[Idr] [Errata Held for Document Update] RFC4724 (6217)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 21 July 2020 14:40 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 478F23A09BC; Tue, 21 Jul 2020 07:40:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t_HZ6vjp9Te7; Tue, 21 Jul 2020 07:40:52 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 214083A09BA; Tue, 21 Jul 2020 07:40:52 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 63B81F4074D; Tue, 21 Jul 2020 07:40:38 -0700 (PDT)
To: nir.chako@CyberArk.com, rsrihari@cisco.com, enkechen@cisco.com, rex@juniper.net, jgs@juniper.net, yakov@juniper.net
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: aretana.ietf@gmail.com, iesg@ietf.org, idr@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20200721144038.63B81F4074D@rfc-editor.org>
Date: Tue, 21 Jul 2020 07:40:38 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/0N3I90594DrXbONITs3gUKrFfRc>
X-Mailman-Approved-At: Tue, 21 Jul 2020 08:11:15 -0700
Subject: [Idr] [Errata Held for Document Update] RFC4724 (6217)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 14:40:55 -0000

The following errata report has been held for document update 
for RFC4724, "Graceful Restart Mechanism for BGP". 

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6217

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: Nir Chako <nir.chako@CyberArk.com>
Date Reported: 2020-06-29
Held by: Alvaro Retana (IESG)

Section: 7

Original Text
-------------
Since with this proposal a new connection can cause an old one to be
terminated, it might seem to open the door to denial of service
attacks.  However, it is noted that unauthenticated BGP is already
known to be vulnerable to denials of service through attacks on the
TCP transport.  The TCP transport is commonly protected through use
of [BGP-AUTH].  Such authentication will equally protect against
denials of service through spurious new connections.

If an attacker is able to successfully open a TCP connection
impersonating a legitimate peer, the attacker's connection will
replace the legitimate one, potentially enabling the attacker to
advertise bogus routes.  We note, however, that the window for such a
route insertion attack is small since through normal operation of the
protocol the legitimate peer would open a new connection, in turn
causing the attacker's connection to be terminated.  Thus, this
attack devolves to a form of denial of service.

It is thus concluded that this proposal does not change the
underlying security model (and issues) of BGP-4.

We also note that implementations may allow use of graceful restart
to be controlled by configuration.  If graceful restart is not
enabled, naturally the underlying security model of BGP-4 is
unchanged.


Corrected Text
--------------
Since with this proposal a new connection can cause an old one to be
terminated, it might seem to open the door to denial of service
attacks.  However, it is noted that unauthenticated BGP is already
known to be vulnerable to denials of service through attacks on the
TCP transport.  The TCP transport is commonly protected through use
of [BGP-AUTH].  Such authentication will equally protect against
denials of service through spurious new connections.

If an attacker is able to successfully open a TCP connection
impersonating a legitimate peer, the attacker's connection will
replace the legitimate one, potentially enabling the attacker to
advertise bogus routes.  We note, however, that the window for such a
route insertion attack is small since through normal operation of the
protocol the legitimate peer would open a new connection, in turn
causing the attacker's connection to be terminated.  Thus, this
attack devolves to a form of denial of service.

However, it is possible to downgrade the session so it will be
devoided of capabilities via the NOTIFICATION message for OPEN
messages with an Unsupported Optional Parameter subcode.
RFC5492 specifies that if a peer receives this type of NOTIFICATION
message, it SHOULD try to re-establish the BGP connection without
capabilities and, among other things, reduce the use of Graceful
Restart Capability.
Therefore, in this situation, if the attacker is the first to
establish a BGP connection with the peer, he might secure his route
advertising position.
This time, the legitimate peer won't be able to open a new
connection and terminate the attacker's connection.
Thus, this attack devolves into a form of a man-in-the-middle attack.

It is thus concluded that this proposal does not change the
underlying security model (and issues) of BGP-4.

We also note that implementations may allow use of graceful restart
to be controlled by configuration.  If graceful restart is not
enabled, naturally the underlying security model of BGP-4 is
unchanged.


Notes
-----
The change in this section is the addition of a paragraph between paragraph 2 and paragraph 3 in the original section which describes an attack process where the attacker can gain a permanent grip on the connection

--------------------------------------
RFC4724 (draft-ietf-idr-restart-13)
--------------------------------------
Title               : Graceful Restart Mechanism for BGP
Publication Date    : January 2007
Author(s)           : S. Sangli, E. Chen, R. Fernando, J. Scudder, Y. Rekhter
Category            : PROPOSED STANDARD
Source              : Inter-Domain Routing
Area                : Routing
Stream              : IETF
Verifying Party     : IESG