A TIME-BASED SRv6 SID RESOLUTION MECHANISM TO ENABLE SECURE SID ADVERTISEMENTS

IP.com Disclosure Number: IPCOM000247710D
Publication Date: 2016-Sep-28
Document File: 8 page(s) / 344K

Publishing Venue

The IP.com Prior Art Database

Related People

Clarence Filsfils: AUTHOR [+2]

Abstract

A mechanism is provided that allows the dynamic change of IPv6 Security Identifiers (SIDs). Each SID is structured with a fixed and stable portion followed by a dynamically changed portion. The change occurs automatically in an Interior Gateway Protocol (IGP) advertisement over a period of time configurable by the operator. Changing the SID value over time increases the difficulty for any malicious system to send traffic to these SIDs. Controller and Border Gateway Protocol (BGP) extensions can use these time-dependent SIDs.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 35% of the total text.

A TIME-BASED SRv6 SID RESOLUTION MECHANISM TO ENABLE SECURE SID ADVERTISEMENTS

AUTHORS:

Clarence Filsfils
Stefano Previdi

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

    An IPv6 Security Identifier (SID) resolution mechanism is provided in which the IPv6 SID is advertised in the various routing protocols as a symbolic name. When the complete (e.g., 128-bit) SID is required in order to build the segment list, the symbolic name is resolved into an IPv6 (e.g., 128-bit) address SID. Multiple resolution mechanisms are possible, e.g., routing protocols, Domain Name System (DNS), Path Computation Element (PCE), and controllers. The IPv6 SID value dynamically changes over time for the same symbolic name, so the resolution process yields different SID values at different times for the same symbolic name. Therefore, even if SIDs are exposed externally, their validity and usefulness are very limited in time, making their disclosure harmless. This mechanism can be generalized to address multiple cases in which critical and sensitive network information needs to be kept from any disclosure or leak outside the operator's domain, e.g., Border Gateway Protocol (BGP) next-hop addresses.

Copyright 2016 Cisco Systems, Inc.

    Current Interior Gateway Protocol (IGP) and BGP protocol extensions allow an operator to advertise, network-wide, the IPv6 SIDs the operator has provisioned for nodes and adjacencies. It is critical that the information related to the SIDs is not leaked outside the operator company. If this happens, a malicious system may send traffic using valid IPv6 SIDs and create a security breach in the operator network. However, very often, configurations of routers are exposed to external entities. This may occur through, for example, documentation, troubleshooting reporting, presentations, and publications, where portions of configurations are documented and exposed externally. Currently, operators are very careful not to publish or disclose any internal information; however, a more secure and reliable mechanism can help to mitigate possible leakage or disclosure of SID information.
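As an added example, not taken from the disclosure, the following Python sketches the two halves described above: a resolver that turns a symbolic SID name into a 128-bit value whose high bits are stable and whose low bits rotate every operator-configured period, and an acceptance check that rejects a SID once its rotation window (plus one grace window) has passed, so a value copied from leaked configuration stops being usable. The disclosure does not specify how the dynamic portion is computed; the HMAC derivation, the /64 prefix, the one-hour period, the domain key and the SID names below are all assumptions.

```python
"""Time-based SRv6 SID resolution (illustrative, not the disclosure's code).
Assumed: a stable /64 as the fixed portion, 64 dynamic bits derived by HMAC
over (symbolic name, rotation epoch) under an operator-held key."""
import hmac
import hashlib
import ipaddress

ROTATION_PERIOD = 3600   # seconds; operator-configurable in the disclosure
STABLE_PREFIX = ipaddress.IPv6Network("2001:db8:a:1::/64")  # constructed locator
DOMAIN_KEY = b"constructed-operator-secret"                  # never advertised


def epoch(now: int, period: int = ROTATION_PERIOD) -> int:
    """Index of the rotation interval that contains time `now` (Unix seconds)."""
    return now // period


def resolve_sid(name: str, now: int, key: bytes = DOMAIN_KEY) -> ipaddress.IPv6Address:
    """Resolve a symbolic SID name to its 128-bit value for the current epoch.

    Fixed part: the stable /64 prefix.  Dynamic part: 64 bits derived from
    (name, epoch), so the value changes every ROTATION_PERIOD seconds while
    the advertised symbolic name stays the same."""
    msg = f"{name}|{epoch(now)}".encode()
    dyn = hmac.new(key, msg, hashlib.sha256).digest()[:8]
    return ipaddress.IPv6Address(int(STABLE_PREFIX.network_address) | int.from_bytes(dyn, "big"))


def accept_sid(name: str, sid: ipaddress.IPv6Address, now: int,
               key: bytes = DOMAIN_KEY, grace: int = 1) -> bool:
    """Is `sid` a currently valid value for `name`?

    The current epoch and up to `grace` previous epochs are accepted so that
    segment lists built just before a rotation still complete; anything older
    (e.g. a SID copied from an exposed configuration) is rejected."""
    if sid not in STABLE_PREFIX:          # fixed portion must match our locator
        return False
    for back in range(grace + 1):
        t = now - back * ROTATION_PERIOD
        if t >= 0 and hmac.compare_digest(resolve_sid(name, t, key).packed, sid.packed):
            return True
    return False
```

The same `resolve_sid` can back any of the resolution paths the disclosure lists (IGP, DNS, PCE, controller) as long as they share the key and clock; `accept_sid` is what a node would apply to incoming segments.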

    The SRv6 SID resolution system can be defined and implemented in the Intermediate System to Intermediate System (IS-IS) routing protocol. The same system may be implemented with other protocols, such as Open Shortest Path First (OSPF) and BGP, as well as with other resolution mechanisms such as DNS. As defined in segm...