Re: [Idr] Securing BGP sessions (Issue#41)

Mahesh Jethanandani <mjethanandani@gmail.com> Wed, 11 December 2019 01:18 UTC

From: Mahesh Jethanandani <mjethanandani@gmail.com>
In-Reply-To: <68B00DBF-3590-4ECE-8028-301643B9E49E@cisco.com>
Date: Tue, 10 Dec 2019 17:18:48 -0800
Cc: "idr@ietf.org" <idr@ietf.org>
Message-Id: <91B63CF9-B92B-4D14-98CA-EBC865999B08@gmail.com>
References: <D9C310C0-89C6-4CB5-80A2-98C274581E7F@gmail.com> <68B00DBF-3590-4ECE-8028-301643B9E49E@cisco.com>
To: "Acee Lindem (acee)" <acee@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/ZE61tM_OHh4OpK3scOm10ET5zGY>
Subject: Re: [Idr] Securing BGP sessions (Issue#41)

Hi Acee,

> On Dec 10, 2019, at 5:10 PM, Acee Lindem (acee) <acee@cisco.com> wrote:
> 
> Hi Mahesh, 
> I assume by IPsec, you mean transport mode IPsec.

Yes. The assumption is that the underlying transport is secured using IPsec, and the model provides (if needed) the key parameters needed to kick off IKE to set up the SA in IPsec.

HTH.

> For IPsec protection of BGP, where are the details specified? 
> Thanks,
> Acee
> 
> On 12/10/19, 7:35 PM, "Idr on behalf of Mahesh Jethanandani" <idr-bounces@ietf.org on behalf of mjethanandani@gmail.com> wrote:
> 
>    This is the second thread in the list of issues that were discussed in IETF 106 w.r.t. the BGP YANG model. This particular thread is to discuss the issue of defining how BGP sessions are going to be secured.
> 
>    As stated in Singapore, the model is being defined to secure BGP sessions using 
>    - TCP AO
>    - TCP MD5
>    - IPsec
> 
>    In case there was a question of why MD5, it is because there are existing implementations that are choosing to stay with MD5, regardless of the issues that have been raised about MD5. The model therefore has to support such implementations.
> 
>    The model will use the ietf-key-chain model’s (RFC 8177) key-chain-ref to refer to an instance of the key chain. By doing that it will make use of the key rollover capability defined in that model, and for static key configuration by setting the end time to infinite in the key chain. The BGP model will leave the case of IPsec as TBD for now, and fill it in when/if the IPsec YANG model is defined.
> 
>    Questions/Concerns?
> 
>    Mahesh Jethanandani
>    mjethanandani@gmail.com
> 

Mahesh Jethanandani
mjethanandani@gmail.com
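Added example (mine, not code from this thread, the BGP YANG model or the ietf-key-chain module): a small reader for an ietf-key-chain (RFC 8177) instance that reports which keys of a named key chain are active for sending at a given instant, covering both the rollover case and the static key with an infinite end time that the quoted proposal relies on. The element names follow RFC 8177 as I read it, the chain name, dates and algorithms are constructed, and the chain is looked up by name because that is what a key-chain-ref leafref resolves to.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"kc": "urn:ietf:params:xml:ns:yang:ietf-key-chain"}

# Constructed instance data (key-string omitted): key 1 rolls over to key 2 on
# 2020-01-01; key 2 is the thread's "static" key, given an infinite end time.
KEY_CHAIN_XML = """<key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain">
 <key-chain><name>bgp-peer-as64500</name>
  <key><key-id>1</key-id>
   <lifetime><send-accept-lifetime><start-date-time>2019-12-01T00:00:00Z</start-date-time>
    <end-date-time>2020-01-01T00:00:00Z</end-date-time></send-accept-lifetime></lifetime>
   <crypto-algorithm>md5</crypto-algorithm>
  </key>
  <key><key-id>2</key-id>
   <lifetime><send-accept-lifetime><start-date-time>2020-01-01T00:00:00Z</start-date-time>
    <infinite/></send-accept-lifetime></lifetime>
   <crypto-algorithm>hmac-sha-256</crypto-algorithm>
  </key>
 </key-chain>
</key-chains>"""

def _ts(text):  # yang:date-and-time -> aware datetime; None passes through
    return None if text is None else datetime.fromisoformat(text.replace("Z", "+00:00"))

def lifetime_window(lt):
    # (start, end) of one lifetime container; None means unbounded on that side
    if lt is None or lt.find("kc:always", NS) is not None:
        return None, None  # YANG default case "always"
    start = _ts(lt.findtext("kc:start-date-time", namespaces=NS))
    end = _ts(lt.findtext("kc:end-date-time", namespaces=NS))
    duration = lt.findtext("kc:duration", namespaces=NS)
    if end is None and duration is not None and start is not None:
        end = start + timedelta(seconds=int(duration))
    return start, end  # end stays None for <infinite/>, the static-key case

def active_send_keys(xml_text, chain_name, now_iso):
    # Sorted key-ids in chain_name whose send lifetime covers now_iso.
    now, active = _ts(now_iso), []
    for chain in ET.fromstring(xml_text).findall("kc:key-chain", NS):
        if chain.findtext("kc:name", namespaces=NS) != chain_name:
            continue
        for key in chain.findall("kc:key", NS):
            win = key.find("kc:lifetime/kc:send-lifetime", NS)  # independent case
            if win is None:  # otherwise the shared send-accept lifetime, if any
                win = key.find("kc:lifetime/kc:send-accept-lifetime", NS)
            start, end = lifetime_window(win)
            if (start is None or start <= now) and (end is None or now < end):
                active.append(int(key.findtext("kc:key-id", namespaces=NS)))
    return sorted(active)
```

If more than one key is active at once the function returns all of them; which one a sender actually uses is left to the implementation, and accept-side tolerance is not modelled here.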