Re: [GROW] I-D Action: draft-ietf-grow-bgpopsecupd-01.txt

Tobias Fiebig <tobias@fiebig.nl> Mon, 04 March 2024 12:19 UTC

Moin,
> I'm curious where the recommendation to scrub all inbound and
> outbound extended BGP communities comes from. This advice seems
> overly strict to me.

Additional feedback from a discussion during RIPE87; the basic reasoning
is 'while we are at it', i.e., it is indeed intended to be rather overly
strict (with the general "local considerations may overrule this"
provision that exists throughout the document).

> As you wrote, not setting a higher LOCAL_PREF for routes received
> over IXPs goes against common business practice. Also, it is not
> really security-related advice. I don't think it belongs in this
> document.

I would disagree based on two points:

- The scope of the document explicitly also considers 'reliability',
  not only 'direct' security.
- Explicitly stating this has been the single most requested change
  throughout a variety of channels, in person, and operator groups.

Also, from a more security-related perspective, setting a higher pref
and not resetting it based on GSHUT makes DDoS prevention more
challenging if you want to steer traffic via other paths (of course, you
can always withdraw the path). Then again, though, the document aims
at 'best practices', i.e., technically ideal, and not a documentation
of current business practices.

With best regards,
Tobias

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tobias@fiebig.nl
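As an added illustration of the GSHUT point in the mail above (this is not code from the draft or from the thread): a small Python model of an import policy that prefers IXP-learned routes, with and without resetting LOCAL_PREF when the well-known GRACEFUL_SHUTDOWN community 65535:0 (RFC 8326) is present. The sample routes and the LOCAL_PREF values 200/100 are constructed assumptions.

```python
"""Toy model of a BGP import policy: IXP preference vs. GRACEFUL_SHUTDOWN.

Added example, not part of draft-ietf-grow-bgpopsecupd or the list thread.
The routes below are constructed; LOCAL_PREF 200 (IXP) and 100 (transit)
are assumed values. 65535:0 is the well-known GRACEFUL_SHUTDOWN community
defined in RFC 8326.
"""
from dataclasses import dataclass, field

GRACEFUL_SHUTDOWN = (65535, 0)  # RFC 8326 well-known community


@dataclass
class Route:
    prefix: str
    neighbor: str
    session_type: str                       # "ixp" or "transit"
    as_path: list[int]
    communities: set[tuple[int, int]] = field(default_factory=set)
    local_pref: int = 100


def import_policy(route: Route, honor_gshut: bool) -> Route:
    """Return a copy of the route with LOCAL_PREF set by the import policy.

    Common business practice: prefer peering over transit (higher pref for
    IXP sessions). With honor_gshut=True the GSHUT community overrides that
    preference (RFC 8326 recommends LOCAL_PREF 0), so traffic drains to the
    other path while the neighbor is still announcing the prefix.
    """
    pref = 200 if route.session_type == "ixp" else 100  # assumed values
    if honor_gshut and GRACEFUL_SHUTDOWN in route.communities:
        pref = 0
    return Route(route.prefix, route.neighbor, route.session_type,
                 list(route.as_path), set(route.communities), pref)


def best_path(candidates: list[Route]) -> Route:
    """Simplified best-path selection: highest LOCAL_PREF, then shortest AS_PATH."""
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def select(routes: list[Route], honor_gshut: bool) -> str:
    """Name of the neighbor whose route wins after applying the import policy."""
    return best_path([import_policy(r, honor_gshut) for r in routes]).neighbor


# Constructed sample: the same prefix from an IXP peer that tagged GSHUT and from transit.
SAMPLE = [
    Route("192.0.2.0/24", "ixp-peer", "ixp", [64496], {GRACEFUL_SHUTDOWN}),
    Route("192.0.2.0/24", "transit", "transit", [64497, 64496]),
]

if __name__ == "__main__":
    print("GSHUT ignored:", select(SAMPLE, honor_gshut=False))  # ixp-peer keeps the traffic
    print("GSHUT honored:", select(SAMPLE, honor_gshut=True))   # transit
```

With the IXP preference left in place and GSHUT ignored, the peer's path keeps carrying traffic until it is actually withdrawn; honoring GSHUT moves it to transit beforehand.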