[Idr] Review of draft-abraitis-bgp-version-capability-07
Alvaro Retana <aretana.ietf@gmail.com> Wed, 19 August 2020 16:41 UTC
Return-Path: <aretana.ietf@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE9163A0D13 for <idr@ietfa.amsl.com>; Wed, 19 Aug 2020 09:41:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fCQnfdkwUmdA for <idr@ietfa.amsl.com>; Wed, 19 Aug 2020 09:41:06 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DE5D3A0CFE for <idr@ietf.org>; Wed, 19 Aug 2020 09:41:06 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id bs17so18662783edb.1 for <idr@ietf.org>; Wed, 19 Aug 2020 09:41:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:date:message-id:subject:to:cc :content-transfer-encoding; bh=j9LhQk1b4Wt8JZQ6CWRstfuQUoIgEIzroAnfruGVfFQ=; b=GjG9nKDJLpyJL0Lx9XH5y6sv8Tj7urHgvHcGpB7vIPCCRuvxK+EFMCNOAJlNSKBiaS H5j63VITiOP9vU1lgHCdEFNkIqg0mN/BhwkVALZ8iNS0Eg/yju12Zpj4M5bWO6N42Z6N Xrc0Ne3FL9FxphvRf1i9LOcJto3qOZpMQM0MQdPWwffauajwv2jHnhocTOvn9BcNDRWR tciemSeVjnDdtaRkTHfAWOsfs7beAmq1KXD1zTBQU/NraDv1XnfKlcaY+j9PDR9sEHKn 9j39WXGDv6wwX3t5p5sW/8V+vfEZDR7VP8BmWXpB1JTTfi5f6VDl5KKQmsoV2UGV3s9K zyDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:date:message-id:subject:to:cc :content-transfer-encoding; bh=j9LhQk1b4Wt8JZQ6CWRstfuQUoIgEIzroAnfruGVfFQ=; b=SJNkSEqiPgjibX+m3AtndpS6aFmvYrEQ1t2eX2mG7dHN1IzmKuZYsBEAiTa5vM5lUl 5Uzv4GlLBvPDewUnFEEJS+QqE+pXW0tLoiSfJJIchSNh9wpvlhSYS521QUyJg+7yQNuO J8+FjCVVuRhLBgQtGekYJt/kDN42AMm2TjvJ6MEHx7u+DkChb6NGb6YgNdT10ng27Clo Y9mFnbQbU2SnYX7Q04pzIeBPp1WotwPqYTM9grfs/fLYx2hKoZhIbTV9LNv0+lIHE7aX DvOLnkqv9vWYks0gRROEygIutMtvPJRdjXRMYjbPWLmQZbTOpuucs+3DDav67/0+ob/t RzwQ==
X-Gm-Message-State: AOAM530JMkLLfVPWebZnfNHYb9myrKgDOcDEQNFR+8DL1nSpoPxX1JOk AzwvFTjFMEABCmtfA9o+Yt8fP9iA1B9nfhLa/M4=
X-Google-Smtp-Source: ABdhPJyZsQYKazBl1lXTB553RTBz0OBJyI2vAVtazplmqmbX9XtVZCuRn6vx951z1wXPR2L3ceTW4/x5Gh7LzbiIoI8=
X-Received: by 2002:a50:ba85:: with SMTP id x5mr24397287ede.38.1597855264147; Wed, 19 Aug 2020 09:41:04 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 19 Aug 2020 12:41:03 -0400
From: Alvaro Retana <aretana.ietf@gmail.com>
MIME-Version: 1.0
Date: Wed, 19 Aug 2020 12:41:03 -0400
Message-ID: <CAMMESswJfjShCjr0ZOhshWD058eosBAStOcXVAr77rv6RvFMDg@mail.gmail.com>
To: donatas.abraitis@hostinger.com
Cc: Adrian Farrel <rfc-ise@rfc-editor.org>, IDR List <idr@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/q4pUI7jKnYEL_5Cr0mUfoHopY74>
Subject: [Idr] Review of draft-abraitis-bgp-version-capability-07
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2020 16:41:10 -0000
Dear Donatas: Thank you for your work on this document! I am reviewing your document prompted by the IESG Conflict Review (rfc5742) requested by the ISE; I am the Shepherding AD. I cc'd the idr WG in case there are any comments on the document or my review. In general, the document is mostly clear, and the functionality may be of interest to some. From that point of view, I think there are no conflicts that prevent publication. I have several comments below (in-line). However, I have a couple of points that would prevent me from declaring the document as conflict-free. I am cc'ing the ISE for awareness of my current thinking. (1) You do a very good job to highlight potential threats in the Security Considerations section. But you also Normatively recommend (SHOULD) the use of encryption in the BGP Session. While sensible, there are no Standards Track documents that currently do the same. This recommendation, even if the draft points out that it "is not an IETF Standards Track document", can create confusion and potentially disrupt other IETF work. The threats that you identify are not exclusive to this extension, so the solution/mitigation shouldn't be either. This issue should be easy to address -- I suggested alternative text below. (2) As currently specified ("SHOULD be no greater than 64" and "it is RECOMMENDED to exclude the Version Capability"), the Capabilities Length Overflow (§3.1) handling represents a significant threat to a BGP session. The recommendations are not enough to prevent the potential exclusion of other more critical Capabilities. The use of draft-ietf-idr-ext-opt-param could reduce the risk, but may result in the same problem. Because the current specification may significantly affect any BGP session where one of the peers supports the Version Capability, I believe that this document would require IETF review. This issue can be addressed by requiring the exclusion of the Version Capability (using MUST), *and* talking about the risk in the Security Considerations section. See more comments about this in-line in §3.1. Note that this message is not the IESG's Conflict Review, just my review of the document. I have scheduled the balloting of the Conflict Review for Sep/10, so we should have plenty of time to talk about the two issues above. Thanks! Alvaro. [Line numbers from idnits.] ... 10 Abstract ... 15 This BGP capability is an optional advertisement. Implementations 16 are not required to advertise the version nor to process received 17 advertisements. [nit] All BGP Capabilities are optional. No need to include this paragraph. The same text is repeated in the Introduction...and similar text elsewhere. ... 66 1. Introduction ... 79 Information about the version of the routing daemon could also be 80 exchanged in protocols such as LLDP and CDP. However, in 81 containerized environments, it is very hard and not recommended to 82 exchange this information between background processes. Therefore, 83 and to help minimize operational costs, it is helpful to exchange the 84 routing daemon information between BGP peers directly. [nit] For completeness, it would be nice to have a reference to LLDP/CDP. ... 94 3. Version Capability 96 Although this document is not an IETF Standards Track document, it 97 makes use of the terminology from BCP 14 in order to clearly state 98 the implementation behaviors. 100 Capabilities advertisements with BGP are defined in [RFC5492]. They 101 utilize the BGP Capabilities Optional Parameter that contains one or 102 more triples <Capability Code, Capability Length, Capability Value>. 103 This document defines a new BGP capability, the Version Capability, 104 with Capability Code TBD and Capability Length and Capability Value 105 as described below. 107 The inclusion of the Version Capability is OPTIONAL. If an 108 implementation supports the inclusion of the capability, the 109 implementation MUST include a configuration switch to enable or 110 disable its use, and that switch MUST be off by default. 112 The Version Capability is intended principally more to non-production 113 environments where more visibility is needed for troubleshooting 114 purposes. It is NOT RECOMMENDED for use outside single Autonomous 115 System domain or Autonomous System Confederations, except you have a 116 topology with a number of routers each with a separate Autonomous 117 Number. [nit] s/except you have/except if you have [minor] A collection of several autonomous systems is often characterized as being "under a common administration". That description covers not only "routers each with a separate Autonomous Number", but also other combinations where multiple ASNs may be present and where exchanging this information might be useful. Suggestion> The Version Capability is intended for environments where more visibility is needed for troubleshooting purposes. It is NOT RECOMMENDED for use outside a single Autonomous System, or a set of Autonomous Systems under a common administration. 119 An implementation that does not recognize or support the Version 120 Capability but which receives one MUST respond as described in 121 [RFC5492] by ignoring the option. An implementation that wishes to 122 complain that its neighbor does not support the Version Capability 123 MAY use the 'Unsupported Capability' Error Subcode of a Notification 124 message as described in [RFC5492]. [major] The Normative behavior is already specified in rfc5492, please don't re-specify the behavior here. Note that rfc5492 specifies a different behavior, specifically about sending a Notification: If a BGP speaker receives from its peer a capability that it does not itself support or recognize, it MUST ignore that capability. In particular, the Unsupported Capability NOTIFICATION message MUST NOT be generated and the BGP session MUST NOT be terminated in response to reception of a capability that is not supported by the local speaker. Suggestion> An implementation that does not recognize or support the Version Capability but receives one must ignore it, as described in [RFC5492]. ... 132 Capability Length [minor] For completeness, please add the following from rfc5492: Capability Length is a one-octet unsigned binary integer that contains the length of the Capability Value field in octets. 134 The Capability Length for the Version Capability MUST be greater 135 than zero. A value of zero SHALL be treated as an encoding error 136 and the entire triple MUST be ignored. [major] s/the entire triple MUST be ignored/the Capability MUST be ignored 138 The Capability Length SHOULD be no greater than 64. This is the 139 limit to allow other capabilities as much space as they require. [minor] Please add a forward reference to §3.1. See more comments there. 141 Capability Value 142 The Capability Value field is encoded in UTF-8 [RFC3629]. It is 143 unstructured data and can be formatted in any way that the 144 implementor decides. 146 +--------------------------------+ 147 | Version Length (1 octet) | 148 +--------------------------------+ 149 | Version (variable) | 150 +--------------------------------+ 152 Figure 1 [minor] Just to make sure, this Figure represents the contents of the Capability Value, right? If so, it seems to me that the Version Length is not needed because the Capability Length already exists...and it takes up 1 octet from the Version. 154 Version Length: 156 The number of characters in the Version [minor] If I remember correctly, UTF-8 uses variable-length character encoding. Is the variable-length part of the encoding? A reference to rfc3639 would be useful here. [?] BTW, is there an advantage to signal the number of characters, vs simply the number of octets? 158 Version: 160 The Version encoded via UTF-8 UTF-8 requires some extra considerations...borrowing from rfc8203: Suggestion> The Version field MUST be encoded using UTF-8. A receiving BGP speaker MUST NOT interpret invalid UTF-8 sequences. This field is not NUL terminated. 162 3.1. Capabilities Length Overflow 164 As defined in [RFC5492] the total length of capabilities that can be 165 carried by the BGP Capabilities Optional Parameter is 255 bytes. If 166 an implementation is constructing a BGP Capabilities Optional 167 Parameter and its length exceeds 255 bytes, it is RECOMMENDED to 168 exclude the Version Capability. An implementation may optimally 169 achieve this by making the Version Capability the last capability 170 triple to add to the Parameter, and only adding it if there is 171 sufficient space to do so. [?] Was the use of draft-ietf-idr-ext-opt-param considered? [major] Some of the other Capabilities are far more critical to the operation of a BGP session than this one: multiprotocol extensions, extended messages, add-path...to mention a few. As specified ("SHOULD be no greater than 64" and "it is RECOMMENDED to exclude the Version Capability"), the result could easily be the inability of the session to properly function if other Capabilities are not included. Why is the behavior recommended and not required? I can imagine how a Version may need a long string...but excluding the Version Capability should be REQUIRED. As mentioned at the top, text in the Security Considerations section should also highlight this risk. Suggestion (for the Security Considerations)> A rogue node can prevent the proper operation of a BGP session, or the advertisement of other Capabilities, by not excluding the Version Capability as required in Section 3.1. This risk is equivalent to a rogue node simply not advertising a specific Capability and is not new to BGP. [major] The length to be considered is not 255 octets of Capabilities, but of Optional Parameters -- take a look at rfc4271/§4.2. 173 4. Operation ... 186 Enabling (i.e., turning on) this capability requires bouncing all 187 existing BGP sessions and the feature MUST be explicitly configured 188 before an implementation advertizes the Version Capability. [minor] There is already a specification in §3 about explicit configuration -- no need to specify the behavior twice. Suggestion> Enabling (i.e., turning on) this capability may require a restart of any existing BGP sessions and its explicit configuration (Section 3). [] Note that some vendors support the ability to change the software version without restarting the BGP sessions...which means that the Capability may have stale information. 190 4.1. Example Usage 192 Below is an example of implementation in [FRRouting] how it looks 193 like with version advertised by a BGP sender: [] Suggestion> Below is an example from the [FRRouting] implementation showing both the received and advertised Version Capability: 195 :~# vtysh -c 'show ip bgp summary failed' 196 ... 197 Neighbor EstdCnt DropCnt ResetTime Reason 198 ens192 3 3 00:00:35 Waiting for peer OPEN (n/a) 199 ens224 3 3 00:01:12 Waiting for NHT (FRRouting 7.2) 200 eth0 3 3 00:00:14 Neighbor deleted (FRRouting 7.3) 201 ... 203 Figure 2 [] I'm not sure what this figure is showing. ... 214 5. IANA Considerations 216 IANA maintains the "Border Gateway Protocol (BGP) Parameters" 217 registry with a subregistry called "Capabilities Codes". IANA is 218 requested to assign a capability number from the First Come First 219 Served range for the Version Capability in this document as follows: [major] The Capability Codes registry is a standalone registry. ... 229 6. Security Considerations 231 The Version Capability should be treated as sensitive information: it 232 could be easier for an attacker to exploit the system if they know 233 the specific version of a BGP speaker. This information could be 234 gathered by inspecting BGP OPEN messages that carry the Version 235 Capability defined in this document. Using encryption to protect the 236 information exchanged in BGP sessions SHOULD, therefore, be carefully 237 considered when this feature is enabled. Suitable encryption can be 238 achieved by protecting the BGP session using TLS [RFC5246]. [major] There is no Standards Track document that talks about encrypting a BGP session, much less recommending it (SHOULD). This is not an IETF consensus document, so providing this type of guidance is out of place, and may cause unnecessary confusion that could disrupt other work. 240 Furthermore, knowledge of which versions of code is running on a 241 given router and from which vendor it comes may facilitate a number 242 of social-engineering attacks. This further adds to the desire to 243 protect this information through encryption. 245 Modifying the information advertised by a router might lead to 246 attacks including bogus software upgrades and also might mask the 247 causes of faults in the network. This can be mitigated by protecting 248 the BGP session using TLS. [major] Confidentiality and integrity are issues that apply to BGP in general, and are not exclusive to this extension. Suggestion (to replace the first 3 paragraphs -- borrowing heavily from rfc8203)> The Version Capability should be treated as sensitive information: it could be easier for an attacker to exploit the system if they know the specific software version and manufacturer of a BGP speaker. This information could be gathered by inspecting BGP OPEN messages that carry the Version Capability defined in this document. Furthermore, this knowledge may facilitate a number of social-engineering attacks. Modifying the information advertised by a router might lead to attacks including bogus software upgrades and also might mask the causes of faults in the network. Users of this mechanism should be aware that unless a transport that provides integrity is used for the BGP session in question, the Version Capability can be forged. Unless a transport that provides confidentiality is used, the Version Capability could be snooped by an attacker. These issues are common to any BGP message but may be of greater interest in the context of this extension as explained above. Refer to the related considerations in [RFC4271] and [RFC4272]. Users of this mechanism should consider applying data minimization practices as outlined in Section 6.1 of [RFC6973], as appropriate within the deployment context. 250 Many BGP implementations leave TCP port 179 open in order to be able 251 to establish sessions with new neighbors. This could lead to an 252 attack where a rogue BGP implementation attempts to open a session 253 and learns the version information from the responding peer. [] This is a general vulnerability. See related comments after the last paragraph in this section. 255 The Version Capability MUST be configurable with a vendor-specific 256 knob to be able to enable or disable the capability. The vendor 257 might implement to disable this capability per neighbor. [minor] The configuration specification is already detailed in §3 -- no need to describe more here. The only extra functionality (not in §3) is the ability to disable the capability per-neighbor -- include it in §3. 259 It would be safe to enable this for iBGP or inside the same tenant 260 where you have full control and the BGP speaker is behind the exit 261 points. [minor] This paragraph sounds very tentative ("would be safe") and not explicit about the meaning of "full control" or being "behind the exit points". In general I understand what you mean, but it many be too vague for an RFC. Take a look at RFC8799, which talks about "controlled environments" (aka limited domains) -- that might be a good reference for what you mean above. [minor] This topic is related to the text already in §3 about deploying outside a single AS (see my comments there too). Suggestion: keep these operational considerations in one place. Perhaps §3 is not ideal -- consider §4 instead. 263 This capability is NOT RECOMMENDED for eBGP use. [minor] As mentioned above, put all operational/deployment considerations in one place. BTW, this is the only place where eBGP is used...perhaps the AS-related terminology is better. 265 Sensitive information leaks can be minimized by using the [RFC5082] 266 mechanism or firewalls to filter out TCP 179 port from untrusted 267 networks. This capability can be disabled per neighbor, thus the 268 sensitive information can't be disclosed to untrusted neighbors. [minor] General vulnerabilities. These two techniques (and other general suggestions) are covered in rfc7454 (BGP Operations and Security). A reference to that document instead of mentioning specifics that are not exclusive to this extension may be better. [major] One more thing -- borrowing also from rfc8203 -- add the following: This document uses UTF-8 encoding. There are a number of security issues with Unicode. Implementers and operators are advised to review Unicode Technical Report #36 [UTR36] to learn about these issues. UTF-8 "Shortest Form" encoding is REQUIRED to guard against the technical issues outlined in [UTR36]. Here's the reference: [UTR36] Davis, M., Ed. and M. Suignard, Ed., "Unicode Security Considerations", Unicode Technical Report #36, August 2010, <http://unicode.org/reports/tr36/>.
- [Idr] Review of draft-abraitis-bgp-version-capabi… Alvaro Retana
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… RFC ISE (Adrian Farrel)
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Alvaro Retana
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… RFC ISE (Adrian Farrel)
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Donatas Abraitis
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Alvaro Retana
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Robert Raszuk
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… RFC ISE (Adrian Farrel)
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… RFC ISE (Adrian Farrel)
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Donatas Abraitis
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Robert Raszuk
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Alvaro Retana
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… RFC ISE (Adrian Farrel)
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Robert Raszuk
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Alvaro Retana
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Robert Raszuk
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Donatas Abraitis
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… John Scudder
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… John Scudder
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Donatas Abraitis
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… John Scudder
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… Donatas Abraitis
- Re: [Idr] Review of draft-abraitis-bgp-version-ca… John Scudder