[secdir] Security review of draft-ietf-grow-ops-reqs-for-bgp-error-handling-05
"Hilarie Orman" <ho@alum.mit.edu> Thu, 13 September 2012 05:50 UTC
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA3E121F84FE; Wed, 12 Sep 2012 22:50:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.372
X-Spam-Level:
X-Spam-Status: No, score=-2.372 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_SUB_OBFU_Q1=0.227]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SvmZkccxYMAx; Wed, 12 Sep 2012 22:50:59 -0700 (PDT)
Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231]) by ietfa.amsl.com (Postfix) with ESMTP id 64C9F21F84FA; Wed, 12 Sep 2012 22:50:59 -0700 (PDT)
Received: from mx03.mta.xmission.com ([166.70.13.213]) by out01.mta.xmission.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from <hilarie@purplestreak.com>) id 1TC2KE-0000og-R2; Wed, 12 Sep 2012 23:50:54 -0600
Received: from 166-70-57-249.ip.xmission.com ([166.70.57.249] helo=sylvester.rhmr.com) by mx03.mta.xmission.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <hilarie@purplestreak.com>) id 1TC2K6-0003Hh-UD; Wed, 12 Sep 2012 23:50:54 -0600
Received: from sylvester.rhmr.com (localhost [127.0.0.1]) by sylvester.rhmr.com (8.14.4/8.14.3/Debian-9.1ubuntu1) with ESMTP id q8D5ohVf024951; Wed, 12 Sep 2012 23:50:43 -0600
Received: (from hilarie@localhost) by sylvester.rhmr.com (8.14.4/8.14.4/Submit) id q8D5ofpj024949; Wed, 12 Sep 2012 23:50:41 -0600
Date: Wed, 12 Sep 2012 23:50:41 -0600
Message-Id: <201209130550.q8D5ofpj024949@sylvester.rhmr.com>
From: Hilarie Orman <ho@alum.mit.edu>
To: iesg@ietf.org, secdir@ietf.org
X-XM-SPF: eid=; ; ; mid=; ; ; hst=mx03.mta.xmission.com; ; ; ip=166.70.57.249; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-DomainKey: sender_domain=alum.mit.edu; ; ; sender=ho@alum.mit.edu; ; ; status=error
X-SA-Exim-Connect-IP: 166.70.57.249
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa01 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: *;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country:
X-SA-Exim-Version: 4.2.1 (built Fri, 06 Aug 2010 16:31:04 -0600)
X-SA-Exim-Scanned: Yes (on mx03.mta.xmission.com)
Cc: draft-ietf-grow-ops-reqs-for-bgp-error-handling@tools.ietf.org, rob.shakir@bt.com
Subject: [secdir] Security review of draft-ietf-grow-ops-reqs-for-bgp-error-handling-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Hilarie Orman <ho@alum.mit.edu>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Sep 2012 05:51:00 -0000
Secdir review of Operational Requirements for Enhanced Error Handling Behaviour in BGP-4 draft-ietf-grow-ops-reqs-for-bgp-error-handling-05 Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The document intends to specify "requirements for ongoing work" in handling errors in BGP-4 protocol messages. The document says that it will not define the protocol mechanisms for implementing solutions. A lot of experience and thought has gone into writing this document. Nonetheless, I had a great deal of trouble finding the requirements because the writing is narrative and overly wordy. I would like to see the requirements stated clearly and separated from the rationalization. There are many requirements that seem to be dictated (not to be the subject of "ongoing work", apparently) and others that are quite vague: There is a requirement that where subsets of the RIB on a device are no longer reachable from a BGP speaker, or indeed an AS, that some visibility of this situation, alongside a mechanism to determine the cause is available to an operator. Whilst, to some extent, this can be solved by mandating a sub-requirement of each of the aforementioned requirements that a BGP speaker must log where such errors occur, and are hence handled, this does not solve all cases. It's difficult to untangle this sort of thing into analyzable requirements. >From a security standpoint, the requirement that offending BGP messages be returned to the sender is problematic. BGP has a lightweight cryptographic mechanism for protecting message integrity and providing authentication. The returned erroneous messages might help an attacker undermine the protection and thus insert bogus messages into a channel. The security considerations should point out that any new form of error handling requires cryptanalysis. Some minor editorial comments: "Whilst" is rarely used in American English. The synonym "while" is preferred, but in this document the word "although" would be a better replacement. In many cases omission altogether would improve the sentence. In this introductory paragraph "... numerous incidents have been recorded due to the manner in which [RFC4271] specifies errors in routing information should be handled." we do not learn why the "incidents" require any changes to error handling. The very term "incident" appears to be a pejorative in the mind of the author. Grammo: "It should, however, be noted" replace with "It should be noted, however" or "Note that ..."
- [secdir] Security review of draft-ietf-grow-ops-r… Hilarie Orman