IETF Logo Mail Archive

Re: [secdir] New Routing Area Security Design Team

Richard Barnes <rlb@ipv.sx> Fri, 13 April 2018 21:57 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4232E12D869 for <secdir@ietfa.amsl.com>; Fri, 13 Apr 2018 14:57:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.609
X-Spam-Level:
X-Spam-Status: No, score=-2.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x4-WmWPizovF for <secdir@ietfa.amsl.com>; Fri, 13 Apr 2018 14:57:18 -0700 (PDT)
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com [IPv6:2607:f8b0:4003:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCA2C129C6D for <secdir@ietf.org>; Fri, 13 Apr 2018 14:57:17 -0700 (PDT)
Received: by mail-oi0-x232.google.com with SMTP id 188-v6so9673291oih.8 for <secdir@ietf.org>; Fri, 13 Apr 2018 14:57:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=WRFMwKUQVNxgGirnBpPESUL586YDAhBDYmv1e7G86vg=; b=cYZxVAjQYTXsp4lvZYqiJjdlZ/0IrmHdN+ylFmMEv5gHPAfaOXgXaBC5hhQuj6IQBJ 5nT2l+A00OAHkadFQ1kQflfnZyy04Ez6wWDt3Ynfk8tOikT5PJzWmi5YgBRScRLZj4EJ s1aPGSWWcPNCy4F/feYWDPMuO5ai/HzHI7SSUbTn/716ODzyDT0WZXBuZWkBS6HqusoU 8/Pm1D9UhO4XFaAXnhrmh2yiDFUt1ouAsQ44ZI5U3pvOf5RsME8EGwWVuV0c/MdrRTka wWtmtxgUPpfN0rHD7GXch6eaOLHw4bbdpJGMGRYgS9qNld5r4OZuy6cRtVLXRKAM6EPy x1hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=WRFMwKUQVNxgGirnBpPESUL586YDAhBDYmv1e7G86vg=; b=uI+y8FX1sNxAmXjtx0Y9RbrAxa0FFyMhaaLXA0LgsCScKNC1ChG8ju9SUvIQxRrh2Q XXAFSYWkFeuIS8uYCyamUmFBTiIYRI9z7FpHk7I80pkAJp4EoBfgazdXDd3pw4pRf+bu Won3/g9TosBoY0srCGU30S1gKE8hotWdUcOyNkzX8y+NWvE+20LEf5N2sayMTlXBmR6I hxDCHlzSqSLGglxHvP4jgVDXIrbec9oVVNaMQ2/WUWyBauZV0TAYlXJAQWsXeeBBnzrq RxpfQoVjKq034eaoYlpkvppvjl2xSovIidlZiBDY32Pf4PFQgZdVg+c1lncJ75Vcdgb3 KWow==
X-Gm-Message-State: ALQs6tAc5WbxLEQ8Q3Owxl4q6dK1UECML+4qWgnoEo8Y/zCusVVoUvrT rRDWRJ5KEn03kIEWzkqBgUm4qI9RZ+rIY80FxN1iXQ==
X-Google-Smtp-Source: AIpwx48/aInNzc+WfLkY+Nm/YC7dYXAGxOl8LnLmkhw20zkbqa6Yy59bEG02QEDQsn/2MZExLoNpvWLA98KTTnonhWs=
X-Received: by 2002:aca:df44:: with SMTP id w65-v6mr8994117oig.155.1523656636824; Fri, 13 Apr 2018 14:57:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.90.67 with HTTP; Fri, 13 Apr 2018 14:57:15 -0700 (PDT)
In-Reply-To: <187AE9A0-E125-4B54-A286-488F52CB88B6@cisco.com>
References: <F64C10EAA68C8044B33656FA214632C8882C74A7@MISOUT7MSGUSRDE.ITServices.sbc.com> <CAL02cgS9rZKVtZs4aRWJmaQj-anaSqYj8rn8roDdxP+JhBR++A@mail.gmail.com> <187AE9A0-E125-4B54-A286-488F52CB88B6@cisco.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 13 Apr 2018 17:57:15 -0400
Message-ID: <CAL02cgReXuLYdLf2jAt8VJQ6pxp32AR=s3Qa9e65GB-r7rDxEQ@mail.gmail.com>
To: "Acee Lindem (acee)" <acee@cisco.com>
Cc: "BRUNGARD, DEBORAH A" <db3546@att.com>, "secdir@ietf.org" <secdir@ietf.org>, "russ@riw.us" <russ@riw.us>, "Jeffrey Haas (jhaas@pfrc.org)" <jhaas@pfrc.org>, "Stewart Bryant (stewart.bryant@gmail.com)" <stewart.bryant@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000009915d80569c1f4e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-L20xZ6jlRgdtMtSC3-0vvAnG6A>
Subject: Re: [secdir] New Routing Area Security Design Team
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2018 21:57:21 -0000

Yeah, the elephant problem is part of why I was asking about deliverables
-- it seems like even having the discussion could help us assemble a more
complete picture of the elephant.

I appreciate that "Security Considerations for X" can be a tempting target,
but I honestly wonder whether they're worthwhile.  Writing a guide to BGP
that pounds its shoe on the table and says "DO BGPSEC!" is not going to
substantively move the needle, just like all our shouting about IPsec and
DNSSEC has been basically for nought.

It would be good to avoid all the spinning of wheels that has been done in
those domains in the cases where we're looking to improve routing
security.  FWIW, HTTPS is the one domain where there has been some real
progress toward universal security.  I would be glad to compare notes on
what worked there, and see if we can translate anything to the routing
domain.

I wonder if it would be useful to start by evaluating what change needs to
be made in the Internet.  Which part of the elephant is the bleeding the
worst?  What are the risks that are causing the most harm today, which we
should put the most effort into fixing?


On Fri, Apr 13, 2018 at 5:25 PM, Acee Lindem (acee) <acee@cisco.com> wrote:

> Hi Richard,
>
> When you talk about Routing Security, it is like the blind men and
> elephant, everyone has a different opinion on what the priorities are. From
> my viewpoint (and I do have one bad eye ;^), one of the outcomes should be
> finding the right set of authors for protocol specific “XXXX Security
> Considerations” documents where XXXX is BGP, IS-IS, OSPF, LDP, PIM, etc.
> Additionally, we’d provide a generic outline for these documents.
>
> Thanks,
> Acee
>
> From: Richard Barnes <rlb@ipv.sx>
> Date: Friday, April 13, 2018 at 4:21 PM
> To: Deborah Brungard <db3546@att.com>
> Cc: "secdir@ietf.org" <secdir@ietf.org>, Russ White <russ@riw.us>, Jeff
> Haas <jhaas@pfrc.org>, Stewart Bryant <stewart.bryant@gmail.com>, Acee
> Lindem <acee@cisco.com>
> Subject: Re: [secdir] New Routing Area Security Design Team
>
> (trimming the CC list a bit)
>
> Hey Deborah,
>
> Delighted to hear this news.  Do you have an idea of what the initial
> deliverables are for this group?  What security problems are they going to
> try to address?
>
> TBH, it seems like the headline problem at the Internet level is BGP
> abuse.  The base RPKI docs have been out for several years now, and BGPSEC
> is pretty much finished, but the deployment numbers continue to hover
> around 8-9% for even the most basic protections.  It would be delightful to
> have a group take a look at what the deployment blockers are here, and
> whether there's anything the IETF could do to help, whether it's updating
> protocols, producing deployment guides, writing code, etc.  We shouldn't
> think that RFCs are the only tool in our arsenal.
>
> Thanks,
> --Richard
>
> [1] https://rpki-monitor.antd.nist.gov/
>
>
> On Fri, Apr 13, 2018 at 4:11 PM, BRUNGARD, DEBORAH A <mailto:
> db3546@att.com> wrote:
> The Routing ADs have chartered a design team as described below.
>
> I will be the AD-contact: mailto:db3546@att.com
>
> Routing Area Security Design Team Charter
>
> Internet security threats have evolved in the last couple of years and
> questions are arising about the security properties of many long-standing
> IETF routing protocols and new protocols under development. This is an
> opportunity for the Routing Area to evaluate current assumptions and make
> recommendations for new work.
>
> The Routing Area will kick off a Routing Area-wide Design team with
> support from the OPS Area and Security Area. The first phase will consist
> of a small team:
>
> Stewart Bryant mailto:stewart.bryant@gmail.com
> Jeff Haas mailto:jhaas@pfrc.org
> Acee Lindem mailto:acee@cisco.com
> Russ White mailto:russ@riw.us
>
> They will be responsible to set up an environment (e..g. wiki), identify
> work items, and coordinating overall the work effort. It is the expectation
> this initial phase will be done by May 1. A second phase will consist of
> small teams working on targeted items. Work items will include review of
> current deployments (use models) and threat models, evaluation criteria and
> useful advice when doing new work (on existing protocols and new
> protocols), and recommendations on where new work is needed in cooperation
> with the responsible working group. The work will have support from the
> Security Area and OPS Area.
>
> The design team will have a private mailing list for this first phase and
> can be reached at mailto:rt-dt-security@ietf.org.
>
> Regards,
> Deborah
>
>
>
> _______________________________________________
> secdir mailing list
> mailto:secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>
>
>

v2.23.0 | Report a Bug | By Email