Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
"Adrian Farrel" <adrian@olddog.co.uk> Tue, 17 July 2012 15:43 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0FC321F85AD; Tue, 17 Jul 2012 08:43:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.466
X-Spam-Level:
X-Spam-Status: No, score=-2.466 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u9Ng2GMDJKlc; Tue, 17 Jul 2012 08:43:25 -0700 (PDT)
Received: from asmtp4.iomartmail.com (asmtp4.iomartmail.com [62.128.201.175]) by ietfa.amsl.com (Postfix) with ESMTP id E53F221F858A; Tue, 17 Jul 2012 08:43:24 -0700 (PDT)
Received: from asmtp4.iomartmail.com (localhost.localdomain [127.0.0.1]) by asmtp4.iomartmail.com (8.13.8/8.13.8) with ESMTP id q6HFi9ZE012415; Tue, 17 Jul 2012 16:44:09 +0100
Received: from 950129200 (dsl-sp-81-140-15-32.in-addr.broadbandscope.com [81.140.15.32]) (authenticated bits=0) by asmtp4.iomartmail.com (8.13.8/8.13.8) with ESMTP id q6HFi7qq012403 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 17 Jul 2012 16:44:08 +0100
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Susan Hares' <shares@ndzh.com>, "'John G. Scudder'" <jgs@juniper.net>, stbryant@cisco.com
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil> <005401cd63aa$baeac2b0$30c04810$@ndzh.com> <5005132E.9000000@cisco.com> <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com>
In-Reply-To: <001301cd6431$87944a30$96bcde90$@ndzh.com>
Date: Tue, 17 Jul 2012 16:44:07 +0100
Message-ID: <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJKmuJjwEjeN+Alq24qu8oI3WgY1gDXd0BoAZu+ckcBR6c4qgLA7Guwlf9QZyA=
Content-Language: en-gb
Cc: secdir@ietf.org, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, idr-chairs@tools.ietf.org, iesg@ietf.org, draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: adrian@olddog.co.uk
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 15:43:26 -0000
IMHO, you are right Sue. Stating "MUST NOT" in a specification does not prevent something from happening. Using "MUST NOT" for a specification is fine because we can test for conformance to that and strike an implementation that does not respect the language. Using "MUST NOT" in a description of an operator process is not as strong or useful. I think that "weakening" loop detection is a bad thing, but it is also a price an operator might want to pay to get moved to 4byte AS numbers quickly when a few corner boxes might take another 12 months to be upgraded. I agree with John that the text is not security-related. So, I would rephrase and reposition the text. - Do explain the risk of switching to 4bytes before everyone is upgraded. - Do explain the boundaries to the risk - Do expect operators to consider the implications - Don't mandate what an operator does in the privacy of their own bedroom A > -----Original Message----- > From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf Of Susan > Hares > Sent: 17 July 2012 16:34 > To: 'John G. Scudder'; stbryant@cisco.com > Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org; iesg@ietf.org; > 'Catherine Meadows'; draft-ietf-idr-rfc4893bis.all@tools.ietf.org > Subject: RE: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend > of a resend) > > John and Stuart: > > This an acceptable text, and we can go on with this draft. > > However, my question to Catherine was substantive. I wish to discuss with > the Routing AD(s), Security people, and Benoit/Ron to understand the > Routing/Operational issues. > > "Must Not" configure is unrealistic. People misconfigure. Yankee Group and > other research houses places have indicated year-on-year 15-30% outages are > caused by this misconfigured. It's like the statement "stuff happens." > Stating "Must not" is like spitting into the wind. You end up with stuff on > your face. What is the security area stating? How does this review match > with the path validation/security in SIDR. > > Can we get Catherine or other security people to respond to my question? > Cross-area review is useful to find wholes in our process and our > assumptions. I want to make sure I understand the valuable technical > feedback the security review is providing. > > > Sue > > -----Original Message----- > From: John G. Scudder [mailto:jgs@juniper.net] > Sent: Tuesday, July 17, 2012 10:38 AM > To: stbryant@cisco.com > Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org; > secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org; 'Murphy, > Sandra' > Subject: Re: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 > (resend of a resend) > > Stewart, > > I'm fine with the text you propose. > > (I do find it a little odd to have this text -- either old or new -- in the > Security section since routing loops aren't normally though of as a security > issue unless maliciously triggered -- which this one isn't described as > being. So I would also be fine with changing the text but moving it to a > different section. But that is quibbling.) > > --John > > On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote: > > > Sue, John, > > > > Is there any reason not to reword the text concerned to more > > conventional format: > > > > OLD > > It is a misconfiguration to assign a non-mappable four-octet AS > > number as the "Member AS Number" in a BGP confederation before all > > the BGP speakers within the confederation have transitioned to > > support four-octet AS numbers. Such a misconfiguration would weaken > > the AS path loop detection within a confederation. > > > > NEW > > > > > A network operator MUST NOT assign a non-mappable four-octet AS number > > as the "Member AS Number" in a BGP confederation before all the BGP > > speakers within the confederation have transitioned to support > > four-octet AS numbers, as such an assignment would weaken the AS path > > loop detection within a confederation. > > > > Stewart > > > > On 17/07/2012 00:28, Susan Hares wrote: > >> Catherine: > >> > >> I've read and re-read this email for a week (7/9 - 7/16). > >> > >> Misconfiguration is a fact of life in networks. Security profiles must > deal with this point. We can all say you should not misconfigure networks - > but life happens. Therefore, I'm confused by your question. I would > consider it is just a security event the authors pointing happens. > >> > >> On your second comment > >> > >> "I would also expect that the chance of routing loops arising out > >> conversion from 4-octet to 2-octet occurring between confederations > >> would be much less than of their occurring within a confederation > >> (although one can't know for sure without knowing what the 4-octet to > >> 2-octet mapping is), so following the recommendations in the Security > >> Considerations would greatly reduce the probability of such a routing > >> loop occurring. Is this correct? " > >> > >> It depends if someone configures a confederation within a confederation. > [see earlier comment on mis-configuration.] I've copied Sandy Murphy in case > as SIDR chair can put this discussion into a different "security" specific > light. > >> > >> Confused, > >> > >> Sue > >> > >> > >> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil] > >> Sent: Monday, July 09, 2012 2:25 PM > >> To: iesg@ietf.org; secdir@ietf.org; > >> draft-ietf-idr-rfc4893bis.all@tools.ietf.org > >> Cc: Catherine Meadows > >> Subject: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 > >> (resend of a resend) > >> > >> I managed to screw up the email address again. Here it is for what I > hope is the last time. > >> My apologies again to everyone who receives *three* copies of this > message. > >> > >> I have reviewed this document as part of the security directorate's > >> ongoing effort to review all IETF documents being processed by the > >> IESG. These comments were written primarily for the benefit of the > >> security area directors. Document editors and WG chairs should treat > >> these comments just like any other last call comments. > >> > >> This document describes an added capability for four-octet Autonomous > >> System > >> (AS) numbers in BGP. This is intended to replace the older > >> two-octet AS numbers, since that space is filling up. > >> > >> In order to preserve backward compatibility, AS's using the > >> four-octet systems (called New BGP speakers in the document) must > advertise both four-octet and two-octet AS numbers. > >> This is the case even if the New BGP Speaker does not have a globally > unique two-octet number. > >> The document says that in this case the two-octet number is obtained > >> by mapping the four-octet number to the two-octet space. The procedure > for doing this is not specified. > >> > >> The authors identify a risk of routing loops developing when > >> ambiguities develops as a result of a BGP speaker using the old > >> system aggregating two or more routes carrying 4-octet attributes. > >> In the Security Configurations Section, the authors point out that an > >> attacker might be able to exploit this in a denial of service attack. > >> They point out that it is a misconfiguration to assign 4-octet Member AS > Numbers in a BGP confederation until all BGP speakers within the > confederation have transitioned to support 4-octet numbers. > >> > >> I think that this is a good recommendation. I just have a couple of > minor comments. > >> > >> It's not clear to me what the status of "misconfiguration" is in the > hierarchy of IETF. > >> Is it more like SHALL NOT or SHOULD NOT? Is there a reason why > >> you're saying "misconfiguration" instead of one of those? > >> > >> I would also expect that the chance of routing loops arising out > >> conversion from 4-octet to 2-octet occurring between confederations > >> would be much less than of their occurring within a confederation > >> (although one can't know for sure without knowing what the 4-octet to > >> 2-octet mapping is), so following the recommendations in the Security > Considerations would greatly reduce the probability of such a routing loop > occurring. Is this correct? > >> > >> Cathy Meadows > >> Catherine Meadows > >> Naval Research Laboratory > >> Code 5543 > >> 4555 Overlook Ave., S.W. > >> Washington DC, 20375 > >> phone: 202-767-3490 > >> fax: 202-404-7942 > >> email: catherine.meadows@nrl.navy.mil > >> > > > > > > -- > > For corporate legal information go to: > > > > > > http://www.cisco.com/web/about/doing_business/legal/cri/index.html > > > > > >
- [secdir] Secdir Review of draft-ietf-idr-rfc4893b… Catherine Meadows
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… Stewart Bryant
- Re: [secdir] Spam:*******, Secdir Review of draft… John G. Scudder
- Re: [secdir] Spam:*******, Secdir Review of draft… Adrian Farrel
- Re: [secdir] Spam:*******, Secdir Review of draft… Adrian Farrel
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… Stewart Bryant
- Re: [secdir] Spam:*******, Secdir Review of draft… Catherine A Meadows
- Re: [secdir] Spam:*******, Re: Spam:*******, Secd… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… John G. Scudder
- Re: [secdir] Spam:*******, Secdir Review of draft… Murphy, Sandra
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… John G. Scudder
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares