Re: [Idr] WG adoption call for draft-abraitis-bgp-version-capability-08, to end September 25

Robert Raszuk <robert@raszuk.net> Tue, 10 January 2023 23:20 UTC

In-Reply-To: <A09C18C3-5038-4719-931B-2C86A3BCFF49@pfrc.org>
From: Robert Raszuk <robert@raszuk.net>
Date: Wed, 11 Jan 2023 00:20:08 +0100
Message-ID: <CAOj+MMFRKx5qHS5ZGaUcwwVMHB=sKnyxqP0F53XUeqhTR=tufA@mail.gmail.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: Donatas Abraitis <donatas.abraitis@hostinger.com>, Alvaro Retana <aretana.ietf@gmail.com>, "Jakob Heitz (jheitz)" <jheitz@cisco.com>, Bruno Decraene <bruno.decraene@orange.com>, IDR List <idr@ietf.org>, John Scudder <jgs@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/b9ywz1z64qAqqJ2U-VBcUp4qfCY>
Subject: Re: [Idr] WG adoption call for draft-abraitis-bgp-version-capability-08, to end September 25

Hi Jeff,

Very good points.

But I am not sure if they are really applicable here?

Keep in mind that we are talking about p2p BGP OPEN Msg between PE & CEs
(computes with lots of machines - bare metal or virtual). Moreover, what is
proposed is really informational with little to no bearing on operational
aspects of the subject BGP session.

So while I am all for making right, robust and secure protocol encoding
decisions, it seems that especially in BGP we have lots of other security
holes which, if exploited, could have a much bigger negative impact.

Regards,
R.

On Wed, Jan 11, 2023 at 12:11 AM Jeffrey Haas <jhaas@pfrc.org> wrote:

> Robert,
>
> Please note that the points I'm about to make are intended to more broadly
> discuss the URL issue and aren't saying you're making these recommendations.
>
> On Jan 10, 2023, at 5:47 PM, Robert Raszuk <robert@raszuk.net> wrote:
>
> I would like to just highlight one IMHO very cool property hidden in yr
> note ... If we would use URL to carry a pointer to the information the URL
> can be shortened to be a fixed length of a few characters which could be
> really easy to process and presented to users in a pretty uniform way
> across any receiver.
>
>
> Before we move forward with any specific shortened-URL proposal, it's
> likely we'll want to get comment from those with expertise in the security
> implications of shortened URLs.
>
> Certainly, many vendors maintain a domain name for shorter URLs for
> various contexts.  That's likely not the main concern.
>
> URL shortening services are probably a Very Bad Idea since they're in an
> entire vector of attacks on their own.
>
> (We also introduce all of the interesting headaches about interaction with
> the PKIX certificate infrastructure.  See my prior comments in the BGP
> autoconfiguration discussions if you're interested.)
>
> One possible mitigation for some of the attacks given the problem to be
> addressed is to permit an IANA registered prefix for the URI/URL.  This
> means rather than carrying a potentially long URL to a specific resource,
> you carry something like the Private Enterprise Number's[1] instance of
> your registered prefix and a suffix portion of the URL.  The rest of the
> data is contained in the structured data at the other side of the expanded
> URL.
>
> I'd encourage Donatas to continue the discussion on such structured data
> before we worry over-much about how to point to it in BGP. :-)
>
> -- Jeff
>
> [1] https://www.iana.org/assignments/enterprise-numbers/
>
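Jeff's PEN-prefix-plus-suffix idea, written out as an added example that is not part of this thread or of any draft: the wire layout (4-byte IANA Private Enterprise Number, 1-byte length, ASCII path suffix), the registry contents and the suffix grammar are all assumptions made here. The receiver expands the pointer only against a locally known registry and never through a third-party shortening or redirect service, and an unknown PEN is left unexpanded.

```python
import re
import struct

# Hypothetical receiver-side registry: IANA Private Enterprise Number (PEN) ->
# the URL prefix that enterprise registered. 32473 is the PEN reserved for
# documentation (RFC 5612); the prefix itself is constructed for this example.
REGISTERED_PREFIXES = {
    32473: "https://example.com/bgp/versions/",
}

# Constructed wire layout for the pointer value: 4-byte PEN, 1-byte suffix
# length, then an ASCII path suffix made of unreserved characters and "/".
# The pattern forbids a leading "/", a trailing "/" and empty segments ("//").
SUFFIX_RE = re.compile(r"[A-Za-z0-9._~-]+(?:/[A-Za-z0-9._~-]+)*")


def validate_suffix(suffix: str) -> str:
    """Reject anything that could alter the scheme, host or path of the prefix."""
    if len(suffix) > 255 or not SUFFIX_RE.fullmatch(suffix):
        raise ValueError("suffix has disallowed characters or length")
    if any(seg in (".", "..") for seg in suffix.split("/")):
        raise ValueError("dot segments not allowed in suffix")
    return suffix


def encode_pointer(pen: int, suffix: str) -> bytes:
    """Sender side: build the (PEN, suffix) pointer instead of a full URL."""
    if not 0 <= pen <= 0xFFFFFFFF:
        raise ValueError("PEN out of range")
    data = validate_suffix(suffix).encode("ascii")
    return struct.pack("!IB", pen, len(data)) + data


def decode_pointer(value: bytes) -> tuple:
    """Parse the wire value strictly: exact length, ASCII only, validated suffix."""
    if len(value) < 5:
        raise ValueError("value too short")
    pen, slen = struct.unpack("!IB", value[:5])
    if len(value) != 5 + slen:
        raise ValueError("suffix length does not match value length")
    return pen, validate_suffix(value[5:].decode("ascii"))


def expand_pointer(value: bytes, registry=REGISTERED_PREFIXES):
    """Receiver side: expand via the local registry only, never a redirector.

    Returns the expanded URL, or None when the PEN is unknown (the value is
    then treated as opaque and nothing is fetched)."""
    pen, suffix = decode_pointer(value)
    prefix = registry.get(pen)
    return None if prefix is None else prefix + suffix
```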