Re: [Idr] Securing BGP sessions (Issue#41)

"Acee Lindem (acee)" <acee@cisco.com> Thu, 19 December 2019 01:05 UTC

From: "Acee Lindem (acee)" <acee@cisco.com>
To: Jeffrey Haas <jhaas@pfrc.org>, Mahesh Jethanandani <mjethanandani@gmail.com>
CC: "idr@ietf.org" <idr@ietf.org>
Date: Thu, 19 Dec 2019 01:05:00 +0000
Message-ID: <BBB18C8C-D8DA-4A32-A7E7-046A0DB1C2BB@cisco.com>
References: <D9C310C0-89C6-4CB5-80A2-98C274581E7F@gmail.com> <AAEA8BD6-0601-453A-B49E-1DC616F8C53B@puck.nether.net> <10BD8EDF-6881-4244-A406-0C75BA97695D@gmail.com> <20191217211907.GB4858@pfrc.org>
In-Reply-To: <20191217211907.GB4858@pfrc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/aLOlEtUMeiDenubtU9HiV9MsJvI>

Normally for routing protocols, authentication is a much stronger requirement than confidentiality. However, in this case IPsec is simply being used for transmission error detection. 
Thanks,
Acee

On 12/17/19, 2:59 PM, "Jeffrey Haas" <jhaas@pfrc.org> wrote:

    Mahesh,
    
    On Tue, Dec 10, 2019 at 05:21:40PM -0800, Mahesh Jethanandani wrote:
    > > On Dec 10, 2019, at 4:51 PM, Jared Mauch <jared@puck.nether.net> wrote:
    > > The other thing is most people just want transport integrity, not privacy.
    > 
    > Not securing the BGP session is certainly an option.
    
    What's intended here by Jared, I think, is that AH without ESP is fine.
    
    -- Jeff
    