[secdir] SecDir review of draft-ietf-rtgwg-bgp-routing-large-dc-10

Yoav Nir <ynir.ietf@gmail.com> Thu, 05 May 2016 07:24 UTC

To: secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-rtgwg-bgp-routing-large-dc.all@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Jo7BYnPQqsgH4xnQbTbdkjiE3LE>


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: Almost Ready

This document is an Informational discussion of packet routing within data centers. It describes existing practice with using layer-2 protocols such as STP or TRILL, hybrid setups, and layer-3 routing protocols, mostly IGPs. It finally recommends replacing these with EBGP and a Clos structure. The document is very clear and quite an interesting read.

The document does not deal with security questions such as what kind of damage a rogue node can do, and that is fine. That is not the subject of this document. 

My one issue is with the Security Considerations section. Section 9 defers to the BGP RFCs (4271 and 4272) for the security considerations. This is a common pattern and it's usually fine, but in this case it is missing something. RFC 4271 requires the use of TCP-MD5 (RFC 2385) for authenticating the BGP connections between routers. RFC 4271 also mentions (but does not solve) the problem of key management. ISTM that in a large-scale and dynamically scalable data center, the problem of key management should be addressed. It might also be nice to use something less antiquated than TCP-MD5. 

Now it's possible to decide that all elements within the data center are trusted and under the administrator's control, and that therefore no authentication is necessary as long as BGP is somehow blocked from outside the DC to internal nodes. But if these assumptions exist, I believe they should be stated.
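
For readers unfamiliar with the TCP-MD5 mechanism (RFC 2385) referred to in the review, the following added example, which is not part of the review or of the draft, computes the per-segment digest and shows the receiver dropping a segment when the two ends hold different keys, which is why key provisioning and rotation matter at data center scale. The addresses, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest for one IPv4 TCP segment (fixed 20-byte header passed in)."""
    if len(tcp_header) != 20:
        raise ValueError("pass the 20-byte fixed TCP header, without options")
    # Segment length = real header length (data offset, options included) + data.
    seg_len = (tcp_header[12] >> 4) * 4 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    # Header is hashed without options and with the checksum field zeroed.
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    # Plain MD5 over the data followed by the key: a keyed hash, not HMAC.
    return hashlib.md5(pseudo + header + payload + key).digest()

def accept_segment(src_ip, dst_ip, tcp_header, payload, digest, peer_keys):
    """Receiver side: drop the segment unless a key is provisioned for this
    peer and the digest carried in the TCP option matches."""
    key = peer_keys.get(src_ip)
    if key is None or digest is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, digest)

# Constructed sample: leaf 10.0.1.1 opens a BGP session (port 179) to spine 10.0.1.2.
LEAF, SPINE = "10.0.1.1", "10.0.1.2"
SYN_HEADER = struct.pack("!HHIIHHHH", 49152, 179, 1000, 0,
                         (10 << 12) | 0x002, 65535, 0xBEEF, 0)
SPINE_KEYS = {LEAF: b"constructed-leaf1-key"}  # one shared secret per peer

def demo():
    good = tcp_md5_digest(LEAF, SPINE, SYN_HEADER, b"", SPINE_KEYS[LEAF])
    stale = tcp_md5_digest(LEAF, SPINE, SYN_HEADER, b"", b"old-key-before-rotation")
    return {
        "matching_key": accept_segment(LEAF, SPINE, SYN_HEADER, b"", good, SPINE_KEYS),
        "stale_key": accept_segment(LEAF, SPINE, SYN_HEADER, b"", stale, SPINE_KEYS),
        "unsigned": accept_segment(LEAF, SPINE, SYN_HEADER, b"", None, SPINE_KEYS),
        "unknown_peer": accept_segment("10.0.1.9", SPINE, SYN_HEADER, b"", good, SPINE_KEYS),
    }

if __name__ == "__main__":
    print(demo())
```

Every session needs the same secret configured on both routers, so a fabric with thousands of EBGP sessions needs a way to distribute and rotate those secrets without dropping sessions.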