Re: [GROW] I-D Action: draft-ietf-grow-bgpopsecupd-01.txt

Tobias Fiebig <tobias@fiebig.nl> Fri, 26 January 2024 10:56 UTC


Moin,
after just importing the adopted draft last week, I now added all
feedback I received since 117 to the document and submitted -01.

I would appreciate additional feedback on the new iteration of the
draft either on the list, or directly as a ticket here:
https://github.com/ichdasich/draft-ietf-grow-bgpopsecupd/issues

Changes from -00 include:
# Changes:
- Clarified scope (excl. DC BGP)
- Addressed comments on TCP-AO
- Addressed comments on VRF confinement/OOB/IB for Control Plane
  Protection
- Contextualized iBGP TCP Auth
- Added note on using a VRF for IXP peerings
- Expanded on AS_PATH filtering/manipulation
- Added extended communities to scrubbing, added in/out scrubbing
- Expand attribute scrubbing, add attribute healing
- Included note on not using communities to signal validation state
- Clarified connection between ASPA and OTC
- Added note on filter Idempotency
- Added section on behavior at IXPs, incl. not using LOCAL_PREF and
  honoring GSHUT
- Explicitly reference issues with MED induced route oscillation
- Shortened abstract
- Fixed a logic-error in the reference to ASPA
- Set the document to obsolete RFC7545, if approved

# Nits:
- Fixed reference to working group
- Aligned some terms

The full diff can be found here:
https://github.com/ichdasich/draft-ietf-grow-bgpopsecupd/compare/draft-ietf-grow-bgpopsecupd-00...draft-ietf-grow-bgpopsecupd-01


With best regards,
Tobias

On Fri, 2024-01-26 at 02:51 -0800, internet-drafts@ietf.org wrote:
> Internet-Draft draft-ietf-grow-bgpopsecupd-01.txt is now available.
> It is a work item of the Global Routing Operations (GROW) WG of the
> IETF.
> 
>    Title:   Updated BGP Operations and Security
>    Author:  Tobias Fiebig
>    Name:    draft-ietf-grow-bgpopsecupd-01.txt
>    Pages:   55
>    Dates:   2024-01-26
> 
> Abstract:
> 
>    The Border Gateway Protocol (BGP) is the protocol almost exclusively
>    used in the Internet to exchange routing information between network
>    domains.  Due to this central nature, it is important to understand
>    the security and reliability measures that can and should be deployed
>    to prevent accidental or intentional routing disturbances.
> 
>    Previously, security considerations for BGP have been described in
>    RFC7454 / BCP194.  Since the publications of RFC7454 / BCP194,
>    several developments and changes in operational practice took
> place
>    that warrant an update of these best current practices.  This
>    document replaces RFC7454 / BCP194, reiterating the best practices
>    for BGP security from that document and adding new practices and
>    recommendations that emerged since its publication.
> 
>    This document provides a comprehensive list of Internet specific BGP
>    security and reliability related best practices as of the time of
>    publication.  It specifically does not cover other uses of BGP, e.g.,
>    in a datacenter context.
> 
>    While the recommendations in this document are, in general, best
>    practices, operators still need to carefully weigh individual
>    measures vs. their local network requirements before implementing
>    them.  Also, as with BCP194, best practices outlined in this document
>    may have changed since its publication.
> 
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-grow-bgpopsecupd/
> 
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-grow-bgpopsecupd-01.html
> 
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-grow-bgpopsecupd-01
> 
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
> 
> 
> _______________________________________________
> GROW mailing list
> GROW@ietf.org
> https://www.ietf.org/mailman/listinfo/grow

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tobias@fiebig.nl