Re: [secdir] SecDir Review of draft-ietf-sidr-bgpsec-reqs-11

Randy Bush <> Thu, 10 July 2014 23:13 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DC9AF1A008B; Thu, 10 Jul 2014 16:13:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4qQLP7SSIXM6; Thu, 10 Jul 2014 16:13:41 -0700 (PDT)
Received: from ( [IPv6:2001:418:8006::18]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7F3A41A0078; Thu, 10 Jul 2014 16:13:41 -0700 (PDT)
Received: from localhost ([] by with esmtp (Exim 4.76) (envelope-from <>) id 1X5NX1-0002B6-EQ; Thu, 10 Jul 2014 23:13:40 +0000
Date: Fri, 11 Jul 2014 08:13:38 +0900
Message-ID: <>
From: Randy Bush <>
To: "Adam W. Montville" <>
In-Reply-To: <>
References: <>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [secdir] SecDir Review of draft-ietf-sidr-bgpsec-reqs-11
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 Jul 2014 23:13:44 -0000

> 2. Requirement 3.13 indicates that BGPsec “MUST provide backward
>    compatibility”, but we are left to assume that downgrade prevention
>    is enabled.  We might assume that it is, but it’s probably better
>    not to.  Perhaps adding a statement to the effect of “MUST provide
>    backward compatibility…. but also allow for strict BGPsec
>    adherence” or something similar.  I also recognize that there may
>    be obviating circumstances behind this requirement (i.e. it’s not
>    practical to *not* allow strict adherence), which I might also
>    assume as a reader.

i have added the following to sec cons,

    The requirement of backward compatibility to BGP4 may open an avenue
    to downgrade attacks.

> 4. In the Security Considerations section (6) it seems that more
>    explanation pertaining to the following sentence might be
>    warranted: “The data plane might not follow the control plane.”
>    This might be readily apparent to anyone in-the-know, but it’s not
>    so apparent to those not-in-the-know.

per alia atlas

   The data plane might not follow the path signaled by the control