Re: [Idr] Securing BGP sessions (Issue#41)

Mahesh Jethanandani <> Wed, 11 December 2019 01:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2347712008C for <>; Tue, 10 Dec 2019 17:21:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kcEz7utJ9IKT for <>; Tue, 10 Dec 2019 17:21:42 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D0538120059 for <>; Tue, 10 Dec 2019 17:21:42 -0800 (PST)
Received: by with SMTP id x185so907629pfc.5 for <>; Tue, 10 Dec 2019 17:21:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=3hCAC3Yikqj/dEZNUkM1yPsbYFSl3qvJt55IPf+/2Ps=; b=ZI33w59MyE8li8t10Q+wILPC2zzU/fPzzkiGZtHVsm0Tq76oKxwxR67hMLr6JlWz4N u7WgvMfyJDugeIi5E2UKvfGeYaLdCq3qt9Lg/HCf0hqZN2rjR4k1TQ4smwu64MVCpVkv us2cAZaOg+qpKvH8UgfLKp+eILKDa5d7mNIxQq1+LKgR2IXXMr1nBe3SMbCsnzORbJ9H ETFuCx8xJNpvEgMaE/U2PCn/vi08aOHcDN4TpKSA9r5GtypOU9E0hQHW0hJPK0m773zr q5LXb3sSvc5V2Bpd3+dT0rqk+L5B9iRQzu2MksxCFUtRGByjjU1dCciF2UWt7Z8bmvU6 pDTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=3hCAC3Yikqj/dEZNUkM1yPsbYFSl3qvJt55IPf+/2Ps=; b=jAH+sX/zc/SxdXPAAPCLgM65JWvaE4G70Rn95KxgtAMyjQw4/jORuZAV2ldoFy3kKG 4RlUXEI0g4KdSO18qk2biU3c3ltjjpfgzH3ys+GzbpnUiGHFeXszwED5j6Y+1drYllHj qiF+KQqIiTiKFGwzqGBBbRvpRca5Bf926lxq5WoGPmYatJkdO5LoFxLcBqpkKbtJU1gx J7EFFr4HnIhxIXBM/Wv9DKkGUSIchcffrRcg83fDGCDdwaf9FtenNrrnWkzbTi7sDWx3 a9eOJO27y87BWjL53fo374N3qxBec9a75sm+49hoxS/3Omzw5Eki0T9Y4lpNwfvt84JT WPzA==
X-Gm-Message-State: APjAAAXKAzLOei9S7eq3xoNt6cKKdckFe+Vu4A+k2S79qnzws4ss6OCA YpWHqmLRS/sPc6CAwe8JnQE=
X-Google-Smtp-Source: APXvYqwLiN8dxEoiEbK2gNJfIvSXfT3c60IvscUiBLw+CxdFpN+YnfIB0emoY52EOg52GVWaQYz/Mg==
X-Received: by 2002:a63:4d4c:: with SMTP id n12mr1247981pgl.212.1576027302258; Tue, 10 Dec 2019 17:21:42 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id v8sm278099pfn.76.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Dec 2019 17:21:41 -0800 (PST)
From: Mahesh Jethanandani <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_45C9BD35-C72A-4E61-9BA9-ACB9B5799C65"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Tue, 10 Dec 2019 17:21:40 -0800
In-Reply-To: <>
To: Jared Mauch <>
References: <> <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [Idr] Securing BGP sessions (Issue#41)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Dec 2019 01:21:45 -0000

> On Dec 10, 2019, at 4:51 PM, Jared Mauch <> wrote:
>> On Dec 10, 2019, at 7:34 PM, Mahesh Jethanandani <> wrote:
>> This is the second thread in the list of issues that were discussed in IETF 106 w.r.t. to BGP YANG model. This particular thread is to discuss the issue of defining how BGP sessions are going to be secured.
>> As stated in Singapore, the model is being defined to secure BGP sessions using 
>> - TCP AO
>> - TCP MD5
>> - IPSec
>> In case there was a question of why MD5, it is because there are existing implementations that are choosing to stay with MD5, regardless of the issues that have been raised about MD5. The model therefore has to support such implementations.
>> The model will use the ietf-key-chain model’s (RFC 8177) key-chain-ref to refer to an instance of the key chain. By doing that it will make use of the key rollover capability defined in that model, and for static key configuration by setting the end time to infinite in the key chain. The BGP model will leave the case of IPSec as TBD for now, and fill it when/if the IPSec YANG model is defined.
>> Questions/Concerns?
> Some comments here:
> I think of the above options the only two that are available are TCP-MD5 and IPSEC.  IPSEC doesn’t have use in the (public) internet space, but this doesn’t mean people don’t use it internally or elsewhere.. I just haven’t found any of these people in real life.
> TCP-AO seems like it’s viable but as I mentioned in one of the security area meetings at IETF-101, the current operational requirements are generally stability for 180-1800 days of a BGP session (or longer).  People hate it when their BGP sessions go down and their routes go away as a result so there’s a lot of steps necessary to upgrade both sides once they support something like TCP-AO.
> Also operators have a hard enough time keeping the static keys configured as they often outlast the lifetime of the engineer at the company and most key rotation systems (eg: IPSec on routers don’t often expose them in a way that survive device migrations, and key management/export are poor or non-existent, so people only use them internally vs externally facing …) don’t work well or require time sync in a way that if the fail will drop the TCP session and BGP goes down as well.
> The other thing is most people just want transport integrity, not privacy.

Not securing the BGP session is certainly an option.


> - Jared

Mahesh Jethanandani