[GROW] Kathleen Moriarty's Discuss on draft-ietf-grow-bmp-15: (with DISCUSS)
"Kathleen Moriarty" <Kathleen.Moriarty.ietf@gmail.com> Wed, 14 October 2015 02:06 UTC
Return-Path: <Kathleen.Moriarty.ietf@gmail.com>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFBAC1ACEBF; Tue, 13 Oct 2015 19:06:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6RNz9jnCeohk; Tue, 13 Oct 2015 19:06:15 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 431321ACEB8; Tue, 13 Oct 2015 19:06:15 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.5.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20151014020615.21713.91137.idtracker@ietfa.amsl.com>
Date: Tue, 13 Oct 2015 19:06:15 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/grow/wfiSNKWQAjMZAIe2zOHP6IsInx8>
Cc: draft-ietf-grow-bmp.ad@ietf.org, grow-chairs@ietf.org, grow@ietf.org, draft-ietf-grow-bmp.shepherd@ietf.org, draft-ietf-grow-bmp@ietf.org
Subject: [GROW] Kathleen Moriarty's Discuss on draft-ietf-grow-bmp-15: (with DISCUSS)
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/grow/>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2015 02:06:16 -0000
Kathleen Moriarty has entered the following ballot position for draft-ietf-grow-bmp-15: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-grow-bmp/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- The statements on authenticated access and confidentiality are helpful, but this is a new protocol and should not start out with the security property levels of the current BGP deployments. Efforts have been made to publish RFCs to fix BGP security and the vulnerabilities have been published - even in the Washington Post. I'd like to see more security required for the properties mentioned to prevent active and passive attacks getting dumps of the BGP data, which was not previously available. If this is not possible per the suggestions below, please explain why. If there is a good reason, it would be helpful to remove the text that says its okay to leave security out because BGP isn't secure and just include the security considerations. Now for specifics: 1. In the Security considerations, it is not only a passive attacker, but also an active one that could gain access to the session if it is not encrypted (protected for confidentiality). An active attacker might change routes causing network disruption. A passive attacker might better understand the possible paths to an AS, assisting with a more effective DDoS attack. The latter point is important to consider in the first paragraph of this section that currently says, "although it's hard to consider the content of BGP routes in the public Internet to be confidential," I think this is a bit of an overstatement as the exact routes and paths are not published for each router and could be used for DoS attacks - for example taking out one or more paths to a network AS. What I am suggesting for #1 is a simple text change to address the fuller set of security considerations. Change from: Unless a transport that provides confidentiality is used, a passive attacker could gain access to BMP data in flight. To: Unless a transport that provides confidentiality is used, a passive or active attacker could gain access to or tamper the BMP data in flight. 2. The last paragraph would be the right place to require session encryption and authentication for sessions (unless there is a good explanation as to why this is not needed). If the transport may vary, then it's okay to leave IPsec as a suggestion. It would be nice if there was an MTI for transport, so the security protections could be consistent and interoperability would be easier between implementations. This also came up in the SecDir review. https://www.ietf.org/mail-archive/web/secdir/current/msg06011.html In any case, it would be good to discuss this and see if there are good reasons to leave it as-is or to change the text to improve security, preventing a few attack types.
- [GROW] Kathleen Moriarty's Discuss on draft-ietf-… Kathleen Moriarty
- Re: [GROW] Kathleen Moriarty's Discuss on draft-i… Brian Haberman
- Re: [GROW] Kathleen Moriarty's Discuss on draft-i… Brian Haberman
- Re: [GROW] Kathleen Moriarty's Discuss on draft-i… John Scudder
- Re: [GROW] Kathleen Moriarty's Discuss on draft-i… Brian Haberman