IETF Logo Mail Archive

Re: [Idr] Review of draft-abraitis-bgp-version-capability-07

Donatas Abraitis <donatas.abraitis@hostinger.com> Fri, 21 August 2020 16:32 UTC

Return-Path: <donatas.abraitis@hostinger.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB2D33A0CA9 for <idr@ietfa.amsl.com>; Fri, 21 Aug 2020 09:32:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hostinger.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YGrkFF5YCI0W for <idr@ietfa.amsl.com>; Fri, 21 Aug 2020 09:32:02 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B18523A0C9A for <idr@ietf.org>; Fri, 21 Aug 2020 09:32:02 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id t23so1624329qto.3 for <idr@ietf.org>; Fri, 21 Aug 2020 09:32:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hostinger.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=PwquCSFWE/lljfAxO5grEZ165D4pIbCiLPHoiZ9S59g=; b=EEvR+vvMwxqamMkNRPf6HaxxN1yB6gZca3kxrcouBKklgCr1zr1RFKeWmV2gsTJ/jC S33LHosotuCER9aHuyRcddvuSY1nxKD2ELGOu57zLYNqaNRfXe3SqtB7BtWoj7U5G9WO f0Tg6NQMB2Mt/ixJSE3kdBDtf1lSwanovWg6LsIGkVyWFhc8Wt//tTfTy3Y+Cqk/uNIZ C2mWTCasPIi65ynOAc/+R7EvC7w4GaHBdfXfv5hSHmTuZBZYiS+25sM3Z8BKrgT7Pc/8 AbThpTU1gq1a0+vxT7vjxxtiEFBFA39MDPgy4an4/9+8q0E5s6IdjFoKLRHQu7pxDxlQ RaAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=PwquCSFWE/lljfAxO5grEZ165D4pIbCiLPHoiZ9S59g=; b=RAkbGMTJERhFgbZeYBy7c9rLZtttX//+FZtIP5ldI2oGqqUC5lRBb/Gh31IK/02EDI 9KkDJ4WfNnt35q19wyCd0ins2z4gFKGg3AX1UaE+QHuDoU+DwoK9n0KqiIZuf23TNFu2 3aDmxOd1tilH8zQdfboceuSZ+Ozpvlf2s/Ylp/Pfso2JrO9RVtnamnPsMf7lLcF77l5a 93MnqsrJTm1fG5o1yWc41pdxmlGTcHSNV2wkr2/ayiIre5jC6+jlwBlD4CzU/RZJaqfX qmJRffKjuW5yl2oIjczweNc9yhJcmHD2Of7VrgpElosZQcVIkuP77fjFpSv8fKqraizb rt7g==
X-Gm-Message-State: AOAM530L6sx7uLdbaTnwSq8QJOVN/kq5pm41e/wRAPomMT5TnICUPtiZ TyUudmfc44s2bdCff2oIx6hNbvY+5vL33Btus0tduQ==
X-Google-Smtp-Source: ABdhPJztwZWlziBzxwxHopVlIEod3+P5+ZbB3z3LM140fUE/9WvdJ/nWhfPmY2U5Bc7nnXJpDvTDIbFfZwzcpvN77mk=
X-Received: by 2002:ac8:24d9:: with SMTP id t25mr3502228qtt.15.1598027521163; Fri, 21 Aug 2020 09:32:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAMMESswJfjShCjr0ZOhshWD058eosBAStOcXVAr77rv6RvFMDg@mail.gmail.com> <37f90ca874e87bd4f8b4245518cd3a3b.squirrel@www.rfc-editor.org> <CAMMESsyqTuPfxCMWO6GQCO8nc2z8+PxQVomL0HX0xQLrBLYEQA@mail.gmail.com> <63466e0fde345b64395b7d12c0ac40ca.squirrel@www.rfc-editor.org>
In-Reply-To: <63466e0fde345b64395b7d12c0ac40ca.squirrel@www.rfc-editor.org>
From: Donatas Abraitis <donatas.abraitis@hostinger.com>
Date: Fri, 21 Aug 2020 19:31:50 +0300
Message-ID: <CAJwpseXeL4XsuaYDYsxRTa9XoO_SDpHZxM7LbNxhrH41XLV4-w@mail.gmail.com>
To: rfc-ise@rfc-editor.org
Cc: Alvaro Retana <aretana.ietf@gmail.com>, IDR List <idr@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/uPOhzewale7ICAXBey7SG5NFs-s>
Subject: Re: [Idr] Review of draft-abraitis-bgp-version-capability-07
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Aug 2020 16:32:05 -0000

Hello Alvaro and Adrian,

thank you for the detailed review. I'll look at that carefully next week.

By the way, should I upload a new version with fixes or send a
generated txt here (or pastebin/gist) to review again before pushing
to draft revision?

On Thu, Aug 20, 2020 at 9:55 PM RFC ISE (Adrian Farrel)
<rfc-ise@rfc-editor.org> wrote:
>
> Lovely. Thanks for the quick convergence, Alvaro.
>
> We'll wait to see what Donatas makes of all this.
>
> Best,
> Adrian
>
> Alvaro Retana wrote:
> > On August 20, 2020 at 9:28:42 AM, RFC ISE wrote:
> >
> >
> > Adrian:
> >
> > Hi!
> >
> >
> > ...
> >> > (1) You do a very good job to highlight potential threats in the
> >> > Security Considerations section.
> >> > But you also Normatively recommend (SHOULD) the use of encryption in
> >> > the BGP Session.
> >> > While sensible, there are no Standards Track documents that currently
> >> > do the same.
> >> >
> >> > This recommendation, even if the draft points out that it "is not an
> >> > IETF Standards Track document", can create confusion and potentially
> >> > disrupt other IETF work.
> >>
> >> At this point, I don't see that as a problem. This is a recommendation
> >> that *if* you use this extension you should also use encryption. The
> >> fact
> >> that no standards track documents recommend encryption means that if you
> >> don't use this extension you are not recommended to use encryption.
> >
> > This extension is only present in the OPEN message (1 message), while
> > a BGP session is (hopefully) long-lived.   Recommending any
> > transport-related functionality is really a recommendation for the
> > whole BGP session.
> >
> >> Can you supply examples of the confusion or disruption? (It is certainly
> >> not our intention to confuse or disrupt!)
> >
> > TL;DR: The objective is consistency with current practice and
> > expectations related to BGP documents.
> >
> >
> > Over the years, the need for "upgrading" BGP's security, specifically
> > in terms of authentication, integrity and confidentiality has been the
> > subject of many conversations and reviews, including many from the
> > SecDir and SEC ADs.  The summary of those discussions has been to not
> > change the recommendations/requirements in documents specifying
> > enhancements (like this one), but to do so in the base specification,
> > which is the one dealing with the specification of the transport for
> > BGP.
> >
> >
> > Given that you don't have any objection to the new text I proposed for
> > the Security Considerations, I think we're settled. :-)
> >
> >
> >
> > ...
> >> > (2) As currently specified ("SHOULD be no greater than 64" and "it is
> >> > RECOMMENDED to exclude the Version Capability"), the Capabilities
> >> > Length Overflow (§3.1) handling represents a significant threat to a
> >> > BGP session.
> > ...
> >> However, I would be comfortable with:
> >> - SHOULD be no greater than 64 bytes
> >> - MUST be left out if would constrain inclusion of any other Standards
> >> Track capabilities
> >
> > That works for me too.
> >
> >
> > ...
> >> > Suggestion (for the Security Considerations)>
> >> > A rogue node can prevent the proper operation of a BGP session, or
> >> > the advertisement of other Capabilities, by not excluding the Version
> >> > Capability as required in Section 3.1. This risk is equivalent to a
> >> > rogue node simply not advertising a specific Capability and is not
> >> > new to BGP.
> >>
> >> Sorry, but by your own text, this is at best unhelpful. A rogue node can
> >> do anything! A rogue node can decide to omit or lie about capabilities;
> >> it
> >> can add new and unknown capabilities that fill up the the attribute; it
> >> can violate any MUST from a protocol spec; it can generate random
> >> streams
> >> of bytes.
> >>
> >> Adding your text would, I think, not be very harmful, but it gives the
> >> appearance that this protocol extension introduces a new threat. It does
> >> not. So if you wanted something added it would need to say "BGP includes
> >> no protection against rogue or subverted implementations. This
> >> specification does not introduce any security measures to address that
> >> problem." Personally, I don't think that this is the place for a
> >> commentary on the general deficiencies of BGP.
> >
> > The SEC Area has been putting some emphasis lately on the effect that
> > a rogue node can have, related to the specified functionality.  That
> > is the reason that I suggested the text.
> >
> > I am ok if the author doesn't decide to include the text above.
> >
> >
> >
> >> > [major] The length to be considered is not 255 octets of Capabilities,
> >> > but of Optional Parameters -- take a look at rfc4271/§4.2.
> > ...
> >> 2. How do you stop the version capability crowding out other optional
> >> parameters?
> >
> > That's maybe a better way of stating my concern about the ability to
> > affect the operation of a BGP session...  [The only Optional
> > Parameters currently used are Capabilities.]
> >
> >
> >
> > I'm ok with all your other comments and suggestions.
> >
> > Thanks!
> >
> > Alvaro.
> >
> >
>
>
> --
> Adrian Farrel (ISE),
> rfc-ise@rfc-editor.org
>


-- 
Donatas Abraitis
Systems Engineer
@: donatas.abraitis@hostinger.com
W: www.hostinger.com

v2.29.0 | Report a Bug | By Email | System Status