Re: [Gen-art] Gen-ART Last Call review of draft-ietf-idr-bgp-extended-messages-33

Alissa Cooper <alissa@cooperw.in> Tue, 06 August 2019 17:14 UTC

From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <m2pnmpwllf.wl-randy@psg.com>
Date: Tue, 06 Aug 2019 13:14:02 -0400
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-idr-bgp-extended-messages.all@ietf.org
Message-Id: <B68B0E5C-EB56-410D-9F40-B42684665FA3@cooperw.in>
References: <e96e60ca-8b54-9209-9789-189447cc1f70@alum.mit.edu> <m24l41y7q9.wl-randy@psg.com> <aceceeb3-ba85-0f32-0242-978700063954@alum.mit.edu> <m2pnmpwllf.wl-randy@psg.com>
To: Randy Bush <randy@psg.com>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/Q-rqID5glRxAiewxH8MPXDvRWOM>
Subject: Re: [Gen-art] Gen-ART Last Call review of draft-ietf-idr-bgp-extended-messages-33

Paul, thanks for your review. Randy, thanks for the new text. I entered a No Objection ballot.

Alissa


> On Jul 4, 2019, at 5:12 PM, Randy Bush <randy@psg.com> wrote:
> 
>>>> 2) NIT:
>>>> 
>>>> Reading the last two security considerations in section 8 leaves me
>>>> concerned. I was expecting to see some further discussion of how these
>>>> issues can be mitigated, or why it is OK that they are not.
>>> 
>>> i am not sure if there are mitigations.
>>> 
>>> i believe that the hope is that actual message lengths are well below 4k
>>> today, and this will deploy before they really grow.  e.g. we do not
>>> expect bgpsec in more than five years, more likely ten.
>> 
>> I didn't have a good idea what to expect in the way of mitigations,
>> but the consequences seemed relatively dire.
>> 
>> Perhaps you could put in some of this explanation and stress the need
>> for support to be deployed widely before it is needed.
> 
> i will work on something.
> 
> but there is a hidden problem.  bgpsec drafts used to say extended
> message capability was mandatory.  but lack of progress of this draft
> was seen as delaying bgpsec (which, in my mind, is kinda like delaying
> ipv6:).  so the requirement was removed.  the result is that we have
> to be careful suggesting issues with bgpsec lest we have to read 312
> emails from <characterisation deleted>.
> 
> and bgp-ls has its own yaks to shave.
> 
> but we can easily give guidance such as not packing a jillion nlri in
> an extended message when they can be spread over 4k traditional
> updates.
> 
> lemme work on this.  e.g. maybe the Operations section could have
> something such as
> 
>   During the years of incremental deployment, speakers that are capable
>   of Extended Messages should not simply pack as many NLRI in a message
>   as they can, or otherwise unnecessarily generate UPDATES above the
>   4,096 octet pre-Extended Message limit, so as not to require
>   downstream routers to decompose for peers that do not support
>   Extended Messages.  See Section 8.
> 
> then, in Sec Cons, the first threat you mention, a bit of mild snark
> may help
> 
>   If a remote attacker is able to craft a large BGP Extended Message to
>   send on a path where one or more peers do not support BGP Extended
>   Messages, peers which support BGP Extended Messages may act to reduce
>   the outgoing message, see Section 4, and in doing so allow a
>   downgrade attack.  This would only affect the attacker's message,
>   where 'downgrade' has questionable meaning.
> 
> i am not sure we can mitigate the second threat (fifth in the
> section).  if anyone has clue, do tell.
> 
> randy
> 
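The packing guidance quoted above (keep UPDATEs within the classic 4,096-octet limit during incremental deployment so that downstream peers never have to decompose them), as an added illustration that is not part of the thread or of the draft. Message sizes follow the RFC 4271 UPDATE layout; the attribute size and the prefix list are constructed values.

```python
# Added example (not from the draft or the thread): packing NLRI that share
# one attribute set into BGP UPDATE messages under a chosen size budget.
# A speaker capable of Extended Messages could emit one large UPDATE, but
# packing to CLASSIC_MAX keeps every message usable by non-Extended peers.

BGP_HEADER_LEN = 19    # marker (16) + length (2) + type (1), RFC 4271
CLASSIC_MAX = 4096     # RFC 4271 maximum message size
EXTENDED_MAX = 65535   # BGP Extended Message maximum

def nlri_len(prefix_len: int) -> int:
    """Wire size of one IPv4 NLRI: 1 length octet + ceil(prefix_len / 8)."""
    return 1 + (prefix_len + 7) // 8

def update_len(attr_len: int, nlri: list) -> int:
    """UPDATE size: header + withdrawn-len (2) + attr-len (2) + attrs + NLRI."""
    return BGP_HEADER_LEN + 2 + 2 + attr_len + sum(nlri_len(p) for p in nlri)

def pack_updates(prefix_lens: list, attr_len: int, limit: int) -> list:
    """Greedily batch NLRI into UPDATEs whose wire size stays <= limit.
    Returns a list of NLRI batches; raises if the attributes alone do not fit."""
    batches, current = [], []
    for p in prefix_lens:
        if update_len(attr_len, current + [p]) > limit:
            if not current:
                raise ValueError("attributes alone exceed the message limit")
            batches.append(current)
            current = [p]
        else:
            current.append(p)
    if current:
        batches.append(current)
    return batches

def needs_decomposition(attr_len: int, nlri: list) -> bool:
    """True if a downstream peer without Extended Messages could not carry it."""
    return update_len(attr_len, nlri) > CLASSIC_MAX

if __name__ == "__main__":
    prefixes = [24] * 2000   # constructed: 2000 /24 routes with identical attributes
    attrs = 40               # constructed: 40 octets of path attributes
    big = pack_updates(prefixes, attrs, EXTENDED_MAX)   # one 8,063-octet UPDATE
    safe = pack_updates(prefixes, attrs, CLASSIC_MAX)   # two UPDATEs <= 4,096 octets
    print(len(big), needs_decomposition(attrs, big[0]))
    print(len(safe), any(needs_decomposition(attrs, b) for b in safe))
```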