Re: [secdir] SECDIR review of draft-ietf- bess-evpn-usage-07

Stephen Kent <stkent@verizon.net> Fri, 02 February 2018 22:06 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C82F312D7EC for <secdir@ietfa.amsl.com>; Fri, 2 Feb 2018 14:06:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cGm0ZVaeGfv8 for <secdir@ietfa.amsl.com>; Fri, 2 Feb 2018 14:06:52 -0800 (PST)
Received: from omr-m008e.mx.aol.com (omr-m008e.mx.aol.com [204.29.186.7]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E70E2126C23 for <secdir@ietf.org>; Fri, 2 Feb 2018 14:06:51 -0800 (PST)
Received: from mtaout-maa02.mx.aol.com (mtaout-maa02.mx.aol.com [172.26.222.142]) by omr-m008e.mx.aol.com (Outbound Mail Relay) with ESMTP id 6B10D3800157; Fri, 2 Feb 2018 17:06:50 -0500 (EST)
Received: from iMac-Study.fios-router.home (pool-108-49-30-217.bstnma.fios.verizon.net [108.49.30.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mtaout-maa02.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 655D438000084; Fri, 2 Feb 2018 17:06:49 -0500 (EST)
To: Alvaro Retana <aretana.ietf@gmail.com>, wim.henderickx@nokia.com, sajassi@cisco.com, uttaro@att.com, jorge.rabadan@nokia.com, stephane.litkowski@orange.com, martin.vigoureux@nokia.com, secdir@ietf.org, senad.palislamovic@nokia.com
References: <e507416e-202b-defb-b8e9-cd3cb75c877a@verizon.net> <CAMMESsyfe=NL-HwMES5yCUgDhSzkdrN6cpycV3WjNKEJscPo3w@mail.gmail.com>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <18631468-67d6-e3ca-0bef-92cdcb3ccd66@verizon.net>
Date: Fri, 2 Feb 2018 17:06:48 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <CAMMESsyfe=NL-HwMES5yCUgDhSzkdrN6cpycV3WjNKEJscPo3w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------463283F9B20D6FC7131D2707"
Content-Language: en-US
x-aol-global-disposition: G
x-aol-sid: 3039ac1ade8e5a74e0f91d4c
X-AOL-IP: 108.49.30.217
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GnJ6a5X1jwSAHQY8BkugxxPYoi8>
Subject: Re: [secdir] SECDIR review of draft-ietf- bess-evpn-usage-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2018 22:06:54 -0000

Alvaro,
> On February 2, 2018 at 1:16:28 PM, Stephen Kent (stkent@verizon.net 
> <mailto:stkent@verizon.net>) wrote:
>
> Steve:
>
> Hi!  How are you?
I'm well. Thanks for asking.
>
> ...
>>
>> Section 10 (Security Considerations) consists of only one sentence, 
>> which refers to the corresponding discussion in RFC 7432. Additional 
>> text should be provided here to explain why this document does not 
>> add any new security considerations. Presumably the rationale is that 
>> the provisioning model and initialization procedures described here 
>> are a subset of the more general discussion in 7432 and thus no new 
>> security concerns arise as a result of this more detailed 
>> information. I am not in a position to judge whether that potential 
>> rationale is true.
>>
> Fair enough.
>
Good.
>>
>> I reviewed the Security Considerations section of RFC 7432. It 
>> contains about 1.5 pages of text. The first paragraph there cites 
>> security considerations text in RFCs 4761, 4762, and 4364 and the 
>> text there is generally well-written. However, there is a significant 
>> omission, one that should have been noted in the SECDIR review of 
>> that document. Specifically, 7432 cites NONE of the BGP security RFCs 
>> produced by the SIDR WG (e.g., RFCs 6480-93 et al), even though they 
>> preceded publication of that RFC. Since those documents represented 
>> the latest proposals for improving BGP security at the time, they 
>> ought to have been cited and a very brief discussion of their 
>> relevance to EVPN BGP MPLS deployments. I suggest that this document 
>> rectify this omission, i.e., cite several of the BGP secure origin 
>> authentication RFCs, and the recent BGPSec RFCs (8205-11), and note 
>> the relevance of those standards to EVPN BGP MPLS deployments.
>>
> The work from sidr doesn’t directly apply to EVPN simply because the 
> ROAs and BGPSec have been specified only for IPv4/IPv6 and not for the 
> Address Family used by EVPN.
>
> Maybe a statement like that is what you’re looking for — but I don’t 
> think it is appropriate to go any further in this document.
>
A statement explaining why AS origin authentication and BGPSec are not 
relevant would address my concerns.

Thanks,

Stevce