[secdir] Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
Catherine Meadows <catherine.meadows@nrl.navy.mil> Mon, 09 July 2012 18:24 UTC
I managed to screw up the email address again. Here it is for what I hope is the last time. My apologies again to everyone who receives *three* copies of this message.

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes an added capability for four-octet Autonomous System (AS) numbers in BGP. This is intended to replace the older two-octet AS numbers, since that space is filling up. In order to preserve backward compatibility, ASes using the four-octet system (called New BGP speakers in the document) must advertise both four-octet and two-octet AS numbers. This is the case even if the New BGP Speaker does not have a globally unique two-octet number. The document says that in this case the two-octet number is obtained by mapping the four-octet number to the two-octet space. The procedure for doing this is not specified.

The authors identify a risk of routing loops developing when ambiguities develop as a result of a BGP speaker using the old system aggregating two or more routes carrying 4-octet attributes. In the Security Configurations Section, the authors point out that an attacker might be able to exploit this in a denial of service attack. They point out that it is a misconfiguration to assign 4-octet Member AS Numbers in a BGP confederation until all BGP speakers within the confederation have transitioned to support 4-octet numbers.

I think that this is a good recommendation. I just have a couple of minor comments. It's not clear to me what the status of "misconfiguration" is in the hierarchy of IETF. Is it more like SHALL NOT or SHOULD NOT? Is there a reason why you're saying "misconfiguration" instead of one of those?

I would also expect that the chance of routing loops arising out of conversion from 4-octet to 2-octet occurring between confederations would be much less than that of their occurring within a confederation (although one can't know for sure without knowing what the 4-octet to 2-octet mapping is), so following the recommendations in the Security Considerations would greatly reduce the probability of such a routing loop occurring. Is this correct?

Cathy Meadows

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil
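Added illustration, not code from the review or from the draft: a small Python model of the 4-octet/2-octet mapping convention that RFC 4893 defines (a 4-octet AS with no 2-octet equivalent is shown to Old speakers as the reserved value AS_TRANS, 23456, with the real path carried in the AS4_PATH attribute) and of the AS_PATH/AS4_PATH reconstruction a New speaker performs. It shows why the ambiguity the review describes defeats loop detection once an Old speaker has dropped the AS4_PATH, as can happen when it aggregates routes carrying 4-octet attributes. All AS numbers in it are constructed sample values.

```python
# Added illustration (not code from the review or the draft). Models the
# RFC 4893 convention: a 4-octet AS with no 2-octet equivalent is shown to
# OLD speakers as the reserved value AS_TRANS, with the real path carried in
# the AS4_PATH attribute. All AS numbers below are constructed sample values.
from typing import List, Optional

AS_TRANS = 23456  # reserved 2-octet placeholder defined by RFC 4893


def to_two_octet(asn: int) -> int:
    """Map a 4-octet AS into the 2-octet space; non-mappable ASes become AS_TRANS."""
    return asn if asn < 65536 else AS_TRANS


def paths_for_old_peer(real_path: List[int]):
    """What a NEW speaker sends an OLD peer: AS_PATH with AS_TRANS substituted,
    plus AS4_PATH carrying the unmodified 4-octet path."""
    return [to_two_octet(a) for a in real_path], list(real_path)


def reconstruct(as_path: List[int], as4_path: Optional[List[int]]) -> List[int]:
    """RFC 4893 reconstruction at a NEW speaker: if AS4_PATH is missing or longer
    than AS_PATH it is ignored; otherwise AS4_PATH replaces the trailing part of
    AS_PATH and the leading (2-octet-only) ASes of AS_PATH are kept."""
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    return as_path[: len(as_path) - len(as4_path)] + list(as4_path)


def loop_detected(as_path: List[int], as4_path: Optional[List[int]], local_as: int) -> bool:
    """Loop check a NEW speaker makes on the reconstructed path."""
    return local_as in reconstruct(as_path, as4_path)


def demo() -> dict:
    """Constructed scenario: 4-octet AS 4200000001 originates a route that passes
    through an OLD speaker (AS 65001) and comes back to it. While AS4_PATH
    survives the loop is visible; once the OLD speaker has dropped AS4_PATH, the
    AS_TRANS entry is ambiguous and the loop goes undetected."""
    as_path, as4_path = paths_for_old_peer([4200000001, 64512])
    # The OLD speaker prepends itself to AS_PATH; AS4_PATH passes through unchanged.
    as_path = [65001] + as_path
    return {
        "with_as4_path": loop_detected(as_path, as4_path, 4200000001),  # True
        "as4_path_lost": loop_detected(as_path, None, 4200000001),      # False
    }
```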