Re: [OPSEC] some thoughts on draft-jdurand-bgp-security-02.txt
"Jerome Durand (jerduran)" <jerduran@cisco.com> Thu, 22 August 2013 09:12 UTC
Return-Path: <jerduran@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACEBD11E81A1 for <opsec@ietfa.amsl.com>; Thu, 22 Aug 2013 02:12:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C6UY652kWs2b for <opsec@ietfa.amsl.com>; Thu, 22 Aug 2013 02:12:08 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id AFD2D11E81AA for <opsec@ietf.org>; Thu, 22 Aug 2013 02:12:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4132; q=dns/txt; s=iport; t=1377162726; x=1378372326; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=/0GthJxjrCUHUf+EEc1+6OggDF8d0qk7PglrFN3aPKQ=; b=g/8Jinu7fdHjJJgIvIvED0cWTtfwHq6HnP2JPDxaSeFX+Gnf8OClhuFg dFHxK7erNmbspxwvbluQddJRBtVhZ6oD5uRvvxWRgPwW9sRH9vtrpwPMR 0tznuokXK1/zW45WhZVVsKxcMEdwlsPB/b1ElJBKzy98U5wLiS0TiWBzU g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AisFAKvVFVKtJXHA/2dsb2JhbABagwU1UcAHgR0WdIIkAQEBAwF5BQsCAQgiJDIlAgQOBQiIAgYMrxqQMwIxB4MbewOZE5Atgx+CKw
X-IronPort-AV: E=Sophos;i="4.89,933,1367971200"; d="scan'208";a="250165710"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-1.cisco.com with ESMTP; 22 Aug 2013 09:12:05 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id r7M9C5bg001575 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 22 Aug 2013 09:12:05 GMT
Received: from xmb-rcd-x01.cisco.com ([169.254.1.31]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.02.0318.004; Thu, 22 Aug 2013 04:12:05 -0500
From: "Jerome Durand (jerduran)" <jerduran@cisco.com>
To: joel jaeggli <joelja@bogus.com>
Thread-Topic: some thoughts on draft-jdurand-bgp-security-02.txt
Thread-Index: AQHOjB+vSEbxfgKlbUC1hU+VnxIhe5mha8aA
Date: Thu, 22 Aug 2013 09:12:04 +0000
Message-ID: <0145702467942740A26A9633AA8B60FA47302C5A@xmb-rcd-x01.cisco.com>
References: <51F602DA.7060502@bogus.com>
In-Reply-To: <51F602DA.7060502@bogus.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.61.218.120]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <E408EA8B194EB348A0A5CDFDC000EDC8@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>, "<draft-jdurand-bgp-security@tools.ietf.org>" <draft-jdurand-bgp-security@tools.ietf.org>
Subject: Re: [OPSEC] some thoughts on draft-jdurand-bgp-security-02.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 09:12:13 -0000
Dear Joel, > since this is on the agenda I'd thought I'd add some comments And indeed thanks for that! First I see that you probably worked on a wrong version of the doc as we are now on draft-ietf-opsec-bgp-security-01 > section-4 worth noting citing/rfc 6192 > > Protecting the Router Control Plane We have section 3 for protection of the router itself where we are referencing RFC6192. I find it clearer to leave reference in section 3. > section 5.1.2.3 > > these sections are too deep. needs better organization, e.g. section 5 > is actually probably two or three sessions. > > e.g. > > 5.1.1. Prefixes that MUST not be routed by definition > > Most of Regional > Internet Registries do also operate an IRR and can control that > registered routes conform to allocations made. > > 3 of 5 Changed to "A majority of Regional Internet Registries […]" > should cite > > http://tools.ietf.org/html/rfc4012 > > rpsl It's cited I believe: "5.1.2.3. Prefix filters creation from Internet Routing Registries (IRR) An Internet Routing Registry (IRR) is a database containing internet routing information, described using Routing Policy Specification Language objects [16]" > would be helpful to cite irrtoolset provide an example in an appendix. That's interesting. I put that on a TODO list. I'll see what we can do. > the tier one example isn't that helpful would be more interesting to > cite the example for a customer vantge point e.g. managing objects so > that your upstreams will accept them. Yes I heard the point in the meetecho recordings. I believe you were the one who made that point? I may not agree with the fact the example is a tier one example. We have many small ISPs peering everywhere on the Internet. Some do not even connect any customer (just servers) and they want there content to be accessible over the Internet. These guys may be interested in making sure they accept appropriate routes coming from each of the peers. I wrote that section with these guys into consideration. I was also thinking of other transit networks (not tier 1) connecting directly customers that I used to operate. These guys are far from being tier 1 (2 steps away) but still they peer, sometimes with the aforementionned CDNs. Still I understand that this section is maybe not clear on applicability (ie who should do what?) and indeed we have not talked much about objects and what people SHOULD do. Point taken, I'll see what we can do. > ---- > > rpki section needs to be fleshed out e.g. what you do with it, how it's > used what it can't be used for needs examples. > > The rest of this > section assumes the reader understands all technologies associated > with SIDR. > > Whut??????? This was removed. I received several interesting comments on this section and there is an existing operational doc so we will change few things yes. > > 5.1.4 > > mixes customer prefixes filtering policy with local prefixes… Good point. I'll try to improve this. > issues around loop-detection (e.g. disconnected islands) vs more > specific(s) e.g. hijacking. > > outbound filtering (prefix advertisement) Not sure what you mean with this point? Still referering to 5.1.4? > 5.3 and later > > prefer to think of these things as import/export policy rather than > describing everything as filter. OK. Will see how to deal easily with this. > 8. > > o Do not accept overly long AS path prepending from the customer. > > going to have to scope that. New text is "try to discourage excessive prepending in such paths". I'm afraid it's difficult to scope that is an IETF document (or we should think of some standard). Thanks, Jerome -- Jerome Durand Consulting Systems Engineer - Routing & Switching jerduran@cisco.com - +33 6 35 11 60 50 http://reseauxblog.cisco.fr - http://ipv6blog.cisco.fr CISCO France 11, rue Camille Desmoulins 92782 Issy les Moulineaux CEDEX 9 FRANCE
- [OPSEC] some thoughts on draft-jdurand-bgp-securi… joel jaeggli
- Re: [OPSEC] some thoughts on draft-jdurand-bgp-se… Jerome Durand (jerduran)