[Idr] Securing BGP sessions (Issue#41)

Mahesh Jethanandani <mjethanandani@gmail.com> Wed, 11 December 2019 00:34 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/moL_SGXtEyLCYFwWsw7pSrQeHpQ>

This is the second thread in the list of issues that were discussed in IETF 106 w.r.t. the BGP YANG model. This particular thread is to discuss the issue of defining how BGP sessions are going to be secured.

As stated in Singapore, the model is being defined to secure BGP sessions using:
- TCP-AO
- TCP MD5
- IPsec

In case there was a question of why MD5, it is because there are existing implementations that are choosing to stay with MD5, regardless of the issues that have been raised about MD5. The model therefore has to support such implementations.

The model will use the ietf-key-chain model’s (RFC 8177) key-chain-ref to refer to an instance of the key chain. By doing that, it will make use of the key rollover capability defined in that model, and allow for static key configuration by setting the end time to infinite in the key chain. The BGP model will leave the case of IPsec as TBD for now, and fill it in when/if the IPsec YANG model is defined.

Questions/Concerns?

Mahesh Jethanandani
mjethanandani@gmail.com
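
The key-chain behaviour described in the message above, as an added example that is not part of the original post or of the BGP YANG model: it evaluates key lifetimes for a rollover chain and for a static key whose end time is infinite. The chain names, dates and dictionary layout are constructed, loosely mirroring the RFC 8177 lifetime leaves, and the rule of preferring the key with the most recent start time is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the lifetime leaves of ietf-key-chain
# (RFC 8177). Chain names, key ids and dates are made up for this example.
KEY_CHAINS = {
    "bgp-rollover": [
        {"key-id": 1, "lifetime": {"start-date-time": "2020-01-01T00:00:00Z",
                                   "end-date-time": "2020-07-01T00:00:00Z"}},
        {"key-id": 2, "lifetime": {"start-date-time": "2020-06-24T00:00:00Z",
                                   "end-date-time": "2021-01-01T00:00:00Z"}},
    ],
    # Static key: a single entry whose lifetime never ends.
    "bgp-static": [
        {"key-id": 1, "lifetime": {"start-date-time": "2020-01-01T00:00:00Z",
                                   "no-end-time": True}},
    ],
}
EPOCH = datetime.min.replace(tzinfo=timezone.utc)

def parse_time(text):
    """Parse the UTC 'Z' form of yang:date-and-time used in the sample."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def start_of(lifetime):
    start = lifetime.get("start-date-time")
    return parse_time(start) if start else EPOCH

def is_active(lifetime, now):
    """True if `now` falls inside the key's lifetime."""
    if lifetime.get("always"):
        return True
    if now < start_of(lifetime):
        return False
    if lifetime.get("no-end-time"):
        return True
    if "duration" in lifetime:  # seconds after start-date-time
        return now < start_of(lifetime) + timedelta(seconds=lifetime["duration"])
    end = lifetime.get("end-date-time")
    return end is not None and now < parse_time(end)

def select_send_key(chain, now):
    """Return the key-id to sign with, or None if no key is valid at `now`.

    Assumed policy: among active keys, prefer the most recent start time.
    """
    active = [k for k in chain if is_active(k["lifetime"], now)]
    if not active:
        return None  # gap in the chain: segments cannot be authenticated
    return max(active, key=lambda k: start_of(k["lifetime"]))["key-id"]
```

A `None` result marks a window in which the chain has no valid key, which is the condition to check for before deploying a rollover schedule.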