[OPSEC] Comments on draft-jdurand-bgp-security-02
David Freedman <david.freedman@uk.clara.net> Thu, 27 September 2012 12:29 UTC
Return-Path: <david.freedman@uk.clara.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1EF121F85C7 for <opsec@ietfa.amsl.com>; Thu, 27 Sep 2012 05:29:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.048
X-Spam-Level:
X-Spam-Status: No, score=-1.048 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6VwTXoHfpBN for <opsec@ietfa.amsl.com>; Thu, 27 Sep 2012 05:29:25 -0700 (PDT)
Received: from staff01.mail.eu.clara.net (staff01.mail.eu.clara.net [IPv6:2001:a88:0:fff7::54]) by ietfa.amsl.com (Postfix) with ESMTP id 53B6C21F85C3 for <opsec@ietf.org>; Thu, 27 Sep 2012 05:29:25 -0700 (PDT)
Received: from [195.157.10.59] (port=30923 helo=SRVGREXCAS02.claranet.local) by staff01.mail.eu.clara.net (staff01.mail.eu.clara.net [80.168.65.54]:25) with esmtps (TLS-1.0:RSA_AES_128_CBC_SHA1:16) id 1THDDW-0005lp-5x for opsec@ietf.org (return-path <david.freedman@uk.clara.net>); Thu, 27 Sep 2012 12:29:22 +0000
Received: from SRVGREXMB02.claranet.local ([10.75.5.12]) by SRVGREXCAS02.claranet.local ([fe80::cd6a:3120:3174:a299%10]) with mapi id 14.02.0318.001; Thu, 27 Sep 2012 13:29:22 +0100
From: David Freedman <david.freedman@uk.clara.net>
To: "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: Comments on draft-jdurand-bgp-security-02
Thread-Index: AQHNnKu3WrxGACmI90KZhJSLw3Z/1w==
Date: Thu, 27 Sep 2012 12:29:21 +0000
Message-ID: <E2B120470A420C49A1CB4F6D01C013F875A88100@srvgrexmb02.claranet.local>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.3.120616
x-originating-ip: [172.18.6.3]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <73D6EBE9116C064F917F809C2F867D22@claranet.local>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-BorderScout-Spam: 0.00
X-BorderScout-Virus: clean
Subject: [OPSEC] Comments on draft-jdurand-bgp-security-02
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 12:29:25 -0000
Sec 9. Next-Hop Filtering >In direct peerings between ISPs, this is undesirable, >peers could trick the other one to send packets into >a black hole Trick? I think I would want to do this in particular circumstances, when there is a DoS ongoing. (yes, I'm aware there are community approaches, these aren't widely adopted, this technique works for many networks now and is quite invaluable to preserve). What I wouldn't want however is for a peer to set a next-hop as something internal to my network (I.e an internal endpoint) which could enable them to manipulate internal traffic (say, to steal a service by causing me to route it internally). >Therefore, the authors recommend to, by default, apply an inbound >route policy to IXP peerings which sets the next-hop for accepted >prefixes to the BGP peer that sent the prefix (which is what "next- >hop-self" would enforce on the sending side, but you can not rely on >the other party to always send correct information). I'm not aware of any implementations which can achieve this in a scalable way, are the authors? at present I would have to statically configure a next hop for each peer, not fun. Also, are you aware that some networks inject the IXP LAN into their IGP for the purposes of TE? (I.e leaving the IXP LAN next hop present in their iBGP and then doing MPLS TE on this LAN as opposed to next-hop-self on the border where all peering networks are collapsed into a single loopback) Dave.
- [OPSEC] Comments on draft-jdurand-bgp-security-02 David Freedman
- Re: [OPSEC] Comments on draft-jdurand-bgp-securit… Gert Doering
- Re: [OPSEC] Comments on draft-jdurand-bgp-securit… Ivan Pepelnjak
- Re: [OPSEC] Comments on draft-jdurand-bgp-securit… Jerome Durand (jerduran)
- [OPSEC] Comments on draft-jdurand-bgp-security-02 Tim Kleefass
- Re: [OPSEC] Comments on draft-jdurand-bgp-securit… Tim Kleefass