Re: [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30

Susan Hares <shares@ndzh.com> Tue, 09 April 2024 23:30 UTC

From: Susan Hares <shares@ndzh.com>
To: Kaliraj Vairavakkalai <kaliraj@juniper.net>, Magnus Nyström <magnusn@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-idr-bgp-ct.all@ietf.org" <draft-ietf-idr-bgp-ct.all@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Date: Tue, 09 Apr 2024 23:30:12 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/ngF3LVLGaMLsBaO2RTTJyeTStfY>

Magnus:

As shepherd of the draft-ietf-idr-bgp-ct draft, I need additional information about your review. Would you help me by answering three questions?

For these questions, imagine a series of networks cooperating to get traffic between either: a) two data centers or b) between data centers and user phones.

Thank you, Sue Hares

Question 1:  What are you assuming is involved in BGPsec solutions?

The text in draft-ietf-idr-bgp-ct-30 states in the security section:

"To mitigate any risk of manipulating the routing information carried
within a new SAFI, BGP origin validation [RFC6811] and BGPsec [RFC8205]
MAY be used as means to increase assurance that the information
has not been falsified."

AND

"In order to mitigate the risk of the diversion of traffic from its intended destination,
existing BGPsec solutions could be extended and supported for this SAFI."

This points to basic protocols plus solutions augmented to support this for the
BGP Updates with the AFI/SAFIs that include the CT SAFI.

Are you taking "BGPsec solutions" to mean:

  1.  implementations are being extended to work with the CT AFI/SAFI, or
  2.  additional IETF protocols for BGPsec that include additional features?

My understanding is that "BGPsec solutions" in the CT document is adding BGPsec protocol + Origin validation to implementations supporting CT.

Question 2: Are you familiar with the potential additions to BGPsec and Origin Validation?

One could secure other attributes that do not change between routers within the BGP Update packet.  These attributes could be secured separately from the BGP Path attribute.   The benefit of securing such things as the "BGP Tunnel Encapsulation Attribute" may aid in securing the distribution of tunnel endpoints within a domain containing multiple AS within a network.

One could register locally Origin validation specific to the transport addresses used by CAR and CT.

Question 3: Are you familiar with the amount of configuration involved in these features?

You mention this text in your review:

"The restriction of the applicability of this SAFI to its intended well-defined scope limits the
likelihood of traffic diversions. Furthermore, as long as the filtering and
appropriate configuration mechanisms discussed previously are applied
diligently, risk of the diversion of the traffic is significantly mitigated."

This text was written to indicate (as described in the CT document):

  1.  Networks are filtering offered data traffic into different service levels (e.g. gold, silver, bronze service levels). This filtering includes normal filtering of traffic against DDoS and other attack traffic.
  2.  Data traffic is placed on set-up transport pathways created by the BGP protocols.
  3.  Back-up pathways are also set up by the BGP protocol with input from IGP protocols.

All of this setup requires a great deal of configuration on the nodes.
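As an added illustration, not text or code from the draft, the review or any poster in this thread, the following Python applies RFC 6811 route origin validation, which the quoted security section says MAY be used for the new SAFI, to a constructed set of ROAs and transport-endpoint routes; the prefixes, AS numbers and route labels are assumed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization as used by RFC 6811 (assumed sample record)."""
    prefix: str      # address block the holder authorises, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length that may be announced from it
    asn: int         # origin AS allowed to announce it; 0 means nobody may


@dataclass(frozen=True)
class Route:
    prefix: str      # NLRI prefix as received
    origin_as: int   # rightmost AS in the AS_PATH (RFC 6811 section 2)


def validate(route, roas):
    """RFC 6811 section 2: 'valid', 'invalid' or 'notfound' for one route."""
    net = ip_network(route.prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=False)
        # Covering ROA: same address family and the route prefix lies within it.
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Matching ROA: origin AS agrees and prefix not longer than maxLength; AS 0 never matches.
        if roa.asn != 0 and roa.asn == route.origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


# Constructed ROA set for a domain's transport-endpoint address space (sample values).
ROAS = [
    ROA("192.0.2.0/24", 26, 64500),  # AS64500 may announce /24 through /26
    ROA("198.51.100.0/24", 24, 0),   # AS 0: no AS may originate this block
]

# Constructed announcements as a router speaking the new SAFI might receive them.
ROUTES = {
    "expected":     Route("192.0.2.0/26", 64500),    # valid
    "too_specific": Route("192.0.2.0/27", 64500),    # invalid: beyond maxLength
    "wrong_origin": Route("192.0.2.0/24", 64511),    # invalid: origin not authorised
    "as0_blocked":  Route("198.51.100.0/24", 64500), # invalid: AS 0 ROA covers it
    "unregistered": Route("203.0.113.0/24", 64500),  # notfound: no covering ROA
}


def validate_all(routes=ROUTES, roas=ROAS):
    return {name: validate(r, roas) for name, r in routes.items()}
```

Whether a "notfound" transport route is accepted or dropped is a local policy decision; the point of the check is that a route for a registered endpoint prefix announced from the wrong origin AS is flagged before it can steer traffic.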




From: Kaliraj Vairavakkalai <kaliraj@juniper.net>
Sent: Monday, April 8, 2024 10:38 PM
To: Magnus Nyström <magnusn@gmail.com>; secdir@ietf.org
Cc: draft-ietf-idr-bgp-ct.all@ietf.org; idr@ietf.org
Subject: Re: [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30


Hi Magnus,

> was this meant to say "existing BGPsec solutions" or "the existing BGP solution"?

I think we should change it to 'existing BGP solutions'. Agree.

Thanks,
Kaliraj

From: Idr <idr-bounces@ietf.org> on behalf of Magnus Nyström via Datatracker <noreply@ietf.org>
Date: Sunday, April 7, 2024 at 10:17 PM
To: secdir@ietf.org
Cc: draft-ietf-idr-bgp-ct.all@ietf.org, idr@ietf.org
Subject: [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30


Reviewer: Magnus Nyström
Review result: Has Nits

Comparing with my original review (-18) the authors have addressed my concerns.
There is one remaining, probably smaller, issue: The Security Considerations
section states: "In order to mitigate the risk of the diversion of traffic from
its intended destination, existing BGPsec solution could be extended and
supported for this SAFI." - was this meant to say "existing BGPsec solutions"
or "the existing BGP solution"? Also, it isn't clear how BGPsec should be
extended - and if it would provide any substantial benefit over the mechanisms
described herein (the remainder of this paragraph states: "The restriction of
the applicability of this SAFI to its intended well-defined scope limits the
likelihood of traffic diversions. Furthermore, as long as the filtering and
appropriate configuration mechanisms discussed previously are applied
diligently, risk of the diversion of the traffic is significantly mitigated.").

