spring                                                           Y. Liu
Internet-Draft                                             China Mobile
Intended status: Standards Track                               D. Voyer
Expires: 13 May 2024                                        Bell Canada
                                                             A. Agarwal
                                                                Rakuten
                                                       10 November 2023

 Security Considerations for SRv6 Networks based on Deployment Experience
              draft-liu-spring-srv6-security-experience-01

Abstract

   This document discusses the security considerations for SRv6 networks
   based on deployment experience.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 13 May 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Liu, et al.               Expires 13 May 2024                   [Page 1]
Internet-Draft      SRv6 Security Deployment Experience    November 2023

Table of Contents

   1.  Introduction
   2.  Securing SRv6 Networks
   3.  Security Considerations
   4.  IANA Considerations
   5.  References
     5.1.  Normative References
     5.2.  Informative References
   Appendix A.  Appendix A
   Authors' Addresses

1.  Introduction

   SRv6 is deployed in commercial networks (see
   [I-D.matsushima-spring-srv6-deployment-status] and
   [I-D.tian-spring-srv6-deployment-consideration]).  The operators of
   these networks include SoftBank, China Mobile, China Telecom, Iliad
   Italy, LINE Corporation, China Unicom, CERNET2, MTN Uganda Ltd., NOIA
   Network, Indosat Ooredoo, Rakuten, Bell Canada, Alibaba, Free France,
   STC, and other undisclosed operators.

   SRv6 endpoints are protected in the same way as the endpoints of
   other encapsulations such as GRE, L2TPv3, VXLAN, and Geneve, and as
   other infrastructure IP endpoints (e.g., loopback and interface
   addresses used for BGP peerings).

2.  Securing SRv6 Networks

   SRv6 is deployed using an SR domain as defined in [RFC8754].  The SR
   domain segment IDs (SIDs) are protected as follows [RFC8754]:

   *  Traffic traversing the SR domain is IPv6 encapsulated for its
      journey across the SR domain.  This applies both to VPN traffic
      and to global Internet traffic traversing the domain ([RFC8754],
      Section 5.2).

   *  External traffic destined to the SRv6 SID prefix is denied access
      to the domain via two means ([RFC8754], Section 5.1):

      -  Deploy an infrastructure ACL (IACL) at the external interfaces
         of the domain (e.g., links towards Internet peering routers) to
         deny packets destined to the SRv6 locator block.  That is,
         "deny ipv6 destination SRv6-locator-block".
      -  Deploy an IACL at each SRv6 endpoint node to deny packets
         destined to the SRv6 locator configured at that node from any
         source not in the operator's infrastructure prefix block.  That
         is, "permit ipv6 source infrastructure-prefix-block destination
         SRv6-locator-block" followed by "deny ipv6 source any
         destination SRv6-locator-block".

   *  Using private or non-routable prefixes for SRv6 SIDs (e.g., as
      discussed in [I-D.ietf-6man-sids], or ULA prefixes [RFC4193]) is
      also supported as an option.

   Appendix A illustrates how one operator uses the ACLs described above
   to protect the segment endpoints within the domain.

3.  Security Considerations

   This document introduces no new security considerations.

4.  IANA Considerations

   This document includes no request to IANA.

5.  References

5.1.  Normative References

   [RFC8754]  Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J.,
              Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header
              (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020.

5.2.  Informative References

   [RFC4193]  Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
              Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005.

   [I-D.tian-spring-srv6-deployment-consideration]
              Tian, H., Zhao, F., Xie, C., Li, T., Ma, J., Mwehair, R.,
              Chingwena, E., Xu, Q., Kusuma, P. H., Peng, S., Zhou, T.,
              Gao, Q., and Z. Keyi, "SRv6 Deployment Consideration",
              Work in Progress, Internet-Draft,
              draft-tian-spring-srv6-deployment-consideration-07,
              13 March 2023.

   [I-D.matsushima-spring-srv6-deployment-status]
              Matsushima, S., Filsfils, C., Ali, Z., Li, Z., Rajaraman,
              K., and A. Dhamija, "SRv6 Implementation and Deployment
              Status", Work in Progress, Internet-Draft,
              draft-matsushima-spring-srv6-deployment-status-15,
              5 April 2022.
   [I-D.ietf-6man-sids]
              Krishnan, S., "Segment Identifiers in SRv6", Work in
              Progress, Internet-Draft, draft-ietf-6man-sids-03,
              11 April 2023.

Appendix A.  Appendix A

   SRv6 is deployed within an SR domain [RFC8754] of a single provider,
   which consists of one or more ASes.  An SRv6 domain is depicted in
   the following figure.

                         An SR domain
               +-----------------------+
               | Infrastructure block: |
               |   A::/64              |
               | SRv6 locator block:   |
               |   B::/64              |
               |                       |
   External-----PE1------P------P-------PE2---External
   networks    |                       |      networks
               |                       |
               +-----------------------+

   This section shows how a one- or two-line IACL is used to secure the
   SR domain.  Suppose the infrastructure prefix block is A::/64 and the
   SRv6 locator block is B::/64.  Each ACL line below reads: action,
   source prefix, destination prefix.

   The following IACL is deployed at the external interfaces of the SR
   domain to deny packets destined to the SRv6 locator block, regardless
   of their source:

      access-list L1
        deny any, B::/64

   The following IACL is deployed at each node with an SRv6 SID
   provisioned to deny packets destined to the SRv6 locator configured
   at that node from any source not in the operator's infrastructure
   block:

      access-list L2
        permit A::/64, B::/64
        deny any, B::/64

Authors' Addresses

   Yisong Liu
   China Mobile
   Beijing
   China
   Email: liuyisong@chinamobile.com

   Daniel Voyer
   Bell Canada
   Canada
   Email: daniel.voyer@bell.ca

   Akash Agarwal
   Rakuten
   Email: akash.agrawal@rakuten.com
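The filtering described in Section 2 and Appendix A, as an added worked example (not code from the draft, nor from any operator's deployment): a small Python model of IACL L1 (external interfaces) and IACL L2 (SID-bearing nodes) applied to constructed sample packets. The prefixes A::/64 and B::/64 are the draft's placeholders; the sample addresses, first-match evaluation, and the decision to permit packets that match no line are assumptions of this example, not statements about any router platform's ACL semantics.

```python
"""Model of IACL L1 (external interfaces) and IACL L2 (SRv6 endpoint nodes).

Added example, not code from the draft.  A::/64 and B::/64 are the draft's
placeholder prefixes; the sample packets and the rule semantics (first match
wins, unmatched traffic permitted) are assumptions of this example.
"""
import ipaddress
from typing import List, Tuple

INFRA_BLOCK = ipaddress.IPv6Network("A::/64")    # operator infrastructure prefix block
LOCATOR_BLOCK = ipaddress.IPv6Network("B::/64")  # SRv6 locator block (all SIDs live here)
ANY = ipaddress.IPv6Network("::/0")

# One ACL line is (action, source prefix, destination prefix); first match wins.
Rule = Tuple[str, ipaddress.IPv6Network, ipaddress.IPv6Network]

# IACL L1, applied inbound on every external interface of the SR domain:
# nothing arriving from outside may be addressed to a SID, whatever its source.
ACL_L1_EXTERNAL: List[Rule] = [
    ("deny", ANY, LOCATOR_BLOCK),
]

# IACL L2, applied at every node that has a SID provisioned: only sources in
# the infrastructure block may address the locator block; all others are dropped.
ACL_L2_ENDPOINT: List[Rule] = [
    ("permit", INFRA_BLOCK, LOCATOR_BLOCK),
    ("deny", ANY, LOCATOR_BLOCK),
]


def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """Return the action of the first line matching (src, dst).

    The draft's ACLs only list what to deny, so a packet matching no line
    (BGP to a loopback, Internet traffic transiting the domain) is permitted
    here.  Assumption: a real platform's implicit default may differ.
    """
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "permit"


def admit(src: str, dst: str, from_external: bool) -> str:
    """Combined verdict for a packet reaching a SID-bearing node.

    L1 is in the path only when the packet entered on an external interface;
    L2 is always evaluated at the endpoint node itself.
    """
    if from_external and evaluate(ACL_L1_EXTERNAL, src, dst) == "deny":
        return "deny@L1"
    if evaluate(ACL_L2_ENDPOINT, src, dst) == "deny":
        return "deny@L2"
    return "permit"


# Constructed sample packets: (src, dst, entered on an external interface?).
SAMPLE_PACKETS = [
    ("2001:db8:1::1", "B::1", True),           # Internet host addressing a SID directly
    ("2001:db8:1::1", "2001:db8:2::1", True),  # Internet traffic transiting the domain
    ("A::1", "B::1", False),                   # PE (outer header) steering to a SID
    ("A::1", "B::1", True),                    # outsider spoofing an infrastructure source
    ("B::2", "B::1", False),                   # source taken from the locator block itself
]


def run() -> List[Tuple[str, str, bool, str]]:
    """Apply the combined decision to every sample packet."""
    return [(s, d, ext, admit(s, d, ext)) for s, d, ext in SAMPLE_PACKETS]


if __name__ == "__main__":
    for s, d, ext, verdict in run():
        print(f"{s:>16} -> {d:<16} external={ext!s:<5} {verdict}")
```

Two of the sample packets carry the practical point. The spoofed packet (source A::1 arriving on an external interface) is permitted by L2 on its own, which is why L1 must sit on every external interface and deny on destination alone, without trusting the source. The packet sourced from B::2 shows that the permit line of L2 has to cover every address an encapsulating node actually uses as outer source; if SR source addresses are drawn from outside the infrastructure block, that line needs extending or legitimate traffic is dropped (an assumption of this example, not a statement of the draft).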