Re: [GROW] I-D Action: draft-ietf-grow-bgpopsecupd-01.txt
Tobias Fiebig <tobias@fiebig.nl> Fri, 26 January 2024 10:56 UTC
From: Tobias Fiebig <tobias@fiebig.nl>
Reply-To: tobias@fiebig.nl
To: grow@ietf.org
Date: Fri, 26 Jan 2024 11:56:30 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/7Fypt1Q65l0lHNUaAp58Nmrx--Q>

Moin,

after just importing the adopted draft last week, I now added all feedback I received since 117 to the document and submitted -01.

I would appreciate additional feedback on the new iteration of the draft either on the list, or directly as a ticket here:

https://github.com/ichdasich/draft-ietf-grow-bgpopsecupd/issues

Changes from -00 include:

# Changes:
- Clarified scope (excl. DC BGP)
- Addressed comments on TCP-AO
- Addressed comments on VRF confinement/OOB/IB for Control Plane Protection
- Contextualized iBGP TCP Auth
- Added note on using a VRF for IXP peerings
- Expanded on AS_PATH filtering/manipulation
- Added extended communities to scrubbing, added in/out scrubbing
- Expand attribute scrubbing, add attribute healing
- Included note on not using communities to signal validation state
- Clarified connection between ASPA and OTC
- Added note on filter Idempotency
- Added section on behavior at IXPs, incl. not using LOCAL_PREF and honoring GSHUT
- Explicitly reference issues with MED induced route oscillation
- Shortened abstract
- Fixed a logic-error in the reference to ASPA
- Set the document to obsolete RFC7545, if approved

# Nits:
- Fixed reference to working group
- Aligned some terms

The full diff can be found here:

https://github.com/ichdasich/draft-ietf-grow-bgpopsecupd/compare/draft-ietf-grow-bgpopsecupd-00...draft-ietf-grow-bgpopsecupd-01

With best regards,
Tobias

On Fri, 2024-01-26 at 02:51 -0800, internet-drafts@ietf.org wrote:
> Internet-Draft draft-ietf-grow-bgpopsecupd-01.txt is now available.
> It is a work item of the Global Routing Operations (GROW) WG of the IETF.
>
> Title: Updated BGP Operations and Security
> Author: Tobias Fiebig
> Name: draft-ietf-grow-bgpopsecupd-01.txt
> Pages: 55
> Dates: 2024-01-26
>
> Abstract:
>
> The Border Gateway Protocol (BGP) is the protocol almost exclusively
> used in the Internet to exchange routing information between network
> domains. Due to this central nature, it is important to understand
> the security and reliability measures that can and should be deployed
> to prevent accidental or intentional routing disturbances.
>
> Previously, security considerations for BGP have been described in
> RFC7454 / BCP194. Since the publications of RFC7454 / BCP194,
> several developments and changes in operational practice took place
> that warrant an update of these best current practices. This
> document replaces RFC7454 / BCP194, reiterating the best practices
> for BGP security from that document and adding new practices and
> recommendations that emerged since its publication.
>
> This document provides a comprehensive list of Internet specific BGP
> security and reliability related best practices as of the time of
> publication. It specifically does not cover other uses of BGP, e.g.,
> in a datacenter context.
>
> While the recommendations in this document are, in general, best
> practices, operators still need to carefully weigh individual
> measures vs. their local network requirements before implementing
> them. Also, as with BCP194, best practices outlined in this document
> may have changed since its publication.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-grow-bgpopsecupd/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-grow-bgpopsecupd-01.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-grow-bgpopsecupd-01
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tobias@fiebig.nl