Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-te-pm-bgp-13

["Susan Hares" <shares@ndzh.com>]

Robert: 

 

I disagree with many of your comment below.  However,  a discussion of these points is no longer appropriate on this thread. Les has indicated my suggested resolution of a revision to RFC7752 is not an acceptable alternative.   He wishes to focus on directly resolving these issues with the secdir.  This thread is closed to any further discussions on a revision of RFC7752.  

 

If you wish to discuss these offline, you can send me email.   If you wish to discuss these on a different thread, please start that specific thread.   

 

Sue

 

PS – The point of my questions were to explore if recasting the web of RFC7752 BGP peers as a trusted domain with the restrictions in RFC8402 would resolve security concerns related to RFC7752.  

 

From: Robert Raszuk [mailto:robert@raszuk.net] 
Sent: Friday, October 19, 2018 6:28 PM
To: shares@ndzh.com
Cc: Les Ginsberg (ginsberg); kaduk@mit.edu; idr@ietf.org; draft-ietf-idr-te-pm-bgp.all@ietf.org; ietf@ietf.org; Yoav Nir; secdir@ietf.org
Subject: Re: [Idr] [secdir] Secdir early review of draft-ietf-idr-te-pm-bgp-13

 

Hello Sue,

 

However, I would like your feedback on whether you believe RFC7752 has security that is equivalent to, less than, or greater than a trusted domain? 

 

The spring routing architecture (RFC8402) indicates that be default SR operates within a trusted domain. 

 

“Traffic MUST be filtered at the domain boundaries. The use of best practices to reduce the risk of tampering within the trusted domain is important.  Such practices are discussed in [RFC4381 <https://tools.ietf.org/html/rfc4381> ] and are applicable to both SR-MPLS and SRv6.”

 

 

Reading your comments I am also similarly to Les's feelings quite not sure what the point here is. 

 

SR Architecture while completely irrelevant to this thread talks about trusted domain in the context of data plane. Bringing in L3VPNs out of the sudden only because some SR document referred to it's security analysis is also quite a bizarre maneuver. 

 

With control plane and especially with BGP the notion of trusted vs untrusted domain is not something anyone can just pick or state on what his or her believe is. 

 

The short answer is that BGP operates on a per AFI/SAFI basis and level of trust is directly related to the actual configuration applied including level of policy inserted when using such apparatus to distribute various forms of information. 

 

Same SAFI can be configured by one operator quite strictly limiting it to one AS and someone else will like to share his information with entire world publishing it to a looking glass. Are we here to restrict this ? What means of control is there to enforce such restrictions other then perhaps stating simple recommendation in an advisory fashion that one should be a bit careful when publishing content of his LSDB or TED beyond devices he trusts ? **

 

** Note that even if TE infrastructure addresses or other information are accidentally leaked - there should be no great immediate harm - since well managed network prevents on ingress to the domain any flows which would aim at internal infrastructure address space. 

 

Thx,
R.