Re: [bess] Roman Danyliw's Discuss on draft-ietf-bess-bgp-sdwan-usage-20: (with DISCUSS and COMMENT)
Linda Dunbar <linda.dunbar@futurewei.com> Wed, 28 February 2024 21:17 UTC
Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A73DC14F708; Wed, 28 Feb 2024 13:17:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hqWk-l2eA_la; Wed, 28 Feb 2024 13:17:30 -0800 (PST)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2122.outbound.protection.outlook.com [40.107.94.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCF7BC14F6B7; Wed, 28 Feb 2024 13:17:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UEv9r+foGAvxmJQ4on95PAMCtCkut5p2TfJlrUuyGyH8vqcxISm/v0cXHfjvC2cMkWbzIuq6trmstcyiUSX7pRkGrdOLl2+DyzyYjHWFjCxoFQh5yo4Tfi7eI0wK7dWMCWRV7Nzx/ZgYA1KaF2JPZwtTXenEsmWoom899vkW6o+siSJ1FVvvVSfZPTF3No2ij+CKCKavOK7TaxYUXdz6PjP0ECZ6yz0VoMlleX0bUSecGVLjoGlWYDKSbsbZ4N49+yKYbCpJzZ58Zgz/Itd+lPJv9CKw8wj3J+GuWlSmPzjNpF4cFHf/KYl6znJn4pTMjUcfGe7kKKZvxv2H5l+pJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WIPyceyU9AOaU0wRthvBlemSRBOt2vpgihYAcszvtbg=; b=f9fyqnhD645beprl2h2l4ZTFVc/zjDItSPl5ZYZFBcSDiDYokp4AtyLEYb4g5VppTlDGTonksFaG4BqEW5PWgrsd7GVJlGALqMG94zc/nD/I81avsPQ4vxSnWJP/YeULhuhi7kBv3PcxuhoiAZsoPivk+R+gPRs3P7//5qM87ywoYgnW+vAN3zoPMmTKJNuR+Go2cmXQYUFaZ08esYyVGn7edoCrzNFDLBZkearjbzWX0y2QFNaWPbK3DP10LD+LmSplHuHi0bfM0tLs9EjQHeuZZQ3wHP6Sr+2+QD0Fc/CRJ2d25REpeC17b5z683OxGW9UJkeJDA6pveHMQC5JMQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WIPyceyU9AOaU0wRthvBlemSRBOt2vpgihYAcszvtbg=; b=J0ncwYAwoL2OyJxFs3LeeQeYHi1ZlLkNFdtUXbNvogteABL5sZZ+c5Rp6+Vg+vZNgRV8Gne1MIbu+9G+ZHTPO0REMiiv9CYOUGYC5xOmmstXfzguWNMKl0Ef64ln5I3NVB0T1y7Z6jEvl5KDYdZUXZX1lCc5YgyQP+i+IBjZhBk=
Received: from CO1PR13MB4920.namprd13.prod.outlook.com (2603:10b6:303:f7::17) by BY5PR13MB3651.namprd13.prod.outlook.com (2603:10b6:a03:22e::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7316.39; Wed, 28 Feb 2024 21:17:25 +0000
Received: from CO1PR13MB4920.namprd13.prod.outlook.com ([fe80::3964:b284:7035:fa48]) by CO1PR13MB4920.namprd13.prod.outlook.com ([fe80::3964:b284:7035:fa48%6]) with mapi id 15.20.7316.037; Wed, 28 Feb 2024 21:17:25 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-bess-bgp-sdwan-usage@ietf.org" <draft-ietf-bess-bgp-sdwan-usage@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "bess@ietf.org" <bess@ietf.org>, "matthew.bocci@nokia.com" <matthew.bocci@nokia.com>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-bess-bgp-sdwan-usage-20: (with DISCUSS and COMMENT)
Thread-Index: AQHaadw0/yhfL4dqWkm8mrOH/+roNrEgBaWw
Date: Wed, 28 Feb 2024 21:17:25 +0000
Message-ID: <CO1PR13MB49201534B02651B51EA4F90985582@CO1PR13MB4920.namprd13.prod.outlook.com>
References: <170907974088.34245.14629449116454808085@ietfa.amsl.com>
In-Reply-To: <170907974088.34245.14629449116454808085@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=futurewei.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR13MB4920:EE_|BY5PR13MB3651:EE_
x-ms-office365-filtering-correlation-id: 9f65d908-ec2c-4c09-3532-08dc38a2a948
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: L0fUVYya92hGm0oJz+fdWZJf9cB1F6GFPPnHuTE2SvHS+g2pwUwweSi4DkXJokZVGcOzSF0wxGK5yizveFaebyrxXl7zDrjTlAqwuo3kAdU3DEs+j/BHyxRwIKr+0A1+y5gLBG/gKY98zI8lj8Lf+W31NwhoQR1l56NVQyrwy74qHCAhZCaaAcNoP+bg92pC5XxZeCmfVDupaDNDyaaQ9Lj1O87MUnuiLyz5NAD/m1ndJ3VqBi8K6s/wN1/NzjJMcB1ONnxzLjsKNWxbjqBg/NCTu04I9dWssoHCaPvfi1KinWrVFO4tPq4i8QcKRwWkYkLAlV3QVirjySBCbDGE4u/VDp79B+A/9xrG6zqLovod8p/JXkITOEGC+qiFnsAWq4LCH3pmk3ErwzoxbcewXyciTUgRlISfw2w8i7OISuh24SCDJKBUDzhhahQ0BQG6HSnHEIMLzT0B3p0UVrVjbhgIbfi6ZaMl0UKVccTCTGI69U4BSUfy0ZCbwiEuAZPho2ywZrLkvR7ih5DIC/UjHWeg6P4VMuYXeCSgPw2Oa6fWFnZA9ArvBMxie8+jFK8bV+DztsHIB8MbaIwf2G7YfG0SGcJFYHbWsCp22klJXRDT9U7gzf74fKyohTPSpRiJFbGw4gcO4fQGNJvC2CjT4MkHwappbeRn8yrMXyGt/hOW1S/trimZzl1Kz+kRYKDog9ARlQ3G8cD0lSNLHn+0xaoHBqtKOTVePfpAIum320o=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR13MB4920.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: LwtW4bj1BeH3m1ARoFYhhgx+i+EWRhlqA7XDko3SFABDL5zROmfDYTOyn2LtF4hTx2o2DGv+Xl6D+x8FrjpIiUzhWjLi5uDQyO1jBQdj19cr2JrW+udBjCJpxdaae2XsSp6dFVLmL8UaXuyvVXMIy5GXvo1mFRljeznNEzPlmgJC14J5Somov4aXPauKz0MHliy4PcH46khRWjOCzalbMOkRBHyZthCheozD7EmEP1zotNGekioXFvooySVo5+ICHFTrYOYPk4RmWrwoXEDv73+skR4yeQdH/Il22ibC3jnKyh95x/HDmqwABupD+ru2LjbGCkoJGym2FCtxLJfS9BvZc+korwBa1ZkEQehlHU/Msu0+AKFons2FLTP2LPrVYK2CuATg+rt6CpXwuTNhA5SrXeY1HJI0eo+7gT6SzNHYqHU3gYIVkNaJ8dfpn6MpZhTPYDvWoszlfe4K6uV+m05pK0GN0WzosaJXlxzZCVxCQqhsDg6MKOKqBPMcfPginSnFtueN3C/SSkW6bibKLogXqMKaEaH52Tpz1D6Vrfzt1kHIdrGKPEP8mjOufC2a5FNiSt8x6CAJI6xm9+aOL+K8LrkRUTnq2Jz0lm7FZLRNFvG+AlF3pkufGb+o1YeGUWOdqxqJMAF7bLzcYeu5OGp6kcx5K1ykYP48AeuB9iHmwXCdowcQ8d4pD3pbkm2IGHqlgHph1sKYwRYaI+h6e0WReSxB4DFI/PSigsiXUXyBwu/+4XPQdloEPQC5w8qCUt2Nob7X1LmzkMd8KYBtuJbQsxVvZdnw1tQgFl9ybcBeKYn+jPJU3t7/GIeGzVCFdTJDLvgoOcCGHD2RzUJj0Mlkx9bl0yK1HFvBbp33di1dMVE+mZhIvJmVR7Z9NwTifSXcsFedJ5yxzS8EOLuohmSF/5s2BAfFseA0wgs0pwPPVMunJ301WSFovLcVm13j1eNudLjnm91RuRhRuRqJSXWd8pswv62ZNIisNgLCPf+ZoZf16MY2kGn0+2VPft+DrbKZnDIfIoDsx46OqTBS12NPo7/tQnsIhfSdvxWziQodzO90Lv2L4rH4rLJEKXF8IzUyZl03PFTNqBXH1jE3AXtDPydT6r4FBmkhDSXW/9NAIHVxn85jaufwyGxGlR66aYLha2+XXGxf0GvFzPrOxEZWFANI+a+gVEntVPuYhxk2lWV9wx11utPD/f2DTYrzQmZMxua1vndMx4HdkRS5NA46Tm5t2ucMjZPvHHX1jNqEk8pGYGqkec3Pw+8Nus9hb4jLyK1azR2Jm6BlKhU86jMwNl2olKWGatH8Iaf0Wkb4+KNqPX3A3sWu35lCS0yhNKhD6fmLXOUO5B6AegNyHQUB/zJxx6y8zOOrXIOAzZWvmnjbCJ2eSLLx3u52mI6Wdjk5yjVeZSH/T9cvbMVQk/vT0HWsYGYepayszij0TRwZXP3TzmcVSaBTIA8aRrvOmKbsNYmB6HtC3cA6leLY7BxSfNwZd+99uPURmhxt6hH+aWxXD8XmYdi+UQq5YSzdtw3YqwS8PkIXxOOfnBYrVfsoTuRAm44qM0QodtGXJ1e44lIRwMo5t01jQofX2yf2
Content-Type: multipart/alternative; boundary="_000_CO1PR13MB49201534B02651B51EA4F90985582CO1PR13MB4920namp_"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR13MB4920.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9f65d908-ec2c-4c09-3532-08dc38a2a948
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Feb 2024 21:17:25.5481 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sB4Hf4r/3seanVjgmv2fTdxJFJ44ZrE1d0IfkVvNtGjcVe6JznDzjZrNlAM63P/NBhthKvVorMTlCuJ7J9MjSQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR13MB3651
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/afBmh3eu7fXeiM_6Fy9XwCLTTH4>
Subject: Re: [bess] Roman Danyliw's Discuss on draft-ietf-bess-bgp-sdwan-usage-20: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 21:17:34 -0000
Roman, Thank you very much for the comments. See below detailed relies. Linda -----Original Message----- From: Roman Danyliw via Datatracker <noreply@ietf.org> Sent: Tuesday, February 27, 2024 6:22 PM To: The IESG <iesg@ietf.org> Cc: draft-ietf-bess-bgp-sdwan-usage@ietf.org; bess-chairs@ietf.org; bess@ietf.org; matthew.bocci@nokia.com; matthew.bocci@nokia.com Subject: Roman Danyliw's Discuss on draft-ietf-bess-bgp-sdwan-usage-20: (with DISCUSS and COMMENT) Roman Danyliw has entered the following ballot position for draft-ietf-bess-bgp-sdwan-usage-20: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fabout%2Fgroups%2Fiesg%2Fstatements%2Fhandling-ballot-positions%2F&data=05%7C02%7Clinda.dunbar%40futurewei.com%7Ce8527547058247aaec8108dc37f354c1%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C638446765456124442%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=QRe2wKoTRN8JBvVHfGx3KAkwrE5KDR9zg4%2Fe%2FxWgbuQ%3D&reserved=0 for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-bess-bgp-sdwan-usage%2F&data=05%7C02%7Clinda.dunbar%40futurewei.com%7Ce8527547058247aaec8108dc37f354c1%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C638446765456133760%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=6fxUOP0ZqD%2F9phgTAfft4eIiRJHLDWRYPNEI%2FvpUsro%3D&reserved=0 ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- (revised position) ** Section 8. In SD-WAN deployments where no secure management channel exists between the SD-WAN controller and the SD-WAN edges, TLS or IPsec can be established to bridge the gap. While beyond the scope of this document, conducting a comprehensive analysis is imperative to ensure the security of BGP over TLS [BGP-OVER-TLS]. This text would benefit from further specificity. My feedback below is very similar to my original DISCUSS position on -15 of this document. -- Is the "secure management channel" described here the protocol that carries the BGP? [Linda] Yes. In Scenario #3 (Section 3.4 of the document), the Secure Management Channel is the VPN provider's secure private path for managing the service provider-managed VPN. -- Assuming it is, what is a "secure management channel" that would allow BGP to travel over the Internet that isn't protected by IPsec (i.e., why can't this text roughly read, "BGP over IPsec MUST be used"). When and how should the BGP communication be secured? Section 3.1.5 does mentioned that the BGP connection must be secured (i.e., "As the connection between an SD-WAN edge and its RR can be over an insecured network, an SD-WAN edge must establish a secure connection to its designated RR upon power-up. The BGP UPDATE messages must be sent over the secure channel to the RR.") [Linda] The provider VPN management channel is NOT over Internet. They are VPN provider's secure private paths. -- The imperative, comprehensive analysis of [BGP-OVER-TLS] is not sufficiently motivated and the reference to an unadopted individual document is confusing. I agree with the recommendation of the SECDIR reviewer to drop [BGP-OVER-TLS]. Can the basis for including it be explained? [Linda] There are deployments of using BGP over TLS. See the email archive: https://mailarchive.ietf.org/arch/msg/bess/exfTl1QnJ5kq-bjEteJJFRuq3os/. TLS has been widely deployed to carry sensitive data. There is no reason that BGP messages over TLS can have any security issue. ** (Missed this on my original ballot on -15) The need for "additional anti-DDoS mechanism" is mentioned in the text in Sections 6.2.2, 6.3.2, 8. Can the expected mechanisms please be clarified. [Linda] As mentioned in the reply to John Scudder comment: anti-DDoS is a commonly used tool for any interface facing ports. It is out of the scope of this document to describe the details. Is adding the following sentence helpful? "The anti-DDoS mechanism comprises numerous components, and their detailed discussion is beyond the scope of this document." ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Stephen Farrell for the SECDIR review. I support the DISCUSS position of John Scudder. ** Section 2. Editorial. If Section 3.2. defines "Homogeneous Encrypted SD-WAN" and the term isn't used prior to that. Consider if this needs the definition. [Linda] Homogeneous Encrypted SD-WAN is in the Terminology section. The more detailed description is in Section 3.2. ** Section 2. SD-WAN IPsec SA: IPsec Security Association between two WAN ports of the SD-WAN nodes or between two SD-WAN nodes. Is it "two SD-WAN nodes" or "two SD-WAN edge nodes"? If the former, what is an "SD-WAN" node that isn't an edge node? [Linda] Same. Change to "SD-WAN edge nodes. ** Section 3.1.2. This sections seems to suggest that various MEF 70.1 behavior needs to be supported. This suggests that [MEF70.1] needs to be a normative reference. [Linda] A procedure question: Can IETF use MEF70.1 as normative reference? ** Section 3.1.3. Editorial. SD-WAN Traffic Segmentation enables the separation of the traffic based on the business and the security needs of different user groups and/or application requirements. Each user group and/or application may need different isolated topologies and/or policies to fulfill the business requirements. Isn't a security need also a need of the business? Otherwise, the second sentence should read "... to fulfill the business and security requirements". [Linda] Added. ** Section 3.1.3. Editorial. The traffic from the PoS application follows a tree topology (denoted as "----" in the figure below), whereas other traffic can follow a multipoint-to-multipoint topology (denoted as "==="). In the figure, where is the PoS application, in one of the "Site #"? [Linda] PoS application is in every site. Is there an assumption that traffic "flows up" from the sites to the payment gateway? Where is the a "---" link from the "===="-connected "multi-point connection for non-payment traffic"? [Linda] This is a use case showing an SD-WAN topology for PoS application in every site to go to the Payment Gateway. "Up" is only for illustration purpose. "====" is a multi-point-multi-point connection among all sites. "----" is a hub-spoke connection between Payment Gateway to each Site. ** Section 3.1.4 - Upon power-up, the SD-WAN edge can establish the transport layer secure connection [BCP195] to its controller, whose URL (or IP address) and credential for connection request can be preconfigured on the edge device by the manufacture, external USB or secure Email given to the installer. Same feedback as provided on the ballot of the -15 version of this document: Can the last two configuration options be clarified. [Linda] Do you think it is necessary to add the detailed steps for using USB or email approach? We can add the following if you don't think it is too much: "The external USB method involves providing the installer with a pre-configured USB flash drive containing the necessary configuration files and settings for the SD-WAN device. The secure Email approach entails sending a secure email containing the configuration details for the SD-WAN device. " -- per "external USB". Do you mean a USB _drive_ of some kind that is plugged in and the edge device knows to read what ever is on the drive to configure itself? Does this mean anyone with physical access to the USB plug can power cycle the machine and can reconfigure it? -- per "secure email", does this mean that the installer configures the device based on something typed in? What's "secure" about the email? [Linda] Yes, USB Flash Drive. Neither of these mechanisms seem like "Zero Touch". They seem like the definition of human-in-the-loop. [Linda] Agree. That is what the SD-WAN industry call it. Intent of this document is to make it clear. The first sentence of the section says " SD-WAN Zero-Touch Provisioning (ZTP) allows devices to be configured and provisioned centrally without the need to dispatch a network engineer to the field to configure the remote devices." ** Section 3.1.4. My understanding of Section 3.1.* was that it was series of requirements to be fulfilled by using BGP with SDWAN. Per Zero Touch Provisioning, in what way is BGP involved in this provisioning? I'm not sure how this section fits into the scope of the document. [Linda] 3.1.4 is to explain the SD-WAN requirement. This document is to describe how BGP can make it even better. ** Section 3.2 - A small branch office connecting to its HQ offices via the Internet. All traffic to/from this small branch office must be encrypted, usually achieved by IPsec Tunnels [RFC6071]. - A store in a shopping mall may need to securely connect to its applications in one or more Cloud DCs via the Internet. A common way of achieving this is to establish IPsec SAs to the Cloud DC gateway to carry the sensitive data to/from the store. What is the technical difference between an "IPsec Tunnel" per the branch office use case and a "IPsec SA" in the store in the mall use case? [Linda] IPsec SA is to achieve the IPsec tunnel. ** Section 4.3 In the context of a BGP- controlled SD-WAN, BGP UPDATE messages can disseminate IPsec- related attribute values for each node Per the ballot on -15 of this draft, I asked "Please provide a reference to the specification which provides guidance on the BGP TLVs to provision IPsec. Is that draft-ietf-idr-sdwan-edge-discovery? This should be a normative reference." I still believe additional clarity is required. [Linda] draft-ietf-bess-bgp-sdwan-usage is supposed to describe the SD-WAN scenario, requirements, and justifications for BGP to control the SD-WAN. The draft-ietf-idr-sdwan-edge-discovery is for actual protocol extension. ** Section 5.2. In the figure below, the BGP UPDATE message from C-PE2 to RR can have the client routes encoded in the MP-NLRI Path Attribute and the IPsec Tunnel associated information encoded in the Tunnel- Encapsulation [RFC9012] Attributes. Per https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.iana.org%2Fassignments%2Fbgp-tunnel-encapsulation%2Fbgp-tunnel-encapsulation.xhtml&data=05%7C02%7Clinda.dunbar%40futurewei.com%7Ce8527547058247aaec8108dc37f354c1%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C638446765456145140%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=VbnyQtFICWuyoQEOkQ9QXq%2B90AmOOxY49q8ZkHW8aa4%3D&reserved=0, is that value=25 ** [SECURE-EVPN] is referenced a few times in the course of the draft. Is the WG confident that this expired draft is appropriate to use? [Linda] we took the sub-TLVs from the [SECURE-EVPN] document as the SECURE-EVPN is not progressing. The writing is to acknowledge that we took the definitions from there. We can remove the reference. ** Section 8. Adding an Internet-facing WAN port to a C-PE can introduce the following security risks: 1) Potential DDoS attacks from the Internet-facing ports. 2) Potential risk of malicious traffic being injected via the Internet-facing WAN ports. 3) For the Differential Encrypted SD-WAN deployment model, there is a risk of unauthorized traffic injected into the Internet- facing WAN ports being leaked to the L2/L3 VPN networks. Therefore, the additional anti-DDoS mechanism must be enabled on all Internet-facing ports to prevent potential attacks from those ports. I'm having trouble understanding what is considered in-scope for these Security Considerations. I was under the impression that the focus was the use of BGP as the control plane for SD-WAN communication. Does it also include the "tunnels"/links configured by the SD-WAN via BGP. [Linda] The In-Scope Security Consideration includes the three bullets documented, because by default the PE's ports don't have those features enabled. -- If the security properties of tunnels/links configured by the SD-WAN BGP are in scope, then a reminder that links transiting non-Internet links are subject to security properties negotiated in the SLAs of that provided. [Linda] The "non-internet links" are provider managed VPN links/paths. They are considered as secure as the VPN (e.g., MPLS networks, SRv6 networks, etc.) provided by the service providers. Specifically, on -15 of this document, I previously balloted "** Section 8. The different deployment models also seem to place different levels of trust in the service providers. Consider mentioning these differences." -- Likely because I don't understand the definition of "Internet-facing ports" in the this context, I don't see a difference between risk (2) and (3). (2) seems like a more general version of (3). [Linda] the document is describing the SD-WAN expanded from the conventional VPN. In VPN, the WAN ports are facing VPN provider managed paths/trunks. -- What is the relationship between "anti-DDoS mechanism" and risk (2) of malicious traffic being injected? Malicious traffic injection isn't necessarily a DDoS. [Linda] You are correct. Most people think so. -- I observe that there are no inherited Security Considerations from IPsec or BGP mentioned here. Per the ballot on -15 of the document, "This document seems to build on a number of other technologies. Do their security considerations not apply (e.g., BGP, whatever ZTP technologies is chosen)?", this feedback still applies. [Linda] Do you want us to add: the USB flash drive could be mistaken by unauthorized personal? Isn't it obvious? Something like: "With the external USB method, it is imperative to ensure the physical security of the USB flash drive, as its loss or unauthorized access could compromise critical network information. Similarly, the secure Email approach demands robust email security measures to prevent interception or unauthorized access during transmission. Employing encryption and authentication mechanisms for the secure email ensures that the configuration details remain confidential, mitigating the risk of unauthorized parties gaining access to sensitive information". ** Section 10.1 Please provide the appropriate citation for [BCP195] [BCP195] Consists of RFC8996 and RFC9325
- [bess] Roman Danyliw's Discuss on draft-ietf-bess… Roman Danyliw via Datatracker
- Re: [bess] Roman Danyliw's Discuss on draft-ietf-… Linda Dunbar