[secdir] review of draft-ietf-l3vpn-as4octet-ext-community-03

Stephen Kent <kent@bbn.com> Thu, 09 July 2009 18:32 UTC

Message-Id: <p06240808c67be7f4dfdd@[128.89.89.96]>
Date: Thu, 09 Jul 2009 14:32:56 -0400
To: secdir@core3.amsl.com
From: Stephen Kent <kent@bbn.com>
Cc: yakov@juniper.net, Dan.Tappan@Gmail.com, rsrihari@cisco.com
Subject: [secdir] review of draft-ietf-l3vpn-as4octet-ext-community-03

I reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

Draft-ietf-l3vpn-as4octet-ext-community-03.txt is a very brief (6 
page) document that defines a new type of BGP extended community, one 
that can carry 32-bit AS numbers. It is a simple, logical successor 
to the existing extended community structure, which is limited to 
representing 16-bit AS numbers.

The Security Considerations section states that "All the security 
considerations for BGP Extended Communities apply here."  This may 
not be very informative for the average reader. I thought it might be 
preferable to include references here to relevant Security 
Considerations sections from prior RFCs dealing with this topic. So, 
I looked at RFC 4360 (BGP Extended Communities Attribute), since that 
is the document that is being extended to accommodate 32-bit ASNs. 
However, that document has a largely vacuous security considerations 
section:

"This extension to BGP has similar security implications as BGP 
Communities [RFC1997].

This extension to BGP does not change the underlying security issues. 
Specifically, an operator who is relying on the information carried 
in BGP must have a transitive trust relationship back to the source 
of the information.  Specifying the mechanism(s) to provide such a 
relationship is beyond the scope of this document."

I then looked at RFC 1997, and discovered that its Security 
Considerations section states:

"Security issues are not discussed in this memo."

I suggest the authors take the time to write a meaningful Security 
Considerations section addressing BGP Extended Communities, since 
none of the prior documents on this topic seem to have done so.
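The review above summarises the draft as a successor to the RFC 4360 extended community structure that can carry a 32-bit AS number. The decoder and encoder below are an added example, not part of Stephen Kent's review or of the draft's own text: they show, on constructed sample octets, how the two-octet AS specific form (Global Administrator 2 octets, Local Administrator 4 octets) and the four-octet AS specific form (Global Administrator 4 octets, Local Administrator 2 octets) differ, and why an ASN above 65535 cannot be expressed in the older form. The type values (0x00 for two-octet AS specific, 0x02 for four-octet AS specific, 0x40 as the non-transitive bit) and the route-target / route-origin sub-types are taken from RFC 4360 and RFC 5668 rather than from this page, and are stated as assumptions in the code. A receiver that rejects unrecognised types instead of guessing at the field layout is the defensive reading of the structure; the "transitive trust" point the review quotes is not addressed by the format itself.

```python
"""Decode and encode BGP AS-specific extended communities.

Added example (not the draft's or the reviewer's code). Constants are
assumed from RFC 4360 (two-octet AS specific) and RFC 5668 (four-octet
AS specific); sample octet strings below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# High octet of the Type field. Bit 0x40 set means "non-transitive".
TWO_OCTET_AS_SPECIFIC = 0x00   # RFC 4360, assumed
FOUR_OCTET_AS_SPECIFIC = 0x02  # RFC 5668, assumed
NON_TRANSITIVE_BIT = 0x40

# Sub-types shared by both forms (assumed from RFC 4360 / RFC 5668).
SUBTYPE_NAMES = {0x02: "route-target", 0x03: "route-origin"}
SUBTYPE_CODES = {name: code for code, name in SUBTYPE_NAMES.items()}


@dataclass(frozen=True)
class AsSpecificCommunity:
    asn: int
    local_admin: int
    subtype: str
    transitive: bool
    four_octet: bool

    def __str__(self) -> str:
        return f"{self.subtype}:AS{self.asn}:{self.local_admin}"


def decode_extended_community(raw: bytes) -> AsSpecificCommunity:
    """Parse one 8-octet AS-specific extended community.

    Anything that is not a two- or four-octet AS specific community with a
    known sub-type is rejected rather than guessed at, so a receiver never
    misreads the administrator fields of an unknown layout.
    """
    if len(raw) != 8:
        raise ValueError(f"extended community must be 8 octets, got {len(raw)}")
    type_high, subtype_code = raw[0], raw[1]
    transitive = not (type_high & NON_TRANSITIVE_BIT)
    base_type = type_high & ~NON_TRANSITIVE_BIT
    if subtype_code not in SUBTYPE_NAMES:
        raise ValueError(f"unsupported sub-type 0x{subtype_code:02x}")
    if base_type == TWO_OCTET_AS_SPECIFIC:
        # Global Administrator (ASN) is 2 octets, Local Administrator 4 octets.
        asn, local_admin = struct.unpack("!HI", raw[2:])
        four_octet = False
    elif base_type == FOUR_OCTET_AS_SPECIFIC:
        # Global Administrator (ASN) is 4 octets, Local Administrator 2 octets.
        asn, local_admin = struct.unpack("!IH", raw[2:])
        four_octet = True
    else:
        raise ValueError(f"unsupported type 0x{type_high:02x}")
    return AsSpecificCommunity(asn, local_admin, SUBTYPE_NAMES[subtype_code],
                               transitive, four_octet)


def encode_as_specific(asn: int, local_admin: int,
                       subtype: str = "route-target",
                       transitive: bool = True) -> bytes:
    """Build the 8-octet encoding, using the four-octet form only when the
    ASN does not fit in 16 bits (the case the draft exists to cover)."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError("ASN must fit in 32 bits")
    subtype_code = SUBTYPE_CODES[subtype]
    flag = 0 if transitive else NON_TRANSITIVE_BIT
    if asn <= 0xFFFF:
        if not 0 <= local_admin <= 0xFFFFFFFF:
            raise ValueError("local administrator must fit in 32 bits")
        return struct.pack("!BBHI", TWO_OCTET_AS_SPECIFIC | flag,
                           subtype_code, asn, local_admin)
    # A 32-bit ASN leaves only 16 bits for the local administrator.
    if not 0 <= local_admin <= 0xFFFF:
        raise ValueError("four-octet form leaves only 16 bits for the local administrator")
    return struct.pack("!BBIH", FOUR_OCTET_AS_SPECIFIC | flag,
                       subtype_code, asn, local_admin)


if __name__ == "__main__":
    # Constructed samples: AS10:100 (two-octet form) and AS65536:100 (four-octet form).
    for sample in ("0002000a00000064", "0202000100000064", "4203000100000064"):
        community = decode_extended_community(bytes.fromhex(sample))
        print(sample, "->", community, "transitive" if community.transitive else "non-transitive")
    print(encode_as_specific(65536, 100).hex())
```

Round-tripping a value through `encode_as_specific` and `decode_extended_community` is a cheap check to add to any tooling that generates route targets for 32-bit ASNs: the four-octet form silently changes which field is wide, and a value that was legal as a 32-bit local administrator under AS 10 is not encodable under AS 65536.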