Re: [RPSEC] BGP Security Requirements v08

"Michael H. Behringer" <mbehring@cisco.com> Mon, 16 July 2007 16:34 UTC

To: Russ White <riw@cisco.com>, Sandy Murphy <sandy@tislabs.com>
Cc: rcallon@juniper.net, rpsec@ietf.org, dward@cisco.com, psavola@funet.fi

[Just back from vacation today, so I missed the earlier discussion.]

Just as a reminder where I was coming from with my draft http://www.ietf.org/internet-drafts/draft-behringer-bgp-session-sec-req-01.txt: This was directly taken from a to-do-list from Russ, specifying that the WG needs to work on the point-to-point security requirements of BGP speakers:

At 15:37 06/01/2007, Russ White wrote:
[...]
>o P-2-P security requirements for BGP: This was to provide some cover
>and thinking on the various TCP auth mechanisms to replace MD5 that are
>currently being considered. We need, I believe, a volunteer to
>author/edit this, and get it moving.
[...]

I request (again) that my draft be accepted as a WG item, after all it's taken from the WG's to-do list ;-) 
 
The problem space of draft-behringer-bgp-session-sec-req-01 is significantly smaller than that of draft-ietf-rpsec-bgpsecrec-08; I can see this work remaining independent, but I can also see it merged with draft-ietf-rpsec-bgpsecrec-08. My current preference is to keep it standalone, since its problem space is nicely small and well-defined. But I have no strong views either way. I guess we should discuss this in Chicago.

BTW, I have received a number of emails with feedback which I have not yet incorporated into the draft, due to time constraints. Apologies for that. Will happen after the IETF. 

See you all next week, 
Michael


At 23:57 13/07/2007, Russ White wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>>> I think so.... I wonder how this overlaps with the p-2-p bgp draft also
>>> being considered?
>> 
>> I don't quite know what you mean by a p-2-p bgp draft.  The behringer
>> draft concerns the security requirements of protecting the bgp peer to
>> bgp peer connection (e.g., TCP MD5).  Perhaps that is what you are
>> talking about?
>> 
>> http://www.ietf.org/internet-drafts/draft-behringer-bgp-session-sec-req-01.txt
>> 
>> Abstract
>> 
>>    The document "BGP security requirements"
>>    (draft-ietf-rpsec-bgpsecrec-07) specifies general security
>>    requirements for BGP.  However, specific security requirements for
>>    single BGP sessions, i.e., the connection between two BGP peers, are
>>    only touched on briefly in the section "transport layer protection".
>>    This document expands on this particular aspect of BGP security,
>>    defining the security requirements between two BGP peers.
>
>Yes... We should pick this work up as a WG item, I think, because it
>really relates directly to the charter. But, I'll leave it to Tony to
>bring it up at the Chicago meeting (it overlaps with Networkers this
>time, and I really can't skip Networkers, *sigh*.
>
>We should try and see what folks think on list before then, if possible,
>though, I think (?).
>
>:-)
>
>Russ
>
>- --
>riw@cisco.com CCIE <>< Grace Alone
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.6 (MingW32)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQFGl/UxER27sUhU9OQRAhb4AKDJRU5Emu0HvOTK4IZ1qxQoAk62DgCeKP1P
>vlNLckQ+M00dNx/MrSsDboo=
>=/PTq
>-----END PGP SIGNATURE-----
>
>
>_______________________________________________
>RPSEC mailing list
>RPSEC@ietf.org
>https://www1.ietf.org/mailman/listinfo/rpsec

