Re: [RPSEC] Feedback on draft-behringer-bgp-session-req-01
Joe Touch <touch@ISI.EDU> Fri, 22 June 2007 14:21 UTC
Return-path: <rpsec-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1I1k1E-0001rN-CG; Fri, 22 Jun 2007 10:21:48 -0400
Received: from rpsec by megatron.ietf.org with local (Exim 4.43)
id 1I1k1D-0001rI-Dq
for rpsec-confirm+ok@megatron.ietf.org; Fri, 22 Jun 2007 10:21:47 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1I1k1D-0001r9-4E
for rpsec@ietf.org; Fri, 22 Jun 2007 10:21:47 -0400
Received: from vapor.isi.edu ([128.9.64.64])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1I1k1A-0003YV-Kx
for rpsec@ietf.org; Fri, 22 Jun 2007 10:21:47 -0400
Received: from [192.168.1.42] (pool-71-105-86-112.lsanca.dsl-w.verizon.net
[71.105.86.112])
by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id l5MELIoQ006737;
Fri, 22 Jun 2007 07:21:18 -0700 (PDT)
Message-ID: <467BDADD.3000406@isi.edu>
Date: Fri, 22 Jun 2007 07:21:17 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: "Barry Greene (bgreene)" <bgreene@cisco.com>
Subject: Re: [RPSEC] Feedback on draft-behringer-bgp-session-req-01
References: <467AE0B5.2080104@isi.edu>
<C35ADD020AEBD04383C1F7F644227FDF03E688C4@xmb-sjc-227.amer.cisco.com>
In-Reply-To: <C35ADD020AEBD04383C1F7F644227FDF03E688C4@xmb-sjc-227.amer.cisco.com>
X-Enigmail-Version: 0.95.1
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cf3becbbd6d1a45acbe2ffd4ab88bdc2
Cc: rpsec@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>,
<mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>,
<mailto:rpsec-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0957386417=="
Errors-To: rpsec-bounces@ietf.org
Hi, Barry, Barry Greene (bgreene) wrote: > I guess we have differing views on the definition of "security." If I > can classify based on a policy which provides me more resistance from > attacks, then that is a "security tool." Hence, GTSM is a security tool. GTSM could be classified as a security tool, but it is not IP layer security. It is a mechanism an endpoint can use to increase its resistance to attack, as you note, but it doesn't particularly protect any single protocol layer or header. Joe >> -----Original Message----- >> From: Joe Touch [mailto:touch@ISI.EDU] >> Sent: Thursday, June 21, 2007 1:34 PM >> To: rpsec@ietf.org >> Subject: [RPSEC] Feedback on draft-behringer-bgp-session-req-01 >> >> Hi, all, >> >> The following feedback was requested on the TCPM's >> TCP-AUTH-DT (TCP-Auth design team) mailing list. TCP-Auth is >> TCMP's work towards an update to TCP-MD5, based on two >> current proposals (noted below). >> >> Joe >> >> --------------------------------------------- >> >> This document appears to overlap ongoing work in TCPM to >> characterize concerns with using TCP-MD5 to secure BGP, and >> use of alternatives. >> E.g., draft-ietf-tcpm-antispoof. The TCP-Auth team is >> currently workiing to revise draft-bellovin-tcpsec, and an >> update to that should be out shortly. >> >> Some additional comments: >> >> Sec 1 - the OSI stack is not the reference model for the Internet. >> GTSM is not IP layer security; it is a heuristic that checks >> TTLs in IP packets, and assumes that there is other security >> protecting tunnels to a host. It would be more appropriate to >> cite IPsec as IP security, and GTSM as "other protection mechanisms". >> >> Other work in this area: >> - draft-ietf-tcpm-antispoof (as noted above) >> - draft-ietf-tcpm-tcpsecure >> - draft-bellovin-tcpsec >> as well as specific proposals to update TCP-MD5: >> - draft-touch-tcpm-tcp-simple-auth >> - draft-bonica-tcp-auth >> >> Further, to a large extent, the preference of router managers >> to avoid IPsec was the motivation behind BTNS: >> - http://www.ietf.org/html.charters/btns-charter.html >> See also the problem and applicability statement: >> - draft-ietf-btns-prob-and-applic >> >> draft-bellovin-tcpsec should be cited in "Dependence on the >> MD5 algorithm...", as well as RFC4808 >> >> 3.2 - IPsec = RFC4301 >> in addition to Bonica's proposed alternative, please include >> mine ;-) : >> draft-touch-tcpm-tcp-simple-auth >> >> 3.3 - "This requirement is currently..." - also by IPsec. >> >> -- >> ---------------------------------------- >> Joe Touch >> Sr. Network Engineer, USAF TSAT Space Segment
_______________________________________________ RPSEC mailing list RPSEC@ietf.org https://www1.ietf.org/mailman/listinfo/rpsec
- [RPSEC] Feedback on draft-behringer-bgp-session-r… Joe Touch
- RE: [RPSEC] Feedback on draft-behringer-bgp-sessi… Barry Greene (bgreene)
- Re: [RPSEC] Feedback on draft-behringer-bgp-sessi… Joe Touch
- Re: [RPSEC] Feedback on draft-behringer-bgp-sessi… Stephen Kent
- Re: [RPSEC] Feedback on draft-behringer-bgp-sessi… Ron Bonica