Re: [secdir] New Routing Area Security Design Team

Christian Huitema <huitema@huitema.net> Sun, 15 April 2018 17:47 UTC

To: Jeffrey Haas <jhaas@pfrc.org>, Richard Barnes <rlb@ipv.sx>
Cc: "russ@riw.us" <russ@riw.us>, "Stewart Bryant (stewart.bryant@gmail.com)" <stewart.bryant@gmail.com>, "Acee Lindem (acee) (acee@cisco.com)" <acee@cisco.com>, "BRUNGARD, DEBORAH A" <db3546@att.com>, "secdir@ietf.org" <secdir@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0MtcHg6q29vd6MJ9FDbdw_7ODDw>

On 4/13/2018 4:51 PM, Jeffrey Haas wrote:

> The initial motivation to start this was the further "what do we do
> about tcp-md5" that the MPLS protocols are dealing with now.  And
> further, it's a bit about how to reduce the frustrating dance we have
> between routing (and other areas?) and security-focused groups during
> the RFC process.
>
> See my slides I did for IEPG to give an idea of some of what at least
> I think we'd like to see come out of this:
>
> http://iepg.org/2018-03-18-ietf101/haas-iepg-101.pdf

So basically you are debating which protected transport to use for
routing protocols. That's certainly an issue that needs solving, but it
has a feeling of focusing on the solution before debating the problem.
As Richard said, the headline issue for outsiders like me is BGP
hijacking, whether as a means to hijack addresses and inject spam, or as
a way to detour Wall Street's traffic through Belarus. It seems that the
first step in router security would be to analyze these attacks, from
BGP hijacking to the control plane attacks that you mention. Replacing
TCP-MD5 by TCP-AO or DTLS may be part of the solution, but the problem
is bigger than that.

-- Christian Huitema