Re: [secdir] SECDIR review of draft-ietf- bess-evpn-usage-07

"Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com> Thu, 08 February 2018 14:03 UTC

From: "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>
To: Stephen Kent <stkent@verizon.net>, Alvaro Retana <aretana.ietf@gmail.com>, "Henderickx, Wim (Nokia - BE/Antwerp)" <wim.henderickx@nokia.com>, "sajassi@cisco.com" <sajassi@cisco.com>, "uttaro@att.com" <uttaro@att.com>, "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "Vigoureux, Martin (Nokia - FR/Paris-Saclay)" <martin.vigoureux@nokia.com>, "secdir@ietf.org" <secdir@ietf.org>, "Palislamovic, Senad (Nokia - US)" <senad.palislamovic@nokia.com>
Thread-Topic: SECDIR review of draft-ietf- bess-evpn-usage-07
Thread-Index: AQHTnFHz0wf12N+xhkuJ9V8mooRWQaORnxaAgAAMgwCACPeYgA==
Date: Thu, 8 Feb 2018 14:03:04 +0000
Message-ID: <9D77D57C-E135-479E-8328-69470CC4FF31@nokia.com>
References: <e507416e-202b-defb-b8e9-cd3cb75c877a@verizon.net> <CAMMESsyfe=NL-HwMES5yCUgDhSzkdrN6cpycV3WjNKEJscPo3w@mail.gmail.com> <18631468-67d6-e3ca-0bef-92cdcb3ccd66@verizon.net>
In-Reply-To: <18631468-67d6-e3ca-0bef-92cdcb3ccd66@verizon.net>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/2p0u_dfsrAlvh26qGUiYLYeMHMI>
Subject: Re: [secdir] SECDIR review of draft-ietf- bess-evpn-usage-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2018 14:03:12 -0000

Kent,

Thank you very much for your comments.
I have fixed the grammar errors, added PE to the terminology section and added this to the security section:

“The procedures described in this document are a subset of the procedures in [RFC7432] and thus no new security concerns arise.”


Alvaro, I assume we don’t need to post a new version and it can wait till the next reviews, right?

Thank you.
Jorge

From: Stephen Kent <stkent@verizon.net>
Date: Friday, February 2, 2018 at 11:06 PM
To: Alvaro Retana <aretana.ietf@gmail.com>, "Henderickx, Wim (Nokia - BE/Antwerp)" <wim.henderickx@nokia.com>, "sajassi@cisco.com" <sajassi@cisco.com>, "uttaro@att.com" <uttaro@att.com>, "Rabadan, Jorge (Nokia - US/Mountain View)" <jorge.rabadan@nokia.com>, "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "Vigoureux, Martin (Nokia - FR/Paris-Saclay)" <martin.vigoureux@nokia.com>, "secdir@ietf.org" <secdir@ietf.org>, "Palislamovic, Senad (Nokia - US)" <senad.palislamovic@nokia.com>
Subject: Re: SECDIR review of draft-ietf- bess-evpn-usage-07

Alvaro,
On February 2, 2018 at 1:16:28 PM, Stephen Kent (stkent@verizon.net) wrote:

Steve:

Hi!  How are you?
I'm well. Thanks for asking.


...
Section 10 (Security Considerations) consists of only one sentence, which refers to the corresponding discussion in RFC 7432. Additional text should be provided here to explain why this document does not add any new security considerations. Presumably the rationale is that the provisioning model and initialization procedures described here are a subset of the more general discussion in 7432 and thus no new security concerns arise as a result of this more detailed information. I am not in a position to judge whether that potential rationale is true.

Fair enough.
Good.

I reviewed the Security Considerations section of RFC 7432. It contains about 1.5 pages of text. The first paragraph there cites security considerations text in RFCs 4761, 4762, and 4364 and the text there is generally well-written. However, there is a significant omission, one that should have been noted in the SECDIR review of that document. Specifically, 7432 cites NONE of the BGP security RFCs produced by the SIDR WG (e.g., RFCs 6480-93 et al), even though they preceded publication of that RFC. Since those documents represented the latest proposals for improving BGP security at the time, they ought to have been cited, with a very brief discussion of their relevance to EVPN BGP MPLS deployments. I suggest that this document rectify this omission, i.e., cite several of the BGP secure origin authentication RFCs, and the recent BGPSec RFCs (8205-11), and note the relevance of those standards to EVPN BGP MPLS deployments.

The work from sidr doesn’t directly apply to EVPN simply because the ROAs and BGPSec have been specified only for IPv4/IPv6 and not for the Address Family used by EVPN.

Maybe a statement like that is what you’re looking for — but I don’t think it is appropriate to go any further in this document.
A statement explaining why AS origin authentication and BGPSec are not relevant would address my concerns.

Thanks,

Steve
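The point Alvaro makes above (the SIDR work is specified for IPv4/IPv6 prefixes, not for the EVPN address family) can be made concrete by running RFC 6811 style route origin validation over a small ROA set and then handing it an EVPN route. The following is an added illustration for this thread, not code from the draft, from RFC 7432 or from any of the participants. The ROA entries and routes are constructed sample data; the AFI/SAFI numbers are the IANA-registered values (IPv4 = 1, IPv6 = 2, L2VPN = 25; unicast = 1, EVPN = 70). The `NotApplicable` result is this example's own label for "no ROA can describe this NLRI", not an RFC 6811 validation state.

```python
"""RFC 6811 style origin validation against constructed ROAs, plus a check of
which AFI/SAFI pairs such validation is defined for.

Added illustration for the secdir thread; sample data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA AFI/SAFI values (RFC 7432 uses AFI 25 / SAFI 70 for EVPN)
AFI_IPV4, AFI_IPV6, AFI_L2VPN = 1, 2, 25
SAFI_UNICAST, SAFI_EVPN = 1, 70


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder authorises
    asn: int          # authorised origin AS


@dataclass(frozen=True)
class Route:
    afi: int
    safi: int
    origin_asn: int
    prefix: Optional[str] = None   # IP prefix for IPv4/IPv6 unicast NLRI
    nlri: Optional[str] = None     # opaque description for non-IP NLRI (EVPN)


def rov_applicable(route: Route) -> bool:
    """Origin validation is defined over IP prefixes, i.e. IPv4/IPv6 unicast
    NLRI. EVPN NLRI (MAC/IP advertisements and the other route types) carries
    no prefix that a ROA describes, so validation has nothing to match on."""
    return route.afi in (AFI_IPV4, AFI_IPV6) and route.safi == SAFI_UNICAST


def validate_origin(route: Route, roas: List[ROA]) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' per RFC 6811, or this
    example's 'NotApplicable' for address families ROAs do not cover."""
    if not rov_applicable(route):
        return "NotApplicable"
    net = ipaddress.ip_network(route.prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version:
            continue
        # A ROA covers the route when the route prefix lies inside the ROA prefix
        if net.subnet_of(roa_net):
            covering.append((roa, roa_net))
    if not covering:
        return "NotFound"
    # A covering ROA matches when the origin AS agrees and the route is no
    # longer than the ROA's maxLength; one match is enough for Valid
    for roa, _ in covering:
        if roa.asn == route.origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed ROA set (documentation prefixes and ASNs)
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

# Constructed routes: four IP unicast cases and one EVPN MAC/IP route
SAMPLE_ROUTES = {
    "ipv4_ok":       Route(AFI_IPV4, SAFI_UNICAST, 64496, prefix="192.0.2.0/24"),
    "ipv4_wrong_as": Route(AFI_IPV4, SAFI_UNICAST, 64511, prefix="192.0.2.0/24"),
    "ipv4_too_long": Route(AFI_IPV4, SAFI_UNICAST, 64496, prefix="192.0.2.128/25"),
    "ipv6_unknown":  Route(AFI_IPV6, SAFI_UNICAST, 64496, prefix="2001:db9::/32"),
    "evpn_mac_ip":   Route(AFI_L2VPN, SAFI_EVPN, 64496,
                           nlri="RT-2 MAC/IP advertisement (constructed)"),
}


def validate_all(routes: Dict[str, Route] = SAMPLE_ROUTES,
                 roas: List[ROA] = SAMPLE_ROAS) -> Dict[str, str]:
    """Validate every sample route and return name -> validation state."""
    return {name: validate_origin(r, roas) for name, r in routes.items()}


if __name__ == "__main__":
    for name, state in validate_all().items():
        print(f"{name:15s} {state}")
```

Running it shows the four IP unicast routes landing in the three RFC 6811 states, while the EVPN route is never even compared against the ROA set. That is the operational reading of the thread: an RPKI origin validation policy on an EVPN session adds nothing, so the security of the EVPN control plane rests on the considerations in RFC 7432 and the documents it cites, which is why a short statement to that effect in the draft answers the review.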