Re: [bess] Secdir telechat review of draft-ietf-bess-bgp-sdwan-usage-20

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 15 February 2024 20:37 UTC

Message-ID: <5d44c832-03b9-4fac-80c9-b5e5fafa59ef@cs.tcd.ie>
Date: Thu, 15 Feb 2024 20:37:01 +0000
To: Linda Dunbar <linda.dunbar@futurewei.com>, "secdir@ietf.org" <secdir@ietf.org>
Cc: "bess@ietf.org" <bess@ietf.org>, "draft-ietf-bess-bgp-sdwan-usage.all@ietf.org" <draft-ietf-bess-bgp-sdwan-usage.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
References: <170801460098.63559.14958554152761679042@ietfa.amsl.com> <CO1PR13MB4920B20694AEF350AD0D372C854D2@CO1PR13MB4920.namprd13.prod.outlook.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <CO1PR13MB4920B20694AEF350AD0D372C854D2@CO1PR13MB4920.namprd13.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/BH-8sOrJlByezLZl9ArS7KPF5T0>

Hiya,

On 15/02/2024 17:54, Linda Dunbar wrote:
> Stephen,
> 
> BGP/TLS has been deployed (see the attached email from Robert Raszuk on using BGP over TLS in Sproute's SDWAN solution for years) even though there is only a 00 draft for BGP over TLS in IETF.

That's good news. Be even better if it could be done in an
interoperable fashion, and/or had been written up so that
others could benefit from whatever experience has been
accumulated.

> The document states that analysis of BGP over TLS is beyond the scope.

Well, it seems to both say that and to depend on BGP/TLS
for security.

> Is the following sentence better?
>        While beyond the scope of this document, conducting a comprehensive analysis might be needed to ensure the security of BGP over TLS [BGP-OVER-TLS]
> 

Seems the same to me, i.e. saying BGP/TLS is "not our job" but also
"needed for security" so I don't think that wording does the job.

That said, you're probably better off discussing this with some AD
if they ballot DISCUSS - while you and I could end up with some words
we like, you'd only risk having to re-do that to get something an AD
liked even better ;-) So given this is on a telechat soon, I'd say
better you wait for the ballots there to see what's needed.

Cheers,
S.

> 
> Thank you,
> Linda
> -----Original Message-----
> From: Stephen Farrell via Datatracker <noreply@ietf.org>
> Sent: Thursday, February 15, 2024 10:30 AM
> To: secdir@ietf.org
> Cc: bess@ietf.org; draft-ietf-bess-bgp-sdwan-usage.all@ietf.org; last-call@ietf.org
> Subject: Secdir telechat review of draft-ietf-bess-bgp-sdwan-usage-20
> 
> Reviewer: Stephen Farrell
> Review result: Has Issues
> 
> Draft-20 seems to dial-back the call for BGP/TLS, but OTOH adds text in the security considerations saying that BGP/TLS "is imperative." I'm not sure of the security pitfalls that might arise if one followed the guidance here whilst BGP/TLS is still just a non-wg -00 draft (and hence aspirational), but it seems to me like a possibly dangerous implement.