Re: [OPSEC] Comments on draft-jdurand-bgp-security
"Jerome Durand (jerduran)" <jerduran@cisco.com> Fri, 17 August 2012 09:07 UTC
Return-Path: <jerduran@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6708321F846E for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 02:07:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.178
X-Spam-Level:
X-Spam-Status: No, score=-8.178 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, SARE_GIF_ATTACH=1.42]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHiXFLBROiVM for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 02:07:09 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id E888321F8463 for <opsec@ietf.org>; Fri, 17 Aug 2012 02:07:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=jerduran@cisco.com; l=17373; q=dns/txt; s=iport; t=1345194429; x=1346404029; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=pfxEDmdRcwxt4gfSJc8Q73nLyewiOt1p+1f1xwPfc/4=; b=L8YTHpuxtOv/BWAoaSHiEQ9Q0WR7YiKevVP91ufR+UwurhosbcRw+EFM AWF8Ea6jCEMm2/Cih9dBbkOwW4jXLlMAdE4XTwPS6ElbjYfEXNzNuesBL kepCNrUMJsJsLEtok2ywD4t5OU+NgjSuIr12lJj3NILhMfEtvCcnUckQ6 E=;
X-Files: logo.gif, green.gif : 837, 87
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Aq0FAJ0ILlCtJV2b/2dsb2JhbABFgkqmYIg9AYhMgQeCIQEBBAEBAQIHBgEbGxsKCxACAQgODwEBARAPBwIFEA8BCxQRAQEEDgQBCQUUh2sLmXegPosfBYNHgjpgA4gZh2EBhVSBFI0YgWaCX4FXCA
X-IronPort-AV: E=Sophos; i="4.77,783,1336348800"; d="gif'147?scan'147,208,217,147"; a="112594676"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-4.cisco.com with ESMTP; 17 Aug 2012 09:07:08 +0000
Received: from xhc-rcd-x08.cisco.com (xhc-rcd-x08.cisco.com [173.37.183.82]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id q7H9784Z031086 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 17 Aug 2012 09:07:08 GMT
Received: from xmb-rcd-x01.cisco.com ([169.254.1.248]) by xhc-rcd-x08.cisco.com ([173.37.183.82]) with mapi id 14.02.0298.004; Fri, 17 Aug 2012 04:07:08 -0500
From: "Jerome Durand (jerduran)" <jerduran@cisco.com>
To: Ronald Bonica <rbonica@juniper.net>
Thread-Topic: [OPSEC] Comments on draft-jdurand-bgp-security
Thread-Index: Ac10qlFrY5+NYzLkQSyU572HanPu5gH10KgA
Date: Fri, 17 Aug 2012 09:07:07 +0000
Message-ID: <6356B324-1065-4305-BBA7-CFDDF7740239@cisco.com>
References: <13205C286662DE4387D9AF3AC30EF456D77178BB80@EMBX01-WF.jnpr.net>
In-Reply-To: <13205C286662DE4387D9AF3AC30EF456D77178BB80@EMBX01-WF.jnpr.net>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.61.94.165]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19120.005
x-tm-as-result: No--57.290000-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/related; boundary="_005_6356B32410654305BBA7CFDDF7740239ciscocom_"; type="multipart/alternative"
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Comments on draft-jdurand-bgp-security
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 09:07:10 -0000
Thank you Ron for this great feedback. Comments in-line: Thanks for writing draft-jdurand-bgp-security. On the whole, it is a very well written document. The following are a few comments: Section 2.5 ============ Somewhere between Section 2 and Section 3, you should mention that the BGP process needs to be protected from stray packets. Protection can be achieved by applying a forwarding plane ACL. The ACL accepts all packets that meet the following criteria: - directed to TCP port 179 on the local device - sourced from a known BGP neighbor It discards all packets directed to TCP port 179 on the local device and sourced from an address not known to be a BGP neighbor. Yes. Will be added in next version. Section 3.1 ============ In Section 3.1, you talk about MD5 Password Protection. This make the reader think that you are talking about RFC 2385. However, the reference is to RFC 5925 (TCP-AO). Please be clear about which you are recommending. In this regard, we have a dilemma. The IETF has obsoleted RFC 2385 and replaced it with RFC 5925. However, to the best of my knowledge, there are no commercially available implementations. Already integrated but not published yet :-) Section 4.1.1.1 =============== Rather than listing every IPv4 special-use address, you might want to simply refer the reader to RFC 5735 and 5736. Section 4.1.1.2 ================ Rather than listing every IPv6 special-use address, you might want to refer the reader to http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml. It might be better to refer the reader to the registry, because it will be kept up to date in the future. Yes we have progress to make for these 2 points. From your comments and the ones from Marc Blanchet we'll propose new text here. Section 4.1.3 ============= It is true that most ISPs will not accept advertisements beyond a certain level of specificity. However, this is an issue to be worked out between the operators, and not an issue for standardization. Indeed. Of course we don't intend to standardize anything or to mandate any operator to do what is said in the document. We just want to describe what are the BCP's so we have somehow to say that it's BCP to think about a limit (quickly recalling reasons for that), that each domain is free to decide its limit (that can change accross peerings for sure) , and that some communities have documented what limit is usually adopted. Thanks again. Jerome -------------------------- Ron Bonica vcard: www.bonica.org/ron/ronbonica.vcf<http://www.bonica.org/ron/ronbonica.vcf> _______________________________________________ OPSEC mailing list OPSEC@ietf.org<mailto:OPSEC@ietf.org> https://www.ietf.org/mailman/listinfo/opsec [cid:64A2AD8F-2887-4ECC-AD2A-E695929D6837@cisco.com] Jérôme Durand Consulting Systems Engineer Routing & Switching jerduran@cisco.com<mailto:jerduran@cisco.com> Mobile :+33 6 35 11 60 50 http://reseauxblog.cisco.fr http://ipv6blog.cisco.fr Cisco France 11, rue Camille Desmoulins 92782 Issy les Moulineaux Cedex 9 France www.cisco.fr<http://www.cisco.fr> [cid:7248AA9E-F798-45B3-9917-F1BBD75CD002@cisco.com] Think before you print. This e-mail may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply e-mail and delete all copies of this message. For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html
- [OPSEC] Comments on draft-jdurand-bgp-security Ronald Bonica
- Re: [OPSEC] Comments on draft-jdurand-bgp-security Jerome Durand (jerduran)