Re: [GROW] Benjamin Kaduk's No Objection on draft-ietf-grow-bmp-adj-rib-out-07: (with COMMENT)
Paolo Lucente <paolo@ntt.net> Sat, 17 August 2019 17:10 UTC
Return-Path: <paolo@us.ntt.net>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26130120154; Sat, 17 Aug 2019 10:10:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gino365.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZHLKEgrRhrPm; Sat, 17 Aug 2019 10:10:46 -0700 (PDT)
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (mail-eopbgr690064.outbound.protection.outlook.com [40.107.69.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B439E120145; Sat, 17 Aug 2019 10:10:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DrXu7NywC4cVxFLpUBp0otrXRIx/Asf9LgThr5SIylpXk8Wvz9l0fnCMLbEP4S+ZComhg3l2sr4Y+g+Ca6VboytFcTy2NiNjeQIycQpozA/Mr9SMcgFYA3phh3qtpcuhj8dJN3kdMw063G8uR3qtuACrKB22D8DF12XvOD/jqTj/7u/eCdwwadOPnnsHJPdpUxBi1XKJO93zarFozftW5V/vfUgCm9HaKxWUuHosnoUeELIwI5yYXPZFPriKJWeoKCi6nBVydjLuOfhZNHyGMNLrtZ8QwJ59w3V+iXu/0nOW8SwYhLGN6PrvZ76QOHkyrXpwz9gBt3SNN4DdS+UsHg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pDUTO93wtUlHxdmVdhZ8AHY3a63RVw3D4kAFhlMSzPQ=; b=bTC+F7I7CT4DB02oMSKWGGMZNfOhaC9U6gvMSaBnaLndC1edZOeuAaHbk33ky3Vxj3/nXaSmSZ84CHhPrSTBiY34AMG25D6xmZP0c7Ec/VxjhGnah/xl9wZJrwPccrTtfmZ6QRq23rJWz3VhtY1bXlmHL0N0RVrKw0fktTayYLix8TYEHtQ+4YTe+lASButn0MXNhHAXtqSjGB90sjTQD0a5/ArWe/KJxtlSh0h0xUYeGuO69QaZrwbKhNaC5Pm+xDFVWDX/w50wP5pjjC5LUzFeu68FTEP+REyq7hNzSUIalqPRg1SwHa7UlWEdvirHd5MMfo7XppPx48af/AWsEw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=us.ntt.net; dmarc=pass action=none header.from=ntt.net; dkim=pass header.d=ntt.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gino365.onmicrosoft.com; s=selector2-gino365-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pDUTO93wtUlHxdmVdhZ8AHY3a63RVw3D4kAFhlMSzPQ=; b=ARwlU95p44vaSJFE8IBfNRX3XInJ8jLzr3UUumuH1zLo6zD5AemsoSCqD9bBCltFiklDTGDEYzEDu8CXyK0NfkhS1AvUiYlFr1h++ELgbBhHbAGcWuw7NRj3jE8w4/WnYEHtOJscDIbndUitePh3wV2+0Thlgbs44cNGczCevBk=
Received: from BYAPR06MB5974.namprd06.prod.outlook.com (20.179.158.79) by BYAPR06MB6199.namprd06.prod.outlook.com (20.178.233.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2178.16; Sat, 17 Aug 2019 17:10:44 +0000
Received: from BYAPR06MB5974.namprd06.prod.outlook.com ([fe80::251c:b83b:89ac:a60e]) by BYAPR06MB5974.namprd06.prod.outlook.com ([fe80::251c:b83b:89ac:a60e%7]) with mapi id 15.20.2178.016; Sat, 17 Aug 2019 17:10:44 +0000
From: Paolo Lucente <paolo@ntt.net>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-grow-bmp-adj-rib-out@ietf.org" <draft-ietf-grow-bmp-adj-rib-out@ietf.org>, Chris Morrow <morrowc@ops-netman.net>, "grow-chairs@ietf.org" <grow-chairs@ietf.org>, "grow@ietf.org" <grow@ietf.org>
Thread-Topic: Benjamin Kaduk's No Objection on draft-ietf-grow-bmp-adj-rib-out-07: (with COMMENT)
Thread-Index: AQHVU4uWgmqDyPotiUmv92CtN0lbVab/lkmA
Date: Sat, 17 Aug 2019 17:10:44 +0000
Message-ID: <1CE4D435-1157-47BB-8A2E-74F966874B0F@ntt.net>
References: <156588869905.15861.15288510098231754517.idtracker@ietfa.amsl.com>
In-Reply-To: <156588869905.15861.15288510098231754517.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: CP2PR80CA0016.lamprd80.prod.outlook.com (2603:10d6:101:3::26) To BYAPR06MB5974.namprd06.prod.outlook.com (2603:10b6:a03:15b::15)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=paolo@us.ntt.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: Apple Mail (2.3445.104.11)
x-originating-ip: [2804:7f3:888e:3281:800d:c8b2:6849:c9ac]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 51b67661-6f9a-44e9-0861-08d72335d70e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:BYAPR06MB6199;
x-ms-traffictypediagnostic: BYAPR06MB6199:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <BYAPR06MB6199BCD54E3D4A76C87F2A3390AE0@BYAPR06MB6199.namprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0132C558ED
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(39830400003)(366004)(136003)(346002)(396003)(189003)(199004)(2616005)(486006)(476003)(11346002)(446003)(46003)(5660300002)(4326008)(71190400001)(53546011)(71200400001)(6246003)(25786009)(966005)(57306001)(81156014)(14454004)(53936002)(36756003)(81166006)(8936002)(2171002)(50226002)(8676002)(508600001)(256004)(14444005)(33656002)(99286004)(66446008)(316002)(66476007)(64756008)(54906003)(305945005)(66946007)(7736002)(76176011)(66556008)(6436002)(6916009)(6506007)(186003)(6486002)(229853002)(6512007)(6306002)(2906002)(6116002)(102836004)(52116002)(386003); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR06MB6199; H:BYAPR06MB5974.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: us.ntt.net does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: mrea5TQ5GxKHmGCiaCFC5Lf1mAbSdXK6poBUg3VYjg5bmv127ezhY+0kR5KOMT0baRHfo0OdodURhr1Ez/HMsJ/ptOkm6OuX9zxJC5UM1YjgOhlEpDf2tB6prQOwOvY0LAWBRiy7B/4LhMYsE7XYoFUp5nCspGHhcEPtMe3SU3mh9Z8BJ7sOVJeN+rRGjZaVyuSeZDIeHfdAqzoQZvTG7tfnjv4B0gtnu2xJVBoEdxh3bqjbHDtVvtbaH+RzmMpaUYwMeSDQjXYPp+ceZnqRfVbfR/nz7VnmMtvSdYxdQCGjBbq3k2KEsmLAuh/wXBp/BF2ssU+zFhqUGPXRtN4yfpKqNhtVVif06449iP5MDDsot8LYxbBGf5xJkd/N6W3ok2FbXwV0FgMOjXEO5+9LfPD1v9FMRlgQWPmEz8EHnw4=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <69BD79FF51ECDB4C8AEC268D14323A02@namprd06.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ntt.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 51b67661-6f9a-44e9-0861-08d72335d70e
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Aug 2019 17:10:44.6243 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e65ee3d8-fd64-47ab-92bb-590b1c59945b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sMQOIRs/N4EmFp++G+6zIuxcceGlJKptFR+dm01M+KnSwM3MhT34i79OJjKUv7TAEKDKKfbgOpypNTWWUvDl3Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR06MB6199
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/kCpay1fQheSfqP7E_JZamp9iuyw>
Subject: Re: [GROW] Benjamin Kaduk's No Objection on draft-ietf-grow-bmp-adj-rib-out-07: (with COMMENT)
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Aug 2019 17:10:49 -0000
Hi Benjamin, Inline: > On 15 Aug 2019, at 19:04, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-grow-bmp-adj-rib-out-07: No Objection Thank you for the ’no objection’. > Section 1 > > An example of pre-policy verses post-policy is > when an inbound policy applies attribute modification or filters. > Pre-policy would contain information prior to the inbound policy > changes or filters of data. Post policy would convey the changed > data or would not contain the filtered data. > > I think we had some discussion relating to my question about policy > being used to inject new data, and even some suggested edits from Jeff, > but I couldn't find those in the -07. Perhaps I just missed them, though. I have now added the comment from Jeff as part of Other Considerations as per draft-ietf-grow-local-rib: https://github.com/paololucente/draft-ietf-grow-bmp-adj-rib-out/blob/master/draft-ietf-grow-bmp-adj-rib-out.txt#L373-#L377 Rationale being: in case of any changes, ie, policy being used to inject new data, the collector should be notified with a PEER DOWN/PEER UP sequence. I also provided some extra feedback as part of my last message, let me report it here for your conveniency: === To your point, i feel we are good, let me explain. Slightly before in the introduction we have: "The Adj-RIB-In post-policy conveys to a BMP receiver all RIB data after policy filters and/or modifications have been applied.” Which says _all_ RIB data (that is: new, changed or removed). Then, continuing, an example is given: “An example of pre-policy versus post-policy is when an inbound policy applies attribute modification or filters." Related to this we have the concluding sentence: “Post policy would convey the changed data or would not contain the filtered data.” Where “changed” does not refer to new/changed/removed RIB data but rather to modified by the policy. Having done some homeworks i feel i can also say: this paragraph was pretty much copy/pasted by rfc7854 :-) === > Section 8 > > I agree with the conclusion from discussions on Alvaro's point, that implementations > SHOULD only use this with trusted/authorized monitoring devices. But I think it's > the role of the security considerations to clarify why this is the case (i.e., that new > information would be made available otherwise), and not just provide a rule to be > blindly adhered to. Also here i feel we are good. If you see section 11 of RFCs7854 (Security Considerations), referenced in Security Considerations of this document, it pretty much already explains all the whys of: "Implementations of this protocol SHOULD require to establish sessions with authorized and trusted monitoring devices" For example it says: "This document defines a mechanism to obtain a full dump or provide continuous monitoring of a BGP speaker's BGP routes, including received BGP messages. This capability could allow an outside party to obtain information not otherwise obtainable.” I’d not know what else to add since imo the security problem statement is already pretty well formulated there. But i’m open to suggestions. Paolo
- [GROW] Benjamin Kaduk's No Objection on draft-iet… Benjamin Kaduk via Datatracker
- Re: [GROW] Benjamin Kaduk's No Objection on draft… Paolo Lucente