Re: [bess] Secdir last call review of draft-ietf-bess-bgp-sdwan-usage-19

Linda Dunbar <linda.dunbar@futurewei.com> Tue, 06 February 2024 18:12 UTC


Stephen,

Thank you very much for the comments.
Please see the resolution below.

Linda

-----Original Message-----
From: Stephen Farrell via Datatracker <noreply@ietf.org>
Sent: Friday, February 2, 2024 8:03 AM
To: secdir@ietf.org
Cc: bess@ietf.org; draft-ietf-bess-bgp-sdwan-usage.all@ietf.org; last-call@ietf.org
Subject: Secdir last call review of draft-ietf-bess-bgp-sdwan-usage-19

Reviewer: Stephen Farrell
Review result: Has Issues

I looked at the diff from -15 to -19.

I think the main security issue of depending on BGP over TLS remains - that seems almost fictional (is it?), whereas the shepherd write-up says: "...this draft is simply describing the usage of existing technologies standardised within bess to SD-WAN." I see Roman's existing discuss already covers this.

I note that https://datatracker.ietf.org/doc/draft-wirtgen-bgp-tls/ was posted since I did the review of -15 of this draft, but that seems to be a fairly brief -00 individual submission. Presumably that work would have to have progressed significantly before this draft could reflect reality.

As this draft is aiming to become an informational RFC, I guess one could rewrite the sections mentioning TLS to say that BGP/TLS is needed for this to be secure, is not available today, but is something that is being developed (e.g. referring to draft-wirtgen-bgp-tls). However, doing that before adoption of a work item for BGP/TLS by some routing WG might well be considered premature and overly optimistic?

[Linda] Thank you very much for the suggestion. This draft operates under the assumption that a secure channel exists between the SD-WAN controller and the SD-WAN edges. In the context of extending a VPN network to the SD-WAN scenario, this secure channel can leverage the operator's primary management channel designed for VPN control. Consequently, there is no strict requirement for BGP over TLS. As a result, we can remove all references to TLS from the document.

In the "Security Considerations", is it beneficial to add a discussion of the security issue of using BGP over TLS?

Linda