Re: Secdir early review of draft-ietf-rtgwg-atn-bgp-12
Russ Housley <housley@vigilsec.com> Wed, 19 January 2022 16:59 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E17E3A0899; Wed, 19 Jan 2022 08:59:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wbvKbzrquJRv; Wed, 19 Jan 2022 08:59:24 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F03E33A13B9; Wed, 19 Jan 2022 08:59:20 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id E73B1161F53; Wed, 19 Jan 2022 11:59:19 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id D06E716206E; Wed, 19 Jan 2022 11:59:19 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Subject: Re: Secdir early review of draft-ietf-rtgwg-atn-bgp-12
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <c10062dd0ac24e1f8a8e00175c54eee6@boeing.com>
Date: Wed, 19 Jan 2022 11:59:19 -0500
Cc: IETF SecDir <secdir@ietf.org>, "draft-ietf-rtgwg-atn-bgp.all@ietf.org" <draft-ietf-rtgwg-atn-bgp.all@ietf.org>, "rtgwg@ietf.org" <rtgwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <16A34AB4-B996-448E-A6A3-EA8666254DA1@vigilsec.com>
References: <c10062dd0ac24e1f8a8e00175c54eee6@boeing.com>
To: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/1JY9o76m2aQee95tl0i-WSkcHKU>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jan 2022 16:59:29 -0000
Fred: If a tunnel that provides confidentiality and integrity is used for all control plane traffic, that addresses several of the comments. This does raise a question about the approach that will be used to provide keys for the tunnel. Will ICAO or some delegated authority provide a PKI for this purpose? Russ > On Jan 19, 2022, at 11:53 AM, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote: > > Russ, thank you for this Secdir review, and see below for responses: > >> -----Original Message----- >> From: rtgwg [mailto:rtgwg-bounces@ietf.org] On Behalf Of Russ Housley via Datatracker >> Sent: Tuesday, January 18, 2022 2:22 PM >> To: secdir@ietf.org >> Cc: draft-ietf-rtgwg-atn-bgp.all@ietf.org; rtgwg@ietf.org >> Subject: Secdir early review of draft-ietf-rtgwg-atn-bgp-12 >> >> Reviewer: Russ Housley >> Review result: Has Issues >> >> I reviewed this document as part of the Security Directorate's ongoing >> effort to review all IETF documents being processed by the IESG. These >> comments were written primarily for the benefit of the Security Area >> Directors. Document authors, document editors, and WG chairs should >> treat these comments just like any other IETF Last Call comments. > > I will respond to your points below as IETF Last Call comments. > >> Document: draft-ietf-rtgwg-atn-bgp-12 >> Reviewer: Russ Housley >> Review Date: 2022-01-18 >> Early Review Due: 2022-02-11 >> IETF LC End Date: Unknown >> IESG Telechat date: Unknown >> >> >> Summary: Has Issues >> >> >> Major Concerns: >> >> Section 3 says: >> >> The only requirement is that ASNs >> must not be duplicated within the ATN/IPS routing system itself. >> >> What party will administer these ASNs? I understand why it does not >> need to be IANA, but there does need to be a single authority, even >> if a hierarchy is used to delegate assignments. ASN collisions are >> extremely harmful. > > It is assumed that a centralized administrative authority for the ATN/IPS > routing system overlay will be responsible for assigning the ASNs. As you > note, this has nothing to do with IANA since the ATN/IPS routing system > does not interact with the Internet routing system, but most likely an > entity such as the International Civil Aviation Organization (ICAO) will > be responsible for overall administrative control. I gather from the point > you are raising that you would appreciate some additional text to this > effect, and I can certainly provide something more concrete. > >> Section 10 says: >> >> BGP protocol message exchanges and control message exchanges used for >> route optimization must be secured to ensure the integrity of the >> system-wide routing information base. >> >> I assume that "secured" means integrity protected. BGP runs over TCP. >> TCP-AO was defined primarily to provide integrity protection for BGP. >> Is the intent to use TCP-AO or something else. Please specify. > > Security is based on network layer security between BGP peers, where all > secured traffic between the peers is confidential, integrity-protected and > authenticated by a security tunnel. Since the tunnel extends the entire > length of the path between the BGP peers, I believe higher-layer security > protection such as the TCP-AO you mention should be seen as optional. > Again, if this satisfies the concern I could add some words to that effect. > >> Minor Concerns: >> >> Section 1 talks about IPsec and Wireguard as "secured encapsulations". >> Please say what you mean by security here. Are you expecting >> confidentiality, integrity, or both? Since this is an example, >> please drop "Wireguard" or provide a reference for it. > > I am expecting these network-layer securing functions to provide all of > confidentiality, integrity and authorization. I can add words to make this > more clear. About Wireguard, I would prefer to keep it and provide a > reference, but if you recommend dropping I would be willing to do that. > >> Section 1 goes on to say: >> >> In particular, tunneling must be used when >> neighboring ASBRs are separated by multiple INET hops. >> >> This seems to mean that tunnels are not used in some if there is a >> single INET hop. Can you add a sentence about that? > > Yes, actually this text is misleading to begin with because tunneling > will be used even if the ASBRs are connected by a common link. I > will look for better words to use here. > >> Section 5 says: "...tunnels packets directly between Proxys ...". >> Are these IPsec tunnels? I am trying to fully understand when the >> tunnels require IPsec (or some other security protocol) and when they >> do not. > > This is a good point. We want to establish an environment where security > tunneling is used to protect only control messages and BGP protocol > messages while unsecured tunneling is used to convey data plane packets > when higher-layer security is used end-to-end. Again, more words may > help clarify. > >> Section 10 lists IPsec, TLS, WireGuard, etc. This is the first >> reference to TLS. When do you see TLS being used? > > TLS and possibly also DTLS may be used to protect the data plane in > end-to-end security, but they do not really apply for protecting the > control plane which is what this document is about. I could resolve > this by either cutting TLS and remaining silent about data plane > security, or including one or two sentences such as the above to > explain the data plane considerations - do you have a preference? > > Thanks - Fred > > >> _______________________________________________ >> rtgwg mailing list >> rtgwg@ietf.org >> https://www.ietf.org/mailman/listinfo/rtgwg >
- Secdir early review of draft-ietf-rtgwg-atn-bgp-12 Russ Housley via Datatracker
- RE: Secdir early review of draft-ietf-rtgwg-atn-b… Templin (US), Fred L
- Re: Secdir early review of draft-ietf-rtgwg-atn-b… Russ Housley
- Re: Secdir early review of draft-ietf-rtgwg-atn-b… Templin (US), Fred L
- Re: Secdir early review of draft-ietf-rtgwg-atn-b… Russ Housley
- Re: Secdir early review of draft-ietf-rtgwg-atn-b… Templin (US), Fred L
- Re: Secdir early review of draft-ietf-rtgwg-atn-b… Russ Housley
- Re: [secdir] Secdir early review of draft-ietf-rt… Benjamin Kaduk
- RE: [EXTERNAL] Re: [secdir] Secdir early review o… Templin (US), Fred L