[RTG-DIR]Re: RtgDir Early review of draft-ietf-bess-bgp-sdwan-usage-28

Linda Dunbar <linda.dunbar@futurewei.com> Wed, 10 December 2025 20:37 UTC

From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Alvaro Retana <aretana.ietf@gmail.com>
Date: Wed, 10 Dec 2025 20:37:22 +0000
Message-ID: <CO6PR13MB5355E9D9C2155BC405AB02BD85A0A@CO6PR13MB5355.namprd13.prod.outlook.com>
References: <CAMMESsyz7RiejYxJjgts=8yhmozJ1t9G4YzGzw7Fu2+rGZgHww@mail.gmail.com> <CO6PR13MB5355B50E0F5600274BCA221885A7A@CO6PR13MB5355.namprd13.prod.outlook.com> <CAMMESsw+9hUDeSKdDA04q5zxjYGjY1fqG7aiJtzB9JMDMYzBOw@mail.gmail.com> <CO6PR13MB5355400EF4824D68ACE5C74C85A0A@CO6PR13MB5355.namprd13.prod.outlook.com> <CAMMESszvcXPvz1XK5F15z=fLkt_QBEVpMsQwdB5-BDX_mgpGxw@mail.gmail.com>
In-Reply-To: <CAMMESszvcXPvz1XK5F15z=fLkt_QBEVpMsQwdB5-BDX_mgpGxw@mail.gmail.com>
CC: "rtg-dir@ietf.org" <rtg-dir@ietf.org>, "draft-ietf-bess-bgp-sdwan-usage.all@ietf.org" <draft-ietf-bess-bgp-sdwan-usage.all@ietf.org>, "bess@ietf.org" <bess@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/iXxaXcGDyZ0ruuneBgdcbR7PRSo>

Alvaro,

Thanks for the call explaining the main issue.

We can update the definition of “Controller” in Section 2 to the following:

“Controller: Used interchangeably with SD-WAN controller to denote the logical system that manages the SD-WAN overlay network. In the context of BGP-controlled SD-WAN, one function of the SD-WAN controller is to provide BGP-based route propagation, i.e., the Route Reflector (RR) function. This RR function may be collocated with or embedded within the SD-WAN controller but represents only one component of the overall SD-WAN controller.”

See the resolution below after [Linda3].

Thank you
Linda
From: Alvaro Retana <aretana.ietf@gmail.com>
Sent: Wednesday, December 10, 2025 2:26 AM
To: Linda Dunbar <linda.dunbar@futurewei.com>
Cc: rtg-dir@ietf.org; draft-ietf-bess-bgp-sdwan-usage.all@ietf.org; bess@ietf.org; bess-chairs@ietf.org
Subject: RE: RtgDir Early review of draft-ietf-bess-bgp-sdwan-usage-28

On December 9, 2025 at 10:40:05 PM, Linda Dunbar wrote:

...
> > > “SD-WAN further depends on standard BGP security mechanisms, including
> > > the use of secure transport (e.g., TLS or IPsec) for BGP sessions and
> > > strict RR policy enforcement. Deployments that bypass protected channels
> > > risk exposing SD-WAN edge properties or allowing unauthorized nodes to
> > > inject or receive routes. Likewise, incorrect RR policies can result in
> > > unintended distribution of client routes or tunnel attributes. These
> > > risks arise from deployment choices rather than the mechanisms described
> > > in this document, and operators must ensure that secure transport and
> > > proper RR configuration are consistently applied.”
> >
> > I see you have more suggestions later on in §8. In general, including this
> > text and what you propose in later, you should point at the existing
> > security considerations of the protocols you're using. Many of the risks
> > that exist are, as you mention, not specific to this document, but ones
> > that exist in BGP already -- again, support that claim by referencing the
> > existing security considerations in published RFCs.
> >
> > One big nit about the text above: "SD-WAN further depends on standard BGP
> > security mechanisms, including the use of secure transport (e.g., TLS or
> > IPsec) for BGP sessions..." The only standard session-level mechanism is
> > TCP-AO, which is not used in this case, so that statement opens the door
> > to questions about the existing mechanisms...
>
> [Linda2] How about changing the paragraph to the following?
>
> “SD-WAN operation relies on the existing security mechanisms defined for BGP
> and IPsec. In particular, protection of BGP sessions may use the TCP
> Authentication Option (TCP-AO) as specified in RFC 5925, and the security
> considerations of BGP, TCP-AO, and IPsec apply directly. Many of the risks
> described here—including route injection, session disruption, or unintended
> route distribution—are therefore inherent to those protocols rather than
> specific to this SD-WAN usage. Operators must follow the existing security
> guidance in the referenced RFCs and ensure correct RR policy configuration
> and session protection”

Don't talk about TCP-AO; you don't mention it anywhere else in the document. While it is ok to use it when using TLS/IPsec, you don't need to add more just because it exists, and the combined use is also not specific to this document.
[Linda3] The primary operational difference between SD-WAN deployments and traditional BGP-based VPNs is that SD-WAN edge nodes often include Internet-facing WAN ports, which introduce additional security, filtering, and policy requirements not present in classic MPLS-based VPN deployments.

For the second paragraph of Section 8, how about changing it to the following (removing TCP-AO, etc.):

“SD-WAN operation relies on the existing security mechanisms and security considerations defined for BGP and IPsec, which therefore apply directly to the control and tunnel planes described in this document. The primary operational difference between SD-WAN deployments and traditional BGP-based VPNs is that SD-WAN edge nodes often include Internet-facing WAN ports, which introduce additional security, filtering, and policy-enforcement requirements not present in classic MPLS-based VPN environments. These untrusted interfaces increase exposure to spoofed traffic, denial-of-service attacks, and unintended route learning if misconfigured. As a result, operators must apply strict validation of control-plane information received from Internet-facing ports, ensure correct RR policy configuration, and provide appropriate protection for both control-plane and data-plane exchanges, consistent with the security guidance in the referenced RFCs.”

Beyond mentioning the "referenced RFCs", be explicit in this section about which ones they are. Note, for example, that RFC 4271 is not referenced, but the text does mention "the security considerations of BGP". The vulnerabilities are documented in RFC 4272...