IETF Logo Mail Archive

Re: [Idr] Securing BGP sessions (Issue#41)

Mahesh Jethanandani <mjethanandani@gmail.com> Fri, 13 December 2019 23:55 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72D67120025 for <idr@ietfa.amsl.com>; Fri, 13 Dec 2019 15:55:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IYdNEgiY45uw for <idr@ietfa.amsl.com>; Fri, 13 Dec 2019 15:55:10 -0800 (PST)
Received: from mail-pg1-x532.google.com (mail-pg1-x532.google.com [IPv6:2607:f8b0:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8157D120005 for <idr@ietf.org>; Fri, 13 Dec 2019 15:55:10 -0800 (PST)
Received: by mail-pg1-x532.google.com with SMTP id k3so260120pgc.3 for <idr@ietf.org>; Fri, 13 Dec 2019 15:55:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=dD/s0gvzZjWRfYGwQ59R+zNwUcOCtSaQk3ZJzn8vTNE=; b=m6Dg0GdseY8PvYLAtTMR64P9sY1SjPVD6ive6WWKNGIu+Oc+yV5R8bR1QIeW43YheX x14/8eXDzM0bD9vJca2bkJ1ahn56WonFpzfvzlC1p56/S5mBDFQ/D8W4Q7TQrQie6dAe t9MkyrNfq4tf5wBq9CAkXhFTseDCoT8kH9pSIGrnMEAwhJgO/miAaPeBoWC4UgeD8Loi T68Fefbn1cTgC3aWgZXfD2CtFC41LVWcCIqpjRW6+oeouG2t1TJXv6Nk7n0JwJ0Ef4YH dARRtkUihwK0l67lAnkxyFX64voodIstcQ/5D/XHq8hCM6xHNb+nXx68VOoXStVMnxC1 GYIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=dD/s0gvzZjWRfYGwQ59R+zNwUcOCtSaQk3ZJzn8vTNE=; b=jVuDjmhlqEXPYBwA1nvYhUS6u3wNbsnKNb506KQX982VBNNMjhZ4HpM9OCopgO5n2e R5hy6uvDXJxdee6yzOINOaWCRlPDyAno5oHqKJgjgEv5Tes2h4UpQdwJcOWBvz0iqlBr g4vSEbvtkKVguN/vW3TqJSRPouUTsEvDDnQRYGtngFExvTTC2Nm7L5OARisYbhAqY/Fa NEuX5n6GiFZ+Zo5KsAVk9jtMY/Jx8jGJdbegmy02pJ7TLeSUnnhkUjckwm+TNQrzVE7C GSbVXgherXM6GKvpRRN1aWtvXbx9JgqqqFLwXhIaYxKJez7KH1/S/6a6D/r/Y8mcJEoP YC/A==
X-Gm-Message-State: APjAAAUbFqVGQCHRSmJH+RzKW1qQcpOE2VsU0/AUsts8BUTxDSbBowoZ D+J3cPZqPnWIeTdAzHkdUlU=
X-Google-Smtp-Source: APXvYqwX0QM6CzXpjoQ56hlY5NERpj1rT2DDohy55tyvFXViNl89jvInbvyINT+Kr7XpCwSC3sTv+w==
X-Received: by 2002:a63:5b0e:: with SMTP id p14mr2504628pgb.315.1576281309824; Fri, 13 Dec 2019 15:55:09 -0800 (PST)
Received: from ?IPv6:2601:647:5600:5020:85b0:636a:fdd9:8b35? ([2601:647:5600:5020:85b0:636a:fdd9:8b35]) by smtp.gmail.com with ESMTPSA id t137sm11980374pgb.40.2019.12.13.15.55.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 13 Dec 2019 15:55:09 -0800 (PST)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <DEA4FFA3-E5BF-4AD0-9248-73CE383E42EB@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_29C6CEBA-F582-42B8-98FC-55AA7CCC248E"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 13 Dec 2019 15:55:08 -0800
In-Reply-To: <DE40EA38-504C-4D6F-B697-DD3325577C05@cisco.com>
Cc: "idr@ietf.org" <idr@ietf.org>
To: "Acee Lindem (acee)" <acee@cisco.com>
References: <D9C310C0-89C6-4CB5-80A2-98C274581E7F@gmail.com> <68B00DBF-3590-4ECE-8028-301643B9E49E@cisco.com> <91B63CF9-B92B-4D14-98CA-EBC865999B08@gmail.com> <A8395DB8-6D10-46A1-99A1-DFFB9B2CBD9D@cisco.com> <E126FB83-AB0B-46C6-91F0-396C9C4FBE9E@gmail.com> <DE40EA38-504C-4D6F-B697-DD3325577C05@cisco.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/vYq0IxnOxTHpRq6HO97T5N9T0Ns>
Subject: Re: [Idr] Securing BGP sessions (Issue#41)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Dec 2019 23:55:13 -0000

Hi Acee,

I realize that the last e-mail did not help. So let me see if this is any better.

If I understand you correctly, you are suggesting that securing BGP with MD5 and TCP-AO is adequately documented, and I agree. We just need a YANG model (in a different document) that defines groupings for them such that the BGP model can use them. BTW, work has started in TCPM to define just that model, just that it is still an I-D, and not a WG document. That puts BGP YANG model in a downrev with that draft. If at the time of publication, the draft has not made progress, IDR will have to make a decision of whether they want to keep that dependency or push support for secure sessions out into a -bis document.

To the question of IPsec, and whether we should support it or not, as I said, I will let Jeff comment. But what kind of documentation are you hoping for? Isn’t it just a question of giving IKE the parameters it needs to setup a IPsec tunnel? If we decide to support it, i2nsf WG has been working on an IKE model, as I just learnt, complete with re-keying, which with a few changes could be used by the BGP model.

Cheers.

> On Dec 13, 2019, at 10:47 AM, Acee Lindem (acee) <acee@cisco.com> wrote:
> 
> Hi Mahesh, 
> 
> On 12/10/19, 8:41 PM, "Mahesh Jethanandani" <mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>> wrote:
> 
> 
> 
>> On Dec 10, 2019, at 5:29 PM, Acee Lindem (acee) <acee@cisco.com> wrote:
>> 
>> Hi Mahesh, 
>> 
>> On 12/10/19, 8:19 PM, "Mahesh Jethanandani" <mjethanandani@gmail.com> wrote:
>> 
>>   Hi Acee,
>> 
>>> On Dec 10, 2019, at 5:10 PM, Acee Lindem (acee) <acee@cisco.com> wrote:
>>> 
>>> Hi Mahesh, 
>>> I assume by IPsec, you mean transport mode IPsec.
>> 
>>   Yes. The assumption is that the underlying transport is secured using IPsec, and the model provides (if needed) key parameters needed to kick off the IKE to setup the SA in IPsec.
>> 
>>   HTH.
>> 
>> Well it doesn't help at all.... Normally, the usage of IPsec (AH, ESP, algorithms, key exchange, etc.) would be specified in some document. For example, IPsec usage by OSPFv3 is specified in RFC 4552. Granted, it is a lot simpler for BGP than OSPFv3 since BGP is strictly P2P but specification would still seem to necessary. 
> 
>    You are right. It should be some document. That document in my mind is the YANG model for IPsec/IKE, something we need to ask the SEC ADs about. You would agree that what needs to be defined is not BGP specific, and therefore does not belong in the BGP model.
> 
>    Much like TCP-AO and TCP-MD5 I expect this other document to define a grouping that the BGP model imports and uses to define what is needed to setup IPsec.
> 
> Actually I disagree with you - TCP MD5 and TCP-AO are more than adequately documented. 
> 
>   MD5 - https://datatracker.ietf.org/doc/rfc2385/ <https://datatracker.ietf.org/doc/rfc2385/>
>   TCP-AO - https://datatracker.ietf.org/doc/rfc5925/ <https://datatracker.ietf.org/doc/rfc5925/>
> 
> It is only IPsec transport mode that isn't described. Also, I don't know of anyone who supports this so I'm wondering why it is in the discussion for this version of the BGP YANG model.
> 
> Thanks,
> Acee
> 
> 
>    Cheers.
> 
>> 
>> Thanks,
>> Acee
>> 
>> 
>>> For IPsec protection of BGP, where are the details specified? 
>>> Thanks,
>>> Acee
>>> 
>>> On 12/10/19, 7:35 PM, "Idr on behalf of Mahesh Jethanandani" <idr-bounces@ietf.org on behalf of mjethanandani@gmail.com> wrote:
>>> 
>>>  This is the second thread in the list of issues that were discussed in IETF 106 w.r.t. to BGP YANG model. This particular thread is to discuss the issue of defining how BGP sessions are going to be secured.
>>> 
>>>  As stated in Singapore, the model is being defined to secure BGP sessions using 
>>>  - TCP AO
>>>  - TCP MD5
>>>  - IPSec
>>> 
>>>  In case there was a question of why MD5, it is because there are existing implementations that are choosing to stay with MD5, regardless of the issues that have been raised about MD5. The model therefore has to support such implementations.
>>> 
>>>  The model will use the ietf-key-chain model’s (RFC 8177) key-chain-ref to refer to an instance of the key chain. By doing that it will make use of the key rollover capability defined in that model, and for static key configuration by setting the end time to infinite in the key chain. The BGP model will leave the case of IPSec as TBD for now, and fill it when/if the IPSec YANG model is defined.
>>> 
>>>  Questions/Concerns?
>>> 
>>>  Mahesh Jethanandani
>>>  mjethanandani@gmail.com
>>> 
>>> 
>>> 
>>>  _______________________________________________
>>>  Idr mailing list
>>>  Idr@ietf.org
>>>  https://www.ietf.org/mailman/listinfo/idr
>>> 
>>> 
>> 
>>   Mahesh Jethanandani
>>   mjethanandani@gmail.com
>> 
>> 
>> 
>> 
>> 
> 
>    Mahesh Jethanandani
>    mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email