China Mobile

No.32 XuanWuMen West Street Beijing 100053 China duzongpeng@foxmail.com

Routing Area Spring Working Group SRH This document describes an encryption mechanism for the SRv6 function in the SRv6 nodes. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

In , a trusted network path mechanism based on SRv6 is proposed to enable the path verification. To protect the path information, when forwarding a packet with an encrypted SRH header, each intermediate router needs to replace the source and destination filed of IPv6 Header with itself IPv6 address and its downstream router's IPv6 address and then forward it. However, it is more straightforward that we still maintain the IPv6 header as usual, and just encrypt the function part of each SID. Thus, the attacker will only know where the packet would be forwarded to, and will not know what function would be executed in the next destination. This document proposes an encryption mechanism for the SRH header to enhance the SRv6 security and protect the personal privacy in an SRv6 network.

According to , an SRv6 SID can contain LOC, FUNCT, and ARG parts, where a locator (LOC) is routeable in the network, and the function (FUNCT) and arguments (ARG) will trigger the specific behavior on the corresponding node. The ARG can also be regarded as part of the FUNCT, which may or maynot appear in an SRv6 SID. In this document, we suggest that we can encrypt the FUNCT part, and the ARG part if included. In the scenario, every node that supports the additional security of the function in the segment list, should have a key for the encryption. The encrypted SIDs should be marked, so that the node can decrypt the FUNCT part, and trigger the proper behavior. A general procedure called option 1 in this document is described as follows: The network element that makes up the SID list, for example the controller or the Headend node, should have the keys of the nodes along the path. When scheduling the SID list, the network element can encrypt the FUNCT part of an SID by using the key of the node related to the SID. Hence, the LOC part in the SID list is plaintext，and the FUNCT part is ciphertext. If the FUNCT part is encrypted, a flag should also be marked for it. The Headend node sends out the packet containing the encrypted SID and the flag. When an intermediate router receives the packet and the LOC part in the DA can be matched, it will see the flag and decrypt the FUNCT part. After that, the SID will be looked up in the SID table. The key should be the same as the one that is used to make up the SID. The intermediate router executes the function, and if the current SID is not the last one, the intermediate router forwards the packet to the next destination. Alternatively, we can also encrypt the LOC part of the next SID, so as to protect the path information. Another procedure called option 2 in this docuanment is described as follows: The network element that makes up the SID list, for example the controller or the Headend node, should have the keys of the nodes along the path. When scheduling the SID list, the network element can encrypt the FUNCT part of an SID and the LOC part of the next SID if present by using the key of the node related to the current SID. Hence, the LOC part of the first SID is plaintext, the LOC part of the other SID is ciphertext, and the FUNCT part of all SIDs is ciphertext. If the FUNCT part is encrypted, a flag should be marked for it. The Headend node sends out the packet containing the encrypted SID and the flag. When an intermediate router receives the packet and the LOC part in the DA can be matched, it will see the flag and decrypt the FUNCT part, and the LOC part of the next SID if present. After that, the decrypted SID will be looked up in the SID table. The key used for the decryption should be the same as the the one that is used to make up the SID. The intermediate router executes the function, and if the current SID is not the last one, the intermediate router forwards the packet to the next destination. For the traditional mechanism, option 1, and option 2, three figures are shown as below.

| P |<----->| P |<----->| PE | +----------+ +----------+ +----------+ +----------+ Traditional: underlayIP underlayIP underlayIP = = = with SRH=( with SRH=( with SRH=( Egress::F3, Egress::F3, Egress::F3, P2::F2, P2::F2, P2::F2, P1::F1, P1::F1, P1::F1, SL=2 SL=1 SL=0 ) ) ) overlayIP overlayIP overlayIP = = = ]]>

In Figure 1, the packet from a client enters the provider network, and is encapsulated with another IP header with an SRH containing three SIDs. The Ingress PE is the Headend node, and the P1 and P2 nodes are the intermediate routers.

| P |<----->| P |<----->| PE | +----------+ +----------+ +----------+ +----------+ Option1: underlayIP underlayIP underlayIP = = = with SRH=( with SRH=( with SRH=( Egress::EF3, Egress::EF3, Egress::EF3, P2::EF2, P2::EF2, P2::EF2, P1::EF1, P1::EF1, P1::EF1, SL=2 SL=1 SL=0 ) ) ) overlayIP overlayIP overlayIP = = = ]]>

In Figure 2, the format of the packet is similar to the traditional one, but the function part is encrypted. For example, after the P1 node receives the EF1, it will be decrypted to F1, and then trigger the proper function.

| P |<----->| P |<----->| PE | +----------+ +----------+ +----------+ +----------+ Option2: underlayIP underlayIP underlayIP = = = with SRH=( with SRH=( with SRH=( EEgress::EF3, EEgress::EF3, EEgress::EF3, EP2::EF2, EP2::EF2, EP2::EF2, P1::EF1, P1::EF1, P1::EF1, SL=2 SL=1 SL=0 ) ) ) overlayIP overlayIP overlayIP = = = ]]>

In Figure 3, the format of the packet is similar to the option 1. Additionally, the LOC part is also encrypted except the first SID. After the P1 node receives the EF1, it will be decrypted to F1, and then trigger the proper function. Meanwhile, the P1 node will also decrypt the EP2 to P2, so as to make up the next DA as P2::EF2, which is routeable, instead of the EP2::EF2.

TBD.

TBD.

TBD.