security policy
should be tuned for local operations. Limit the number of segments and the TLV data exposed in SRH from
nodes outside the SR Domain.
Restrict which SIDs may accept traffic from outside the SR Domain
to only those enforcing HMAC verification by using iACLs (as
described in Section 6.3.2).
6.3.4. Impact of BCP-38 6.3.4. Impact of BCP-38
BCP-38 [RFC2827], also known as "Network Ingress Filtering", checks BCP-38 [RFC2827], also known as "Network Ingress Filtering", checks
whether the source address of packets received on an interface is whether the source address of packets received on an interface is
valid for this interface. The use of loose source routing such as valid for this interface. The use of loose source routing such as
SRH forces packets to follow a path which differs from the expected SRH forces packets to follow a path which differs from the expected
routing. Therefore, if BCP-38 was implemented in all routers inside routing. Therefore, if BCP-38 was implemented in all routers inside
the SR domain, then SR packets could be received by an interface the SR domain, SR packets could be received by an interface which is
which is not expected one and the packets could be dropped. not the expected one, and the packets could be dropped.
As an SR domain is usually a subset of one administrative domain, and As BCP-38 is only deployed at the ingress routers of an
as BCP-38 is only deployed at the ingress routers of this administrative domain, and as Packets arriving at those ingress
administrative domain and as packets arriving at those ingress routers have been forwarded using the routing information, then there
routers have been normally forwarded using the normal routing is no reason why this ingress router should drop the SRH packet based
information, then there is no reason why this ingress router should on BCP-38. Routers inside the domain commonly do not apply BCP-38;
drop the SRH packet based on BCP-38. Routers inside the domain so, this is not a problem.
commonly do not apply BCP-38; so, this is not a problem.
7. IANA Considerations 7. IANA Considerations
This document makes the following registrations in the Internet This document makes the following registrations in the Internet
Protocol Version 6 (IPv6) Parameters "Routing Type" registry Protocol Version 6 (IPv6) Parameters "Routing Type" registry
maintained by IANA: maintained by IANA:
Suggested Description Reference Suggested Description Reference
Value Value
---------------------------------------------------------- ----------------------------------------------------------
skipping to change at page 26, line 48 skipping to change at page 27, line 18
[RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation [RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
of Type 0 Routing Headers in IPv6", RFC 5095, of Type 0 Routing Headers in IPv6", RFC 5095,
DOI 10.17487/RFC5095, December 2007, DOI 10.17487/RFC5095, December 2007,
<https://www.rfc-editor.org/info/rfc5095>. <https://www.rfc-editor.org/info/rfc5095>.
[RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain
of Interpretation", RFC 6407, DOI 10.17487/RFC6407, of Interpretation", RFC 6407, DOI 10.17487/RFC6407,
October 2011, <https://www.rfc-editor.org/info/rfc6407>. October 2011, <https://www.rfc-editor.org/info/rfc6407>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200, (IPv6) Specification", STD 86, RFC 8200,
DOI 10.17487/RFC8200, July 2017, DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>. <https://www.rfc-editor.org/info/rfc8200>.
11.2. Informative References 11.2. Informative References
[I-D.filsfils-spring-srv6-interop] [I-D.filsfils-spring-srv6-interop]
Filsfils, C., Clad, F., Camarillo, P., Abdelsalam, A., Filsfils, C., Clad, F., Camarillo, P., Abdelsalam, A.,
Salsano, S., Bonaventure, O., Horn, J., and J. Liste, Salsano, S., Bonaventure, O., Horn, J., and J. Liste,
skipping to change at page 27, line 25 skipping to change at page 27, line 47
daniel.bernier@bell.ca, d., Steinberg, D., Raszuk, R., daniel.bernier@bell.ca, d., Steinberg, D., Raszuk, R.,
Matsushima, S., Lebrun, D., Decraene, B., Peirens, B., Matsushima, S., Lebrun, D., Decraene, B., Peirens, B.,
Salsano, S., Naik, G., Elmalky, H., Jonnalagadda, P., and Salsano, S., Naik, G., Elmalky, H., Jonnalagadda, P., and
M. Sharif, "SRv6 Network Programming", draft-filsfils- M. Sharif, "SRv6 Network Programming", draft-filsfils-
spring-srv6-network-programming-04 (work in progress), spring-srv6-network-programming-04 (work in progress),
March 2018. March 2018.
[I-D.ietf-spring-segment-routing-mpls] [I-D.ietf-spring-segment-routing-mpls]
Bashandy, A., Filsfils, C., Previdi, S., Decraene, B., Bashandy, A., Filsfils, C., Previdi, S., Decraene, B.,
Litkowski, S., and R. Shakir, "Segment Routing with MPLS Litkowski, S., and R. Shakir, "Segment Routing with MPLS
data plane", draft-ietf-spring-segment-routing-mpls-13 data plane", draft-ietf-spring-segment-routing-mpls-14
(work in progress), April 2018. (work in progress), June 2018.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997, DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>. <https://www.rfc-editor.org/info/rfc2104>.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
May 2000, <https://www.rfc-editor.org/info/rfc2827>. May 2000, <https://www.rfc-editor.org/info/rfc2827>.
skipping to change at page 28, line 31 skipping to change at page 29, line 7
DOI 10.17487/RFC6554, March 2012, DOI 10.17487/RFC6554, March 2012,
<https://www.rfc-editor.org/info/rfc6554>. <https://www.rfc-editor.org/info/rfc6554>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
Authors' Addresses Authors' Addresses
Stefano Previdi
Individual
Italy
Email: stefano@previdi.net
Clarence Filsfils (editor) Clarence Filsfils (editor)
Cisco Systems, Inc. Cisco Systems, Inc.
Brussels Brussels
BE BE
Email: cfilsfil@cisco.com Email: cfilsfil@cisco.com
Stefano Previdi
Individual
Italy
Email: stefano@previdi.net
John Leddy John Leddy
Comcast Comcast
4100 East Dry Creek Road 4100 East Dry Creek Road
Centennial, CO 80122 Centennial, CO 80122
US US
Email: John_Leddy@comcast.com Email: John_Leddy@comcast.com
Satoru Matsushima Satoru Matsushima
Softbank Softbank
Email: satoru.matsushima@g.softbank.co.jp Email: satoru.matsushima@g.softbank.co.jp
Daniel Voyer (editor) Daniel Voyer (editor)
Bell Canada Bell Canada
Email: daniel.voyer@bell.ca Email: daniel.voyer@bell.ca
 End of changes. 75 change blocks. 
190 lines changed or deleted 206 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/