SPRING F. Yang Internet-Draft X. Zhang Intended status: Standards Track China Mobile Expires: 19 June 2026 C. Lin New H3C Technologies H. Zhang Tsinghua University 16 December 2025 SRv6 Path Verification draft-yang-spring-srv6-verification-02 Abstract SRv6 is being rapidly deployed and is currently primarily used in trusted-domain backbone networks. However, we have also observed that SRv6 is beginning to extend toward end-user devices, e.g., in SD-WAN deployments. SD-WAN can be deployed in third-party clouds or at customer sites, causing the physical boundary of SRv6 to become blurred. This introduces certain security risks, such as packet injection and path manipulation attacks. Section 6 of [I-D.draft-ietf-spring-srv6-security] identifies these risks as well, including Section 6.2.1 on Modification Attacks and Section 6.2.3 on Packet Insertion. This proposal mitigates these risks by enhancing the HMAC mechanism defined in [RFC8754]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 19 June 2026. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. Yang, et al. Expires 19 June 2026 [Page 1] Internet-Draft SRv6 Path Verification December 2025 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Process . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. SRv6 SID Verify TLV . . . . . . . . . . . . . . . . . . . 5 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 4.1. SRv6 SID Verify TLV . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 6.2. Informative References . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction SRv6 is being rapidly deployed and is currently primarily used in trusted-domain backbone networks. However, we have also observed that SRv6 is beginning to extend toward end-user devices, e.g., in SD-WAN deployments. SD-WAN can be deployed in third-party clouds or at customer sites, causing the physical boundary of SRv6 to become blurred. This introduces certain security risks, such as packet injection and path manipulation attacks. Section 6 of [I-D.draft-ietf-spring-srv6-security] identifies these risks as well, including Section 6.2.1 on Modification Attacks and Section 6.2.3 on Packet Insertion. This proposal mitigates these risks by enhancing the HMAC mechanism defined in [RFC8754]. [RFC8754] describes how to use the HMAC TLV to verify the integrity and authenticity of the SRH(Segment Routing Header) during the transmission process, and to prevent the SRH from being maliciously tampered with or forged. Although the HMAC mechanism specified in RFC 8754 can verify the integrity of the entire SID List, if we want to force the SRv6 endpoints the packet must pass through during forwarding, it is necessary to retain some information each time the packet passes through an SRv6 endpoint. This draft proposes an enhancement to HMAC specificed by RFC 8754 that provides the capability to enforce the packet's forwarding path to go through all Yang, et al. Expires 19 June 2026 [Page 2] Internet-Draft SRv6 Path Verification December 2025 or certain SRv6 endpoints in the SID List. Meanwhile, the SRv6 HMAC mechanism performs end-to-end cryptographic verification of the entire IPv6 header and SRH header, which significantly increases the processing performance and storage overhead of forwarding chips, making it challenging to implement in practical commercial deployments. This document proposes a path verification mechanism for SRv6, which adopts a hop-by-hop cryptographic computation on the destination segment identifier at each node, combined with an end-to-end verification at the last hop. Although the HMAC mechanism specified in RFC 8754 can verify the integrity of the entire SID List, if we want to force the SRv6 endpoints the packet must pass through during forwarding, it is necessary to retain some information each time the packet passes through an SRv6 endpoint. This draft proposes an enhancement to HMAC specificed by RFC 8754 that provides the capability to enforce the packet's forwarding path to go through all or certain SRv6 endpoints in the SID List. And this approach also significantly reduces the processing overhead associated with hop-by- hop path verification. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. Process The improved SRv6 path verification mechanism proposed in this document follows the processing flow at the head node, intermediate nodes, and tail nodes as described below: Attack traffic: SRH (P1, P3, PE2) w/ HMAC captured from user traffic | | +----+ +---->| P2 | /+----+\ / \ +------+ +-+--+ +-+--+ +------+ | Head |------| P1 |-----| P3 |------| Tail | +---+--+ +----+ +----+ +------+ | +<---- User traffic: SRH (P1, P3, PE2) w/ correct HMAC Figure 1: Example topo Yang, et al. Expires 19 June 2026 [Page 3] Internet-Draft SRv6 Path Verification December 2025 Head Node: The head node sends an IPv6/SRv6 packet. It encrypts the destination segment identifier (i.e., the SID of the first intermediate node) using a predefined encryption algorithm (e.g., HMAC, CRC, or other generic algorithms) and a pre-shared key, generating verification information 1. This verification information 1 is then inserted into a specified field of the packet (e.g., the Segment Routing Header (SRH) label field, SRH TLV field, path segment field, or IPv6 extension header), In this document, it is assumed that the mechanism is implemented by extending the "SRv6 SID Verify TLV" and incorporating it into the SRH (Segment Routing Header). The packet, now containing verification information 1, is forwarded to the first intermediate node. Intermediate Nodes: The first intermediate node receives the IPv6/SRv6 packet from the head node, which includes verification information 1 and the destination segment identifier of the next hop (i.e., the SID of the second intermediate node). The intermediate node reads verification information 1 and the segment identifier of the next hop from the packet, and then encrypts the verification information 1 and the segment identifier of the next hop using the same predefined encryption algorithm and pre-shared key, respectively. It then sums up verification information 2 through a predefined operation (e.g., weighted summation), generating verification information 2, which will be inserted into the same specified field of the packet, which is then forwarded to the second intermediate node. Subsequent intermediate nodes repeat this process, sequentially propagating the combined results of their own and all preceding nodes' calculations. Tail Node: The tail node receives the packet from the last intermediate node, which carries the combined verification information. It will compare the combined verification information with pre-calculated path verification value. If they do not match, the packet is considered routed by unexpected path and can be discarded. If they match, the packet strictly follows the SID List carried in the packet. In case of a mismatch, tail node can compare these results with its own calculations to identify the specific node where the verification failed, enabling traceability of the verification anomaly. In summary, the algorithm works in the following way. Define ALG_n(x) = ALG(kn, x), kn is the key for node n, and x is the SID in the destination address, and Yn is the path verification information carried by the packet and updated on each hop. Suppose the SRv6 path Yang, et al. Expires 19 June 2026 [Page 4] Internet-Draft SRv6 Path Verification December 2025 starts from Node1 and ends on Node4, the path verification information would be computed as below on each node. Node1: Y1 = ALG_1(SID_2); Node2: Y2 = ALG_2(SID_3) + ALG_2(Y1); Node3: Y3 = ALG_3(SID_4) + ALG_3(Y2); Node4: Y4 = ALG_3(SID_4) + ALG_4(y3). Optionally, on last hop node, if the verication failed it can send the packet to the SDN controller. Because Yn and ALG_n(x) is known to SDN controller, it can identify which nodes has been bypassed. In this way, the intermediate nodes specified by in the SID list will not be allowed to be bypassed since every hop will have fingerpint in the Yn. 3. Extensions 3.1. SRv6 SID Verify TLV A new SRv6 SID Verify TLV is requested from "Segment Routing Header TLVs" in this document. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type(TBD) | Length | Algorithm ID | Key Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Auth Key ID (variable) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | // | Signature (variable) // | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type (1 octets): TBD, SRv6 SID Verify TLV Length (1 octets): The length of the variable-length data in bytes. Algorithm ID(1 octets): The ID of encryption Algorithm. Key Len(1 octet): Length of pre-shared Auth Key ID: pre-shared key to encrypt the SID. Signature: encrypted SID data, variable, in multiples of 8 octets. Figure 2: SRv6 SID Verify TLV 4. IANA Considerations Yang, et al. Expires 19 June 2026 [Page 5] Internet-Draft SRv6 Path Verification December 2025 4.1. SRv6 SID Verify TLV A new SRv6 SID Verify TLV is requested from "Segment Routing Header TLVs". +=======+=====================+===============+ | Value | Description | Reference | +=======+=====================+===============+ | 0 | SRv6 SID Verify TLV | This document | +-------+---------------------+---------------+ Table 1: Code Point 5. Security Considerations This document should not affect the security of the Internet. 6. References 6.1. Normative References [RFC8754] Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J., Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 6.2. Informative References [I-D.draft-ietf-spring-srv6-security] Buraglio, N., Mizrahi, T., tongtian124, Contreras, L. M., and F. Gont, "Segment Routing IPv6 Security Considerations", Work in Progress, Internet-Draft, draft- ietf-spring-srv6-security-09, 6 November 2025, . Authors' Addresses Yang, et al. Expires 19 June 2026 [Page 6] Internet-Draft SRv6 Path Verification December 2025 Feng Yang China Mobile China Email: yangfeng@chinamobile.com Xiaoqiu Zhang China Mobile China Email: zhangxiaoqiu@chinamobile.com Changwang Lin New H3C Technologies China Email: linchangwang.04414@h3c.com Han Zhang Tsinghua University China Email: zhhan@tsinghua.edu.cn Yang, et al. Expires 19 June 2026 [Page 7]