[secdir] Security review of draft-ietf-grow-ops-reqs-for-bgp-error-handling-05

"Hilarie Orman" <ho@alum.mit.edu> Thu, 13 September 2012 05:50 UTC

Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA3E121F84FE; Wed, 12 Sep 2012 22:50:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.372
X-Spam-Level:
X-Spam-Status: No, score=-2.372 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_SUB_OBFU_Q1=0.227]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SvmZkccxYMAx; Wed, 12 Sep 2012 22:50:59 -0700 (PDT)
Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231]) by ietfa.amsl.com (Postfix) with ESMTP id 64C9F21F84FA; Wed, 12 Sep 2012 22:50:59 -0700 (PDT)
Received: from mx03.mta.xmission.com ([166.70.13.213]) by out01.mta.xmission.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from <hilarie@purplestreak.com>) id 1TC2KE-0000og-R2; Wed, 12 Sep 2012 23:50:54 -0600
Received: from 166-70-57-249.ip.xmission.com ([166.70.57.249] helo=sylvester.rhmr.com) by mx03.mta.xmission.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <hilarie@purplestreak.com>) id 1TC2K6-0003Hh-UD; Wed, 12 Sep 2012 23:50:54 -0600
Received: from sylvester.rhmr.com (localhost [127.0.0.1]) by sylvester.rhmr.com (8.14.4/8.14.3/Debian-9.1ubuntu1) with ESMTP id q8D5ohVf024951; Wed, 12 Sep 2012 23:50:43 -0600
Received: (from hilarie@localhost) by sylvester.rhmr.com (8.14.4/8.14.4/Submit) id q8D5ofpj024949; Wed, 12 Sep 2012 23:50:41 -0600
Date: Wed, 12 Sep 2012 23:50:41 -0600
Message-Id: <201209130550.q8D5ofpj024949@sylvester.rhmr.com>
From: "Hilarie Orman" <ho@alum.mit.edu>
To: iesg@ietf.org, secdir@ietf.org
X-XM-SPF: eid=; ; ; mid=; ; ; hst=mx03.mta.xmission.com; ; ; ip=166.70.57.249; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-DomainKey: sender_domain=alum.mit.edu; ; ; sender=ho@alum.mit.edu; ; ; status=error
X-SA-Exim-Connect-IP: 166.70.57.249
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa01 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: *;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country:
X-SA-Exim-Version: 4.2.1 (built Fri, 06 Aug 2010 16:31:04 -0600)
X-SA-Exim-Scanned: Yes (on mx03.mta.xmission.com)
Cc: draft-ietf-grow-ops-reqs-for-bgp-error-handling@tools.ietf.org, rob.shakir@bt.com
Subject: [secdir] Security review of draft-ietf-grow-ops-reqs-for-bgp-error-handling-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Hilarie Orman <ho@alum.mit.edu>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Sep 2012 05:51:00 -0000

Secdir review of 
Operational Requirements for Enhanced Error Handling Behaviour in BGP-4
draft-ietf-grow-ops-reqs-for-bgp-error-handling-05

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors. Document editors and
WG chairs should treat these comments just like any other last call
comments.

The document intends to specify "requirements for ongoing work" in
handling errors in BGP-4 protocol messages.  The document says that
it will not define the protocol mechanisms for implementing solutions.

A lot of experience and thought has gone into writing this document.
Nonetheless, I had a great deal of trouble finding the requirements
because the writing is narrative and overly wordy.  I would like to
see the requirements stated clearly and separated from the
rationalization.

There are many requirements that seem to be dictated (not to be the
subject of "ongoing work", apparently) and others that are quite vague:

   There is a requirement that where subsets of the
   RIB on a device are no longer reachable from a BGP speaker, or indeed
   an AS, that some visibility of this situation, alongside a mechanism
   to determine the cause is available to an operator.  Whilst, to some
   extent, this can be solved by mandating a sub-requirement of each of
   the aforementioned requirements that a BGP speaker must log where
   such errors occur, and are hence handled, this does not solve all
   cases.

It's difficult to untangle this sort of thing into analyzable requirements.

>From a security standpoint, the requirement that offending BGP
messages be returned to the sender is problematic.  BGP has a
lightweight cryptographic mechanism for protecting message integrity
and providing authentication.  The returned erroneous messages might
help an attacker undermine the protection and thus insert bogus
messages into a channel.  The security considerations should point
out that any new form of error handling requires cryptanalysis.

Some minor editorial comments:

"Whilst" is rarely used in American English.  The synonym "while" is
preferred, but in this document the word "although" would be a better
replacement.  In many cases omission altogether would improve the
sentence.

In this introductory paragraph
   "... numerous incidents have been recorded due to the
   manner in which [RFC4271] specifies errors in routing information
   should be handled."
we do not learn why the "incidents" require any changes to error
handling.  The very term "incident" appears to be a pejorative in the
mind of the author.

Grammo:
	 "It should, however, be noted"
replace with
	 "It should be noted, however"
	 or
	 "Note that ..."