Re: [Idr] Securing BGP sessions (Issue#41)

"Acee Lindem (acee)" <acee@cisco.com> Wed, 11 December 2019 01:29 UTC

From: "Acee Lindem (acee)" <acee@cisco.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
CC: "idr@ietf.org" <idr@ietf.org>
Date: Wed, 11 Dec 2019 01:29:17 +0000
Message-ID: <A8395DB8-6D10-46A1-99A1-DFFB9B2CBD9D@cisco.com>
References: <D9C310C0-89C6-4CB5-80A2-98C274581E7F@gmail.com> <68B00DBF-3590-4ECE-8028-301643B9E49E@cisco.com> <91B63CF9-B92B-4D14-98CA-EBC865999B08@gmail.com>
In-Reply-To: <91B63CF9-B92B-4D14-98CA-EBC865999B08@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/SJL8yQqQBeVCC3hdU3pGaXvBGqg>
Subject: Re: [Idr] Securing BGP sessions (Issue#41)

Hi Mahesh, 

On 12/10/19, 8:19 PM, "Mahesh Jethanandani" <mjethanandani@gmail.com> wrote:

    Hi Acee,
    
    > On Dec 10, 2019, at 5:10 PM, Acee Lindem (acee) <acee@cisco.com> wrote:
    > 
    > Hi Mahesh, 
    > I assume by IPsec, you mean transport mode IPsec.
    
    Yes. The assumption is that the underlying transport is secured using IPsec, and the model provides (if needed) key parameters needed to kick off the IKE to setup the SA in IPsec.
    
    HTH.

Well, it doesn't help at all.... Normally, the usage of IPsec (AH, ESP, algorithms, key exchange, etc.) would be specified in some document. For example, IPsec usage by OSPFv3 is specified in RFC 4552. Granted, it is a lot simpler for BGP than OSPFv3 since BGP is strictly P2P, but a specification would still seem to be necessary. 

Thanks,
Acee

    
    > For IPsec protection of BGP, where are the details specified? 
    > Thanks,
    > Acee
    > 
    > On 12/10/19, 7:35 PM, "Idr on behalf of Mahesh Jethanandani" <idr-bounces@ietf.org on behalf of mjethanandani@gmail.com> wrote:
    > 
    >    This is the second thread in the list of issues that were discussed in IETF 106 w.r.t. the BGP YANG model. This particular thread is to discuss the issue of defining how BGP sessions are going to be secured.
    > 
    >    As stated in Singapore, the model is being defined to secure BGP sessions using 
    >    - TCP AO
    >    - TCP MD5
    >    - IPSec
    > 
    >    In case there was a question of why MD5, it is because there are existing implementations that are choosing to stay with MD5, regardless of the issues that have been raised about MD5. The model therefore has to support such implementations.
    > 
    >    The model will use the ietf-key-chain model’s (RFC 8177) key-chain-ref to refer to an instance of the key chain. By doing that it will make use of the key rollover capability defined in that model, and for static key configuration by setting the end time to infinite in the key chain. The BGP model will leave the case of IPSec as TBD for now, and fill it in when/if the IPSec YANG model is defined.
    > 
    >    Questions/Concerns?
    > 
    >    Mahesh Jethanandani
    >    mjethanandani@gmail.com
    > 
    > 
    > 
    >    _______________________________________________
    >    Idr mailing list
    >    Idr@ietf.org
    >    https://www.ietf.org/mailman/listinfo/idr
    > 
    > 
    
    Mahesh Jethanandani
    mjethanandani@gmail.com
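The quoted proposal relies on two properties of the RFC 8177 key-chain model: time-bounded keys give rollover, and a key whose end time is infinite gives the static-key case; the same post also notes that some implementations stay with TCP MD5. The script below, an added example that is not code from this thread, from the BGP YANG draft or from RFC 8177, shows what a BGP implementation referencing a key chain would have to evaluate: given a constructed JSON instance of ietf-key-chain, it computes which keys are active at a given instant (handling `always`, `end-date-time`, `duration` and `no-end-time`), picks the key to send with, and flags MD5 keys. Leaf names follow RFC 8177 as the example's author understands them and should be checked against the published YANG; the policy for choosing among overlapping keys (most recently started wins, lowest key-id on ties) is this example's own assumption, not something the model mandates.

```python
"""Evaluate an RFC 8177 (ietf-key-chain) key chain the way a BGP session
referencing it via key-chain-ref would: which keys are valid now, which one
to send with, and whether any key uses MD5.

Added example, not code from the IDR thread, the BGP YANG draft or RFC 8177.
Instance data is constructed; leaf names are assumed to match RFC 8177;
the send-key selection policy is this example's own assumption.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed instance data in the JSON encoding of ietf-key-chain.
# YANG "empty" leaves (always, no-end-time) are encoded as [null].
KEY_CHAINS_JSON = """
{
  "ietf-key-chain:key-chains": {
    "key-chain": [
      {
        "name": "bgp-peer-rolling",
        "key": [
          {"key-id": 1,
           "lifetime": {"send-accept-lifetime": {
             "start-date-time": "2019-01-01T00:00:00Z",
             "end-date-time": "2019-12-01T00:00:00Z"}},
           "crypto-algorithm": "hmac-sha-256",
           "key-string": {"keystring": "CONSTRUCTED-KEY-1"}},
          {"key-id": 2,
           "lifetime": {"send-accept-lifetime": {
             "start-date-time": "2019-11-01T00:00:00Z",
             "end-date-time": "2020-01-01T00:00:00Z"}},
           "crypto-algorithm": "hmac-sha-256",
           "key-string": {"keystring": "CONSTRUCTED-KEY-2"}},
          {"key-id": 3,
           "lifetime": {"send-accept-lifetime": {
             "start-date-time": "2020-01-01T00:00:00Z",
             "no-end-time": [null]}},
           "crypto-algorithm": "hmac-sha-256",
           "key-string": {"keystring": "CONSTRUCTED-KEY-3"}}
        ]
      },
      {
        "name": "bgp-peer-static-md5",
        "key": [
          {"key-id": 1,
           "lifetime": {"send-accept-lifetime": {"always": [null]}},
           "crypto-algorithm": "md5",
           "key-string": {"keystring": "CONSTRUCTED-STATIC-KEY"}}
        ]
      }
    ]
  }
}
"""

# Algorithm identities treated as weak; "md5" is the one the thread
# discusses, the set is this example's choice.
WEAK_ALGORITHMS = {"md5"}


def parse_ts(text):
    """Parse a yang:date-and-time value; fromisoformat needs +00:00, not Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def lifetime_covers(lifetime, now):
    """True if a send-accept-lifetime container is valid at `now`.

    An absent container or "always" means the key never expires (the
    model's default); "no-end-time" (the default end choice) is the
    static-key case the thread describes as an infinite end time.
    """
    if not lifetime or "always" in lifetime:
        return True
    start = parse_ts(lifetime["start-date-time"])
    if now < start:
        return False
    if "end-date-time" in lifetime:
        return now < parse_ts(lifetime["end-date-time"])
    if "duration" in lifetime:
        return now < start + timedelta(seconds=int(lifetime["duration"]))
    return True  # no-end-time


def load_key_chains(text):
    """Return {name: key-chain dict} from an ietf-key-chain JSON instance."""
    doc = json.loads(text)
    return {kc["name"]: kc for kc in doc["ietf-key-chain:key-chains"]["key-chain"]}


def _lifetime_of(key):
    return key.get("lifetime", {}).get("send-accept-lifetime", {})


def active_key_ids(key_chain, now):
    """Key ids whose lifetime covers `now`, in configuration order."""
    return [k["key-id"] for k in key_chain.get("key", []) if lifetime_covers(_lifetime_of(k), now)]


def select_send_key(key_chain, now):
    """Assumed policy: most recently started active key; lowest key-id on ties."""
    candidates = [k for k in key_chain.get("key", []) if lifetime_covers(_lifetime_of(k), now)]
    if not candidates:
        return None

    def start_of(key):
        lt = _lifetime_of(key)
        return parse_ts(lt["start-date-time"]) if "start-date-time" in lt else datetime.min.replace(tzinfo=timezone.utc)

    return max(candidates, key=lambda k: (start_of(k), -k["key-id"]))["key-id"]


def lint_key_chain(key_chain):
    """Findings for keys whose crypto-algorithm is in WEAK_ALGORITHMS."""
    return [f"{key_chain['name']} key-id {k['key-id']}: weak algorithm {k.get('crypto-algorithm')}"
            for k in key_chain.get("key", []) if k.get("crypto-algorithm") in WEAK_ALGORITHMS]


if __name__ == "__main__":
    chains = load_key_chains(KEY_CHAINS_JSON)
    now = parse_ts("2019-12-10T20:00:00Z")
    for name, kc in chains.items():
        print(name, "active:", active_key_ids(kc, now), "send:", select_send_key(kc, now))
        for finding in lint_key_chain(kc):
            print("  WARNING", finding)
```

Run at the thread's date (10 December 2019) the rolling chain reports key 2 as the only active key, key 1 having expired and key 3 not yet started; the static MD5 chain is always active and produces one warning. The overlap between keys 1 and 2 in November is the rollover window RFC 8177 provides, and which of the overlapping keys to send with is exactly the point a BGP model referencing the chain would need to pin down or inherit.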