[Idr] Closed - One week review for Security Section of draft-ietf-idr-rfc4360-bis-07 (06-04-2026 - 06-11-2026)

Keyur Patel <keyur@arrcus.com> Fri, 12 June 2026 17:49 UTC

From: Keyur Patel <keyur@arrcus.com>
To: Keyur Patel <keyur=40arrcus.com@dmarc.ietf.org>, Nat Kao <pyxislx@gmail.com>, Ketan Talaulikar <ketant.ietf@gmail.com>
Date: Fri, 12 Jun 2026 17:49:27 +0000
CC: "draft-ietf-idr-rfc4360-bis@ietf.org" <draft-ietf-idr-rfc4360-bis@ietf.org>, "srihari.sangli@hpe.com" <srihari.sangli@hpe.com>, "idr@ietf. org" <idr@ietf.org>, "grow@ietf.org" <grow@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Subject: [Idr] Closed - One week review for Security Section of draft-ietf-idr-rfc4360-bis-07 (06-04-2026 - 06-11-2026)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/7npA0zUIXrqnku8yq0t64Oh6TiI>

Hi Folks,

This review call for Security Section of draft-ietf-idr-rfc4360-bis-07 is now closed. Draft version -08 seems to have incorporated review comments received so far.

Best Regards,
Keyur

From: Keyur Patel <keyur=40arrcus.com@dmarc.ietf.org>
Date: Thursday, June 4, 2026 at 4:18 PM
To: Nat Kao <pyxislx@gmail.com>; Ketan Talaulikar <ketant.ietf@gmail.com>
Cc: draft-ietf-idr-rfc4360-bis@ietf.org <draft-ietf-idr-rfc4360-bis@ietf.org>; srihari.sangli@hpe.com <srihari.sangli@hpe.com>; idr@ietf. org <idr@ietf.org>
Subject: [Idr] One week review for Security Section of draft-ietf-idr-rfc4360-bis-07 (06-04-2026 - 06-11-2026)

Hi Folks,

The security consideration section of draft-ietf-idr-rfc4360-bis-07 has changed significantly as part of our AD review and chairs wanted to ensure that working group members had a chance to review it. The GitHub PR is at https://github.com/ietf-wg-idr/draft-ietf-idr-rfc4360-bis/pull/58 where you can find the updated draft text for the Security section.

Please review and send your comments to the mailing list by June 11 2026.

Best Regards,
Keyur

Suggested Text from authors:

9.  Security Considerations

   The BGP Extended Communities provide a general mechanism for labeling
   BGP routes and thus share security considerations similar to BGP
   Communities [RFC1997] and BGP Large Communities [RFC8092].

   Additionally, extended communities are used in several specialized
   ways to implement or augment other BGP signaling mechanisms.  For
   example, the route-target extended community, defined in this
   document, is used to signal Layer 3 VPN membership.

   Since any intermediate AS in the path may have added, deleted, or
   altered the BGP Extended Communities attribute, an AS relying on such
   an attribute carried in the BGP Update message must have trust in
   every other AS in the path.  Specifying the mechanism to provide such
   trust is beyond the scope of this document.

   The BGP Extended Communities attribute itself does not protect the
   integrity of each extended community value.  The operator should be
   aware that any BGP speaker along the path can alter the attribute
   without notice.  Protecting the integrity of the handling of BGP
   Extended Communities attribute in a manner consistent with the intent
   of expressed BGP routing policies falls within the broader scope of
   securing BGP and is therefore not addressed here.

   To prevent information leakage or privacy breach across different
   administrative domains, proper filtering of the extended communities
   should always be exercised:

   *  Operators should filter transitive and non-transitive extended
      communities at the boundary of different administrative domains on
      both transmission and reception using appropriate routing
      policies, since this prevents extended communities outside the
      administrative domain from interacting inappropriately with the
      operator's network.

   *  Implementations should provide policy mechanisms to filter
      extended communities based on type, and possibly sub-type, to
      permit filtering the entire class of extended communities.
      Implementations may also provide the flexibility to match or
      inverse-match a set of extended communities for building permit/
      deny lists.

   *  Implementations that understand the internal format of a defined
      extended community should provide per-community match capability.
      Implementations that don't understand the internal format may
      match against the value field opaquely.

   *  Implementations should provide mechanisms to strip all extended
      communities at the boundary of administrative domains.
      Implementations may strip all extended communities by default
      while providing knobs to modify the default behavior.
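
An added illustration of the boundary filtering described in the suggested text above (not part of the draft, the PR, or any BGP implementation): a default-strip policy with permit/deny rules matching on type, optional sub-type, and an opaque value. The names `ExtCommunity`, `Rule` and `filter_at_boundary` and the sample bytes are constructed for this example; it assumes every entry uses the 8-octet encoding with the second octet as sub-type.

```python
from typing import NamedTuple, Optional

NON_TRANSITIVE_BIT = 0x40  # T bit in the high-order type octet (RFC 4360)

class ExtCommunity(NamedTuple):
    type: int      # high-order type octet
    subtype: int   # low-order type octet (sub-type)
    value: bytes   # 6-octet value field, never interpreted here

    @property
    def transitive(self) -> bool:
        return not (self.type & NON_TRANSITIVE_BIT)

class Rule(NamedTuple):
    type: int
    subtype: Optional[int] = None  # None matches the entire type class
    value: Optional[bytes] = None  # None matches any value; else opaque compare

    def matches(self, c: ExtCommunity) -> bool:
        return (c.type == self.type
                and self.subtype in (None, c.subtype)
                and self.value in (None, c.value))

def parse_attribute(data: bytes) -> list:
    """Split an Extended Communities attribute value into 8-octet entries."""
    if len(data) % 8:
        raise ValueError("attribute length is not a multiple of 8 octets")
    return [ExtCommunity(data[i], data[i + 1], data[i + 2:i + 8])
            for i in range(0, len(data), 8)]

def filter_at_boundary(comms, permit=(), deny=()):
    """Strip by default: keep an entry only if permitted and not denied."""
    return [c for c in comms
            if any(r.matches(c) for r in permit)
            and not any(r.matches(c) for r in deny)]

def encode(comms) -> bytes:
    return b"".join(bytes([c.type, c.subtype]) + c.value for c in comms)

# Constructed sample attribute value (four entries, not from a real capture).
SAMPLE = bytes.fromhex(
    "0002fc0000000064"   # transitive two-octet AS, sub-type 0x02 (route target)
    "0003fc00000000c8"   # transitive two-octet AS, sub-type 0x03 (route origin)
    "4004fc0000000000"   # non-transitive two-octet AS, sub-type 0x04
    "030c000000000008")  # transitive opaque, sub-type 0x0c
```

With no permit rules the function removes every entry, transitive or not, which is the strip-all default the last bullet allows; the same function can be applied on both reception and transmission.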

