IETF Logo Mail Archive

Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30

Magnus Nyström <magnusn@gmail.com> Wed, 24 April 2024 19:16 UTC

Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA4C6C14F5FC; Wed, 24 Apr 2024 12:16:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GMh_D9DklBlm; Wed, 24 Apr 2024 12:16:11 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00F4AC14F6E1; Wed, 24 Apr 2024 12:16:06 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id ca18e2360f4ac-7d5e4097a9aso8804439f.3; Wed, 24 Apr 2024 12:16:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713986166; x=1714590966; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=V0Yh7sEk5m8kur8Z02A18ggvOyzxG3Bfb3e99FD9b4o=; b=l/GY8XrTzMj853RnhUxbsOYRxsV3m5jjSlSWGp7nmG53cZ0zl3g/nnYfDPSecM1yNZ TqqJr6z+sw5sqK55l+pTeyIoGVQuCQLDd1spIiBFP4dMudLj7JTWKZnO3edgEfrGQoD4 t74ZKUlUi0ljK3VXHZPrkcp6Xv7CX3bgZIEE92ww/SvpJJ+3zH+Wy5k9lO6j0p9gC3Ca w4ko2bgrw05TaaieMdPzBmZ6+gsQLIwa/Ly0FEIQxXdfXxsXsu+CCUBdmcQ+s+Xmdkvu zJuijEFjMgiqRmbeEtxiHZk8up78vXYyyGCvhjNqy2j9NSOqEw2QkGdwdAGobfEXdXO+ Iz9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713986166; x=1714590966; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=V0Yh7sEk5m8kur8Z02A18ggvOyzxG3Bfb3e99FD9b4o=; b=D0w88j7+GeHEVNcbWh/pp1IuVWADCVmxXDpqRiufBptwrokxNjEKMsE+hundijvzZL dqEADJNOAmeVxHGYSelMMuVcFTW78bPpbKyaSltzixXhHQyNEGuRqcWlFNQ2MeLqKEYm gWKYu4WqrVXZMbsSqefg7rJrVSxbntbUMTZZ66GR/jbuBSezruv7GsqxQWxuPh7fix7C DcyQIqMumpri0WtuCmDZd28xyFKENngLMSDWfccXQtKncov195pWZsUOBdz0wIaFxSRN 89cibn/Thtasa46Kvw8cMbgBhmNaTy/efkTov6C+KHHZKyzm4cwcb/GX3lGP5PaT3IfS trPA==
X-Forwarded-Encrypted: i=1; AJvYcCVq1srRyj3cpZx0LoH6AJj/iCysJMgoFp9aSrWHi3VIkDRFDi+ke07LthH1JGsnLJkLCWo1gNJ3Y32BoaXvytEKU2HFAUL0aqlIRsXw8QUdQ4mm93lVkDkdNTG/+6iUyBisoeqXgVJhmOyJokng5YYzsQ==
X-Gm-Message-State: AOJu0Ywt7jiW3E6/TKB4lfmCCpX/eI1wJYD05EQD1/QJkfgm0x+dk0t9 ZQRmIcGnY7S8BVqeUOzS7PuIS68UFVpF1YzM/6pzELxvi64A6ZaKnX3eqOvjUvKgYNduIbfkb9h 5zBP20nq4JbNcC7TiclK0T/D/N4wg/RWb
X-Google-Smtp-Source: AGHT+IHWR8kDyxuZhuOjhYTBIshmtBxQxSEU8X+HpgEiYkFvG3sx2bY8uAWL4HJdrQejADZ1fDowfxFBCDbiB9f/1rM=
X-Received: by 2002:a05:6e02:b26:b0:36c:f0b:4f01 with SMTP id e6-20020a056e020b2600b0036c0f0b4f01mr5127833ilu.6.1713986165674; Wed, 24 Apr 2024 12:16:05 -0700 (PDT)
MIME-Version: 1.0
References: <171255343637.3005.42205344596392120@ietfa.amsl.com> <SJ0PR05MB8632FDD8A3852BA61687C652A2072@SJ0PR05MB8632.namprd05.prod.outlook.com> <DM6PR08MB4857BF2A91EFF6DD1E3EDE3FB3072@DM6PR08MB4857.namprd08.prod.outlook.com> <CADajj4ZODE8DjCiwnj281yWLUTw-xYMye-4Lbs0nLBNmxfS-SQ@mail.gmail.com> <CO1PR08MB6611165230FC47F88B7AAC8EB3112@CO1PR08MB6611.namprd08.prod.outlook.com>
In-Reply-To: <CO1PR08MB6611165230FC47F88B7AAC8EB3112@CO1PR08MB6611.namprd08.prod.outlook.com>
From: Magnus Nyström <magnusn@gmail.com>
Date: Wed, 24 Apr 2024 12:15:54 -0700
Message-ID: <CADajj4a30_Cwd_dKLoDEReg=Wh1cCR3Q74c6LaD3g70QpZUoFA@mail.gmail.com>
To: Susan Hares <shares@ndzh.com>
Cc: Kaliraj Vairavakkalai <kaliraj@juniper.net>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-idr-bgp-ct.all@ietf.org" <draft-ietf-idr-bgp-ct.all@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008e1dcf0616dc8000"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/MO6BPGhp7O8aUN0xJi1RB2adJp0>
Subject: Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2024 19:16:16 -0000

Aligned, thanks!

On Tue, Apr 23, 2024 at 4:18 PM Susan Hares <shares@ndzh.com> wrote:

> Magnus:
>
>
>
> Thank you for your feedback.  See my comments below.
>
>
>
> I will request that the authors change the “*could*” to a “*should*”
> before submitting to the draft-ietf-idr-bgp-ct in the following sentence:
>
> Old text: /  “In order to mitigate the risk of the diversion of traffic
> from its intended destination,  existing BGPsec solutions *could* be
> extended and supported for this SAFI.”/
>
> New text:/ “In order to mitigate the risk of the diversion of traffic from
> its intended destination,  existing BGPsec solutions *should* be extended
> and supported for this SAFI.”/
>
> Cheerily, Sue Hares
>
>
>
> *From:* Magnus Nyström <magnusn@gmail.com>
> *Sent:* Tuesday, April 23, 2024 4:20 PM
> *To:* Susan Hares <shares@ndzh.com>
> *Cc:* Kaliraj Vairavakkalai <kaliraj@juniper.net>; secdir@ietf.org;
> draft-ietf-idr-bgp-ct.all@ietf.org; idr@ietf.org
> *Subject:* Re: [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30
>
>
>
>
>
> Hi Sue and apologies for my tardiness. See below.
>
>
>
> On Tue, Apr 9, 2024 at 4:30 PM Susan Hares <shares@ndzh.com> wrote:
>
> Magnus:
>
>
>
> As shepherd of the draft-ietf-idr-bgp-ct draft,  I need additional
> information about your review.   Would you help me by answering three
> questions?
>
> For these questions, imagine a series of networks cooperating to get
> traffic between either: a) two data centers or b) between data centers and
> user phones.
>
> Thank you, Sue Hares
>
> *Question 1:  What are you assuming is involved in BGPsec solutions? *
>
> The text in draft-ietf-idr-bgp-ct-30 states in the security section:
>
> “To mitigate any risk of manipulating the routing information carried
> within a new SAFI, BGP origin validation [RFC6811] and BGPsec [RFC8205]  MAY
> be used as means to increase assurance that the information  has not been
> falsified.”
>
>  AND
>
>  “In order to mitigate the risk of the diversion of traffic from its
> intended destination,  existing BGPsec solutions could be extended and
> supported for this SAFI.”
>
>  This points to basic protocols plus solutions augmented to support this
> for the BGP Updates with the AFI/SAFIs that include the CT SAFI.
>
> Are you taking “BGPSec solutions” to mean:
>
>    1. implementations are being extended to work with CT AFI/SAFI or
>
> b.      additions IETF protocols for BGPsec that include additional
> features?
>
> My understanding is that “BGPsec solutions” in the CT document is adding
> BGPsec protocol + Origin validation to implementations supporting CT.
>
>
>
> *MN: *Right, I did not expect additions to IETF protocols for BGPsec
> would be required (beyond what possibly is in this memo already), but I was
> wondering if that "could" was intended to be a "should" (or should be a
> "should). I mean, pretty much everything "could" always be enhanced.
>
>
>
> *Sue2: *Many operators utilize the Origin validation along with
> private-links to provide scalable security. Since CT is target at the
> providers space with private-links, this may be the most deployed
> solution.  BGPsec could be extended to support this SAFI.
>
> *Sue2:* I’ll suggest the authors change the following sentence to:
>
>
>
> Old text:/  “In order to mitigate the risk of the diversion of traffic
> from its intended destination,  existing BGPsec solutions could be
> extended and supported for this SAFI.”/
>
> New text:/  “In order to mitigate the risk of the diversion of traffic
> from its intended destination,
>
>        existing BGPsec solutions (e.g. BGPsec or Route Origin Validation)
> should be extended and supported for this SAFI.”/
>
>
>
> *2) Are you familiar with the potential additions to BGPsec and Origin
> Validation? *
>
>
>
> One could secure other attributes that do not change between routers
> within the BGP Update packet.  These attributes could be secured separately
> from the BGP Path attribute.   The benefit of securing such things as the
> “BGP Tunnel Encapsulation Attribute” may aid in securing the distribution
> of tunnel endpoints within a domain containing multiple AS within a
> network.
>
>
>
> One could register locally Origin validation specific to the transport
> addresses used by CAR and CT.
>
>
>
> *MN: *I am not familiar with those additions and not sure how they would
> read on this CT work, I will have to defer to others on this.
>
> *Sue-2: *Thank you for letting me know.
>
>
>
> *3) Are you familiar with the amount of Configuration involved in these
> features?  *
>
> You mention this text in your review:
>
> "The restriction of the applicability of this SAFI to its intended
> well-defined scope limits the
> likelihood of traffic diversions. Furthermore, as long as the filtering and
> appropriate configuration mechanisms discussed previously are applied
> diligently, risk of the diversion of the traffic is significantly
> mitigated."
>
> This text was written to indicate (as described in the CT document)
>
>    1. Networks are filtering offered data traffic into different service
>    levels (e.g. gold, silver, bronze service levels),
>
> This filtering includes normal filtering of traffic against DDOS and other
> attack traffic.
>
>    2. Data Traffic is placed on set-up transport pathways created by the
>    BGP protocols.
>
> 3.      Back-up pathways are also set-up by the BGP protocol with input
> from IGP protocols.
>
> All of this setup requires a great deal of configuration on the nodes.
>
>
>
> *MN: *I agree, and this goes back to my question there - are the
> extensions a "could" or a "should". For example, if the configuration will
> be so involved as to be likely to cause incidents because of incorrectness
> from a security perspective, maybe that "could" is a "should"?
>
>
>
> *Sue-2:  *Thank you for your response. Most operators run the
> configuration from automated system where double checks are made before
> deploy.  Origin Validation catches a many of the current set of issues, but
> BGP should continually work toward improving security levels.
>
>
>
> Sue-2: (resolution):  I agree with adding should the previous sentence.
>
>
>
>
>
>
>
>
>
>
>
> *From:* Kaliraj Vairavakkalai <kaliraj@juniper.net>
> *Sent:* Monday, April 8, 2024 10:38 PM
> *To:* Magnus Nyström <magnusn@gmail.com>; secdir@ietf.org
> *Cc:* draft-ietf-idr-bgp-ct.all@ietf.org; idr@ietf.org
> *Subject:* Re: [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30
>
>
>
>
>
> Hi Magnus,
>
>
>
> > was this meant to say "existing BGPsec solutions" or "the existing BGP
> solution"?
>
>
>
> I think we should change it to ‘existing BGP solutions’. Agree.
>
>
>
> Thanks,
>
> Kaliraj
>
>
>
>
>
> Juniper Business Use Only
>
> *From: *Idr <idr-bounces@ietf.org> on behalf of Magnus Nyström via
> Datatracker <noreply@ietf.org>
> *Date: *Sunday, April 7, 2024 at 10:17 PM
> *To: *secdir@ietf.org <secdir@ietf.org>
> *Cc: *draft-ietf-idr-bgp-ct.all@ietf.org <
> draft-ietf-idr-bgp-ct.all@ietf.org>, idr@ietf.org <idr@ietf.org>
> *Subject: *[Idr] Secdir early review of draft-ietf-idr-bgp-ct-30
>
> [External Email. Be cautious of content]
>
>
> Reviewer: Magnus Nyström
> Review result: Has Nits
>
> Comparing with my original review (-18) the authors have addressed my
> concerns.
> There is one remaining, probably smaller, issue: The Security
> Considerations
> section states: "In order to mitigate the risk of the diversion of traffic
> from
> its intended destination, existing BGPsec solution could be extended and
> supported for this SAFI." - was this meant to say "existing BGPsec
> solutions"
> or "the existing BGP solution"? Also, it isn't clear how BGPsec should be
> extended - and if it would provide any substantial benefit over the
> mechanisms
> described herein (the remainder of this paragraph states: "The restriction
> of
> the aplicability of this SAFI to its intended well-defined scope limits the
> likelihood of traffic diversions. Furthermore, as long as the filtering and
> appropriate configuration mechanisms discussed previously are applied
> diligently, risk of the diversion of the traffic is significantly
> mitigated.").
>
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
>
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/idr__;!!NEt6yMaO-gk!B2BvMqPMR2r1KICWj3Vip_HLeDU5abmgtAXxyMwbmZhtzxUlyiprfSYhkYvbMBSGgTiBOIH3LSaGNns$
> <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/idr__;!!NEt6yMaO-gk!B2BvMqPMR2r1KICWj3Vip_HLeDU5abmgtAXxyMwbmZhtzxUlyiprfSYhkYvbMBSGgTiBOIH3LSaGNns$>
>
>
>
> --
>
> -- Magnus
>


-- 
-- Magnus

v2.45.0 | Report a Bug | By Email | System Status