Re: [Idr] Secdir early review of draft-ietf-idr-bgp-ct

Kaliraj Vairavakkalai <kaliraj@juniper.net> Mon, 22 January 2024 06:11 UTC

From: Kaliraj Vairavakkalai <kaliraj@juniper.net>
To: Magnus Nyström <magnusn@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-idr-bgp-ct@ietf.org" <draft-ietf-idr-bgp-ct@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Date: Mon, 22 Jan 2024 06:11:27 +0000
Message-ID: <SJ0PR05MB86323E33530BAC599E18F729A2752@SJ0PR05MB8632.namprd05.prod.outlook.com>
References: <CADajj4Zv=VAMcXwN3ig4PKtxCy-6_fFu3s9PFknH7XpBpFGMTA@mail.gmail.com> <SJ0PR05MB863209A75D9CA046083D7DF6A2752@SJ0PR05MB8632.namprd05.prod.outlook.com>
In-Reply-To: <SJ0PR05MB863209A75D9CA046083D7DF6A2752@SJ0PR05MB8632.namprd05.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/ozUlgE1UraCxBlue6bF8TAkTrXc>
List-Id: Inter-Domain Routing <idr.ietf.org>

Copying IDR mailing list too.

From: Kaliraj Vairavakkalai <kaliraj@juniper.net>
Date: Sunday, January 21, 2024 at 10:06 PM
To: Magnus Nyström <magnusn@gmail.com>, secdir@ietf.org <secdir@ietf.org>, draft-ietf-idr-bgp-ct@ietf.org <draft-ietf-idr-bgp-ct@ietf.org>
Subject: Re: Secdir early review of draft-ietf-idr-bgp-ct
Hi Magnus, please see inline for responses. KV>

I have made some updates accordingly in draft version -20.

https://datatracker.ietf.org/doc/html/draft-ietf-idr-bgp-ct-20

Thanks
Kaliraj

From: Magnus Nyström <magnusn@gmail.com>
Date: Monday, December 18, 2023 at 10:07 PM
To: secdir@ietf.org <secdir@ietf.org>, draft-ietf-idr-bgp-ct@ietf.org <draft-ietf-idr-bgp-ct@ietf.org>
Subject: Secdir early review of draft-ietf-idr-bgp-ct

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other comments.

This document presents BGP constructs that may be used to implement certain types of network segmentation.
1.  The Security Considerations section starts off by stating:

   This document defines a new BGP SAFI for AFIs 1 and 2 and therefore
   does not change the underlying security issues inherent in the
   existing BGP protocol

It isn't clear to this reader why the definition and introduction of a new element "therefore" doesn't change any underlying security characteristics. This should be explained better.

2.  The Security Considerations section also states:

   Mechanisms described in this document follow a "Walled Garden"
   approach

Perhaps this is due to me not being an expert in this area and therefore missing it, but where in the document is it expressed that these mechanisms only apply to Walled Garden situations?
KV> I clarified/reworded the text to explain this better: https://datatracker.ietf.org/doc/html/draft-ietf-idr-bgp-ct-20#section-14

3.  It is stated that BGP origin validation "could" be used to "increase assurance" that information has not been falsified. Firstly, "could" does not say much to an implementer. Is this intended to be "SHOULD"? What's the risk of not using origin validation? And conversely, what assurance is given if BGP origin validation is not used (the "increased assurance" part)?
KV> That para about TCP-AO, GTSM, BGP-SEC and Origin-Route-Validation (RV) was added as a general BGP security practice, based on suggestions from the chairs.
KV> RV is used to validate origination of public Internet service prefixes. Though BGP CT families don’t carry service prefixes, RV can be used to detect/validate any origination of internal loopback routes from EBGP Internet peers. In the absence of Origin validation, BGP policy can be used in the network perimeter to reject such routes.
KV> Will change the ‘could’ to MAY.

4.  It is stated:

   In order to mitigate the risk of the diversion of traffic from its
   intended destination, existing BGPsec solution could be extended and
   supported for this SAFI

Again, "could" is not part of RFC 2119, so not sure what is intended here.
KV> Will change it to MAY.

5.  It is also stated that "as long as filtering [and other measures] are applied diligently, risk of [traffic diversion] is eliminated" - is this really the case? That it is entirely eliminated?
KV> Changed ‘eliminated’ to ‘significantly mitigated’.

6.  Not being an expert in this area, I just want to call out the following items that I ask the authors to ensure are covered:

   1.  Is there anything in here which increases the risk of DDoS attacks?
   KV> No.

   2.  Do the mechanisms and constructs in this document introduce any new risks related to unintended information disclosure?
   KV> No. As the reachability information advertisement has confined scope.

   3.  Do the mechanisms and constructs in this document introduce any new risks due to spoofing of endpoint identities etc.?
   KV> No.

   4.  Do the mechanisms and constructs in this document introduce any new risks due to modification of information exchanged, e.g., between AS endpoints?
   KV> No, this document doesn’t introduce new risks. But use of mechanisms like TCP-AO, GTSM, BGPSEC are recommended, as stated in the text.
Editorial: Generally the document is in need of language clean-up; it uses needless commas, etc. Three examples below just from the abstract:

·  The first sentence is very long and hard to follow. I suggest changing to:

   This document specifies a mechanism referred to as "Intent Driven
   Service Mapping." The mechanism uses BGP to express intent-based association
   of overlay routes with underlay routes that have specific Traffic
   Engineering (TE) characteristics satisfying a certain Service
   Level Agreement (SLA).

·  Likewise, I suggest changing the next sentence to (since a document in itself doesn't achieve anything):

   This is achieved by ...

·  I also suggest starting the second paragraph:

   Additionally, this document specifies ...

KV> Fixed these. Thanks.


Thanks,
--
-- Magnus
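As an added illustration of the two safeguards Kaliraj mentions above (origin validation to catch internal loopback routes originated by EBGP Internet peers, and a perimeter BGP policy that rejects such routes when validation is not available), here is example code that is not part of this thread, the draft, or any Juniper implementation. It implements the RFC 6811 Valid/Invalid/NotFound decision over a ROA table and a walled-garden perimeter rule in front of it. The ROAs, prefixes, ASNs and the "ct" family label (standing in for the BGP CT SAFI) are all constructed; a real policy engine would key on the actual AFI/SAFI of the session.

```python
"""Perimeter policy for BGP CT (Classful Transport) routes learned from
external peers, with RFC 6811 origin validation.

Added example, not code from draft-ietf-idr-bgp-ct, its authors or Juniper.
The route/ROA records, prefixes, ASNs and the 'ct' family label are all
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Route:
    """Minimal view of a received BGP route, as a policy engine would see it."""
    prefix: str
    origin_asn: int      # rightmost AS in AS_PATH
    peer_type: str       # "ebgp-internet" or "internal" (iBGP / walled-garden peer)
    family: str          # "inet-unicast" or "ct" (constructed label for the CT SAFI)


def _covers(container: str, prefix) -> bool:
    """True if `container` (a prefix string) covers `prefix` (an ip_network)."""
    net = ip_network(container)
    return net.version == prefix.version and prefix.subnet_of(net)


def origin_validation(route: Route, roas) -> str:
    """RFC 6811 prefix origin validation.

    Valid    : some covering ROA authorizes the origin AS and length <= maxLength
    Invalid  : covering ROAs exist but none match
    NotFound : no ROA covers the prefix
    """
    net = ip_network(route.prefix)
    covering = [r for r in roas if _covers(r.prefix, net)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == route.origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed: infrastructure (loopback / transport endpoint) space that must
# never be learned from the public Internet. Real deployments use their own.
INTERNAL_LOOPBACKS = ["192.0.2.0/24", "2001:db8:1::/48"]


def perimeter_policy(route: Route, roas) -> tuple:
    """Accept/reject decision for one received route, with a reason string.

    Walled-garden rule: CT-family reachability and internal loopback prefixes
    are rejected outright from Internet-facing eBGP peers, regardless of ROV.
    For everything else from the Internet, ROV "Invalid" is rejected and
    "Valid"/"NotFound" accepted (NotFound would usually be de-preferenced).
    """
    if route.peer_type != "ebgp-internet":
        return True, "trusted-peer"
    net = ip_network(route.prefix)
    if route.family == "ct":
        return False, "ct-family-from-internet"
    if any(_covers(lb, net) for lb in INTERNAL_LOOPBACKS):
        return False, "internal-loopback-from-internet"
    state = origin_validation(route, roas)
    if state == "Invalid":
        return False, "rov-invalid"
    return True, "rov-" + state.lower()


# Constructed sample ROA table and received routes.
SAMPLE_ROAS = [Roa("203.0.113.0/24", 24, 64496)]
SAMPLE_ROUTES = {
    "svc-ok":        Route("203.0.113.0/24", 64496, "ebgp-internet", "inet-unicast"),
    "svc-too-long":  Route("203.0.113.0/25", 64496, "ebgp-internet", "inet-unicast"),
    "svc-wrong-as":  Route("203.0.113.0/24", 64497, "ebgp-internet", "inet-unicast"),
    "svc-no-roa":    Route("198.51.100.0/24", 64499, "ebgp-internet", "inet-unicast"),
    "ct-leak":       Route("192.0.2.7/32", 64500, "ebgp-internet", "ct"),
    "loopback-leak": Route("192.0.2.7/32", 64500, "ebgp-internet", "inet-unicast"),
    "ct-internal":   Route("192.0.2.7/32", 65001, "internal", "ct"),
}


def evaluate_all(routes=SAMPLE_ROUTES, roas=SAMPLE_ROAS) -> dict:
    """Run the policy over every sample route; returns name -> (accept, reason)."""
    return {name: perimeter_policy(r, roas) for name, r in routes.items()}


if __name__ == "__main__":
    for name, (accept, reason) in evaluate_all().items():
        print(f"{name:14s} {'accept' if accept else 'reject':7s} {reason}")
```

Running the file prints one accept/reject line per sample route. The ordering matters: the walled-garden checks run before origin validation, so a CT-family or loopback route arriving from the Internet is rejected even if some ROA happened to cover it, which is the "BGP policy at the perimeter" fallback described in the reply, with ROV only deciding the fate of ordinary service prefixes.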