Re: Secdir early review of draft-ietf-rtgwg-atn-bgp-12
Russ Housley <housley@vigilsec.com> Wed, 19 January 2022 17:27 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CF4F3A0AF4; Wed, 19 Jan 2022 09:27:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VK5L7JJwXznk; Wed, 19 Jan 2022 09:27:31 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56A773A14F0; Wed, 19 Jan 2022 09:27:31 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 86E0258C27; Wed, 19 Jan 2022 12:27:30 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 6CC5A167179; Wed, 19 Jan 2022 12:27:30 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Subject: Re: Secdir early review of draft-ietf-rtgwg-atn-bgp-12
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <12d06a2206404537811b17a66f8412d8@boeing.com>
Date: Wed, 19 Jan 2022 12:27:30 -0500
Cc: "Saccone (US), Gregory T" <Gregory.T.Saccone@boeing.com>, IETF SecDir <secdir@ietf.org>, "draft-ietf-rtgwg-atn-bgp.all@ietf.org" <draft-ietf-rtgwg-atn-bgp.all@ietf.org>, "rtgwg@ietf.org" <rtgwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5652F8C2-B43F-404A-97BB-89FC98A96588@vigilsec.com>
References: <12d06a2206404537811b17a66f8412d8@boeing.com>
To: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/coFg86KI6u4OZZPCI8NVKRyX228>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jan 2022 17:27:36 -0000
Yes, that would be good. It is important to the security of the tunnels. Russ > On Jan 19, 2022, at 12:26 PM, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote: > > Thanks Greg - Russ, maybe you would like some words to this effect in the draft? > > Fred > >> -----Original Message----- >> From: Saccone (US), Gregory T >> Sent: Wednesday, January 19, 2022 9:21 AM >> To: Russ Housley <housley@vigilsec.com>; Templin (US), Fred L <Fred.L.Templin@boeing.com> >> Cc: IETF SecDir <secdir@ietf.org>; draft-ietf-rtgwg-atn-bgp.all@ietf.org; rtgwg@ietf.org >> Subject: Re: Secdir early review of draft-ietf-rtgwg-atn-bgp-12 >> >> Hi Russ- >> Fred is correct, ICAO has a Trusted Framework Study Group that is defining the PKI approach for ATN/IPS, and this is being done in >> conjunction with the various ATN/IPS industry groups as well. >> Thanks >> Greg >> >> -----Original Message----- >> From: Russ Housley <housley@vigilsec.com> >> Sent: Wednesday, January 19, 2022 9:18 AM >> To: Templin (US), Fred L <Fred.L.Templin@boeing.com> >> Cc: IETF SecDir <secdir@ietf.org>; draft-ietf-rtgwg-atn-bgp.all@ietf.org; rtgwg@ietf.org >> Subject: [EXTERNAL] Re: Secdir early review of draft-ietf-rtgwg-atn-bgp-12 >> >> EXT email: be mindful of links/attachments. >> >> >> >> Fred: >> >> That is one approach, but it seems like there needs to be a globally trusted trust anchor or set of trust anchors that understand the >> architecture to make sure that the certificates are providing the needed authentication and key management. >> >> Russ >> >>> On Jan 19, 2022, at 12:12 PM, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote: >>> >>> Russ, ICAO will be the top-level administrative authority for a >>> hierarchy of Air Navigation Service Providers such as ARINC, SITA, Inmarsat and others. >>> Different ANSPs will need to establish security peerings between >>> neighboring ASBRs even though they are from different organizations. >>> So, I assume this would mean that ICAO would need to be the ultimate >>> authority for the common PKI? >>> >>> Thanks - Fred >>> >>>> -----Original Message----- >>>> From: Russ Housley [mailto:housley@vigilsec.com] >>>> Sent: Wednesday, January 19, 2022 8:59 AM >>>> To: Templin (US), Fred L <Fred.L.Templin@boeing.com> >>>> Cc: IETF SecDir <secdir@ietf.org>; >>>> draft-ietf-rtgwg-atn-bgp.all@ietf.org; rtgwg@ietf.org >>>> Subject: Re: Secdir early review of draft-ietf-rtgwg-atn-bgp-12 >>>> >>>> Fred: >>>> >>>> If a tunnel that provides confidentiality and integrity is used for >>>> all control plane traffic, that addresses several of the comments. >>>> This does raise a question about the approach that will be used to provide keys for the tunnel. Will ICAO or some delegated authority >> provide a PKI for this purpose? >>>> >>>> Russ >>>> >>>> >>>>> On Jan 19, 2022, at 11:53 AM, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote: >>>>> >>>>> Russ, thank you for this Secdir review, and see below for responses: >>>>> >>>>>> -----Original Message----- >>>>>> From: rtgwg [mailto:rtgwg-bounces@ietf.org] On Behalf Of Russ >>>>>> Housley via Datatracker >>>>>> Sent: Tuesday, January 18, 2022 2:22 PM >>>>>> To: secdir@ietf.org >>>>>> Cc: draft-ietf-rtgwg-atn-bgp.all@ietf.org; rtgwg@ietf.org >>>>>> Subject: Secdir early review of draft-ietf-rtgwg-atn-bgp-12 >>>>>> >>>>>> Reviewer: Russ Housley >>>>>> Review result: Has Issues >>>>>> >>>>>> I reviewed this document as part of the Security Directorate's >>>>>> ongoing effort to review all IETF documents being processed by the >>>>>> IESG. These comments were written primarily for the benefit of the >>>>>> Security Area Directors. Document authors, document editors, and >>>>>> WG chairs should treat these comments just like any other IETF Last Call comments. >>>>> >>>>> I will respond to your points below as IETF Last Call comments. >>>>> >>>>>> Document: draft-ietf-rtgwg-atn-bgp-12 >>>>>> Reviewer: Russ Housley >>>>>> Review Date: 2022-01-18 >>>>>> Early Review Due: 2022-02-11 >>>>>> IETF LC End Date: Unknown >>>>>> IESG Telechat date: Unknown >>>>>> >>>>>> >>>>>> Summary: Has Issues >>>>>> >>>>>> >>>>>> Major Concerns: >>>>>> >>>>>> Section 3 says: >>>>>> >>>>>> The only requirement is that ASNs >>>>>> must not be duplicated within the ATN/IPS routing system itself. >>>>>> >>>>>> What party will administer these ASNs? I understand why it does >>>>>> not need to be IANA, but there does need to be a single authority, >>>>>> even if a hierarchy is used to delegate assignments. ASN >>>>>> collisions are extremely harmful. >>>>> >>>>> It is assumed that a centralized administrative authority for the >>>>> ATN/IPS routing system overlay will be responsible for assigning the >>>>> ASNs. As you note, this has nothing to do with IANA since the >>>>> ATN/IPS routing system does not interact with the Internet routing >>>>> system, but most likely an entity such as the International Civil >>>>> Aviation Organization (ICAO) will be responsible for overall >>>>> administrative control. I gather from the point you are raising that >>>>> you would appreciate some additional text to this effect, and I can certainly provide something more concrete. >>>>> >>>>>> Section 10 says: >>>>>> >>>>>> BGP protocol message exchanges and control message exchanges used >>>>>> for route optimization must be secured to ensure the integrity of >>>>>> the system-wide routing information base. >>>>>> >>>>>> I assume that "secured" means integrity protected. BGP runs over TCP. >>>>>> TCP-AO was defined primarily to provide integrity protection for BGP. >>>>>> Is the intent to use TCP-AO or something else. Please specify. >>>>> >>>>> Security is based on network layer security between BGP peers, where >>>>> all secured traffic between the peers is confidential, >>>>> integrity-protected and authenticated by a security tunnel. Since >>>>> the tunnel extends the entire length of the path between the BGP >>>>> peers, I believe higher-layer security protection such as the TCP-AO you mention should be seen as optional. >>>>> Again, if this satisfies the concern I could add some words to that effect. >>>>> >>>>>> Minor Concerns: >>>>>> >>>>>> Section 1 talks about IPsec and Wireguard as "secured encapsulations". >>>>>> Please say what you mean by security here. Are you expecting >>>>>> confidentiality, integrity, or both? Since this is an example, >>>>>> please drop "Wireguard" or provide a reference for it. >>>>> >>>>> I am expecting these network-layer securing functions to provide all >>>>> of confidentiality, integrity and authorization. I can add words to >>>>> make this more clear. About Wireguard, I would prefer to keep it and >>>>> provide a reference, but if you recommend dropping I would be willing to do that. >>>>> >>>>>> Section 1 goes on to say: >>>>>> >>>>>> In particular, tunneling must be used when neighboring ASBRs are >>>>>> separated by multiple INET hops. >>>>>> >>>>>> This seems to mean that tunnels are not used in some if there is a >>>>>> single INET hop. Can you add a sentence about that? >>>>> >>>>> Yes, actually this text is misleading to begin with because >>>>> tunneling will be used even if the ASBRs are connected by a common >>>>> link. I will look for better words to use here. >>>>> >>>>>> Section 5 says: "...tunnels packets directly between Proxys ...". >>>>>> Are these IPsec tunnels? I am trying to fully understand when the >>>>>> tunnels require IPsec (or some other security protocol) and when >>>>>> they do not. >>>>> >>>>> This is a good point. We want to establish an environment where >>>>> security tunneling is used to protect only control messages and BGP >>>>> protocol messages while unsecured tunneling is used to convey data >>>>> plane packets when higher-layer security is used end-to-end. Again, >>>>> more words may help clarify. >>>>> >>>>>> Section 10 lists IPsec, TLS, WireGuard, etc. This is the first >>>>>> reference to TLS. When do you see TLS being used? >>>>> >>>>> TLS and possibly also DTLS may be used to protect the data plane in >>>>> end-to-end security, but they do not really apply for protecting the >>>>> control plane which is what this document is about. I could resolve >>>>> this by either cutting TLS and remaining silent about data plane >>>>> security, or including one or two sentences such as the above to >>>>> explain the data plane considerations - do you have a preference? >>>>> >>>>> Thanks - Fred >>>>> >>>>> >>>>>> _______________________________________________ >>>>>> rtgwg mailing list >>>>>> rtgwg@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/rtgwg >>>>> >>> >
- Secdir early review of draft-ietf-rtgwg-atn-bgp-12 Russ Housley via Datatracker
- RE: Secdir early review of draft-ietf-rtgwg-atn-b… Templin (US), Fred L
- Re: Secdir early review of draft-ietf-rtgwg-atn-b… Russ Housley
- Re: Secdir early review of draft-ietf-rtgwg-atn-b… Templin (US), Fred L
- Re: Secdir early review of draft-ietf-rtgwg-atn-b… Russ Housley
- Re: Secdir early review of draft-ietf-rtgwg-atn-b… Templin (US), Fred L
- Re: Secdir early review of draft-ietf-rtgwg-atn-b… Russ Housley
- Re: [secdir] Secdir early review of draft-ietf-rt… Benjamin Kaduk
- RE: [EXTERNAL] Re: [secdir] Secdir early review o… Templin (US), Fred L