IETF Logo Mail Archive

Re: [secdir] Secdir early review of draft-ietf-rtgwg-net2cloud-problem-statement-22

Uri Blumenthal <uri@mit.edu> Tue, 25 April 2023 07:12 UTC

Return-Path: <uri@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7F55C151556 for <secdir@ietfa.amsl.com>; Tue, 25 Apr 2023 00:12:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.396
X-Spam-Level:
X-Spam-Status: No, score=-4.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRuxXq44NFwi for <secdir@ietfa.amsl.com>; Tue, 25 Apr 2023 00:12:44 -0700 (PDT)
Received: from outgoing-exchange-3.mit.edu (outgoing-exchange-3.mit.edu [18.9.28.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48BA5C14CF18 for <secdir@ietf.org>; Tue, 25 Apr 2023 00:12:43 -0700 (PDT)
Received: from oc11exedge2.exchange.mit.edu (OC11EXEDGE2.EXCHANGE.MIT.EDU [18.9.3.18]) by outgoing-exchange-3.mit.edu (8.14.7/8.12.4) with ESMTP id 33P7CbcT014103; Tue, 25 Apr 2023 03:12:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1682406759; bh=8cYtvuyMap4dcJS3OKqb5Q7TrJ/8f4B7J/QgjSAgzwU=; h=From:To:CC:Subject:Date:References:In-Reply-To; b=BiapvlR4L0jdAR1syTqd9M5muZt5n7W7zWLHZb13p+JZN+ob6pmOXxcTtJJ2jHSAc +QKWthaAg9XZa6yvpCGd950yogqj7lSA+gULSLgYKrjKYCjgRGheBW0Gg2ej/gTvku 2SKulfRBA9r2OilenRZ8KpUhNq9USGFVJ29I5Uti3+qDUQjvMBUsBQH6PcnTRW22IK OMs32DkICyuAL67P23ui3y/ytdkvGzVvLgwo/acHfFHu5cKpdShiG/7j7DnUWj5pLZ TFXSAe5nj69auXo2E084NaPIGUouISNIDE1CdQYqBeeD17e+XgH8aGfyqnLV5IanVG OEXHuvgo5HpGA==
Received: from w92expo20.exchange.mit.edu (18.7.74.74) by oc11exedge2.exchange.mit.edu (18.9.3.18) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Tue, 25 Apr 2023 03:12:19 -0400
Received: from oc11exhyb2.exchange.mit.edu (18.9.1.98) by w92expo20.exchange.mit.edu (18.7.74.74) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Tue, 25 Apr 2023 03:12:37 -0400
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (104.47.58.168) by oc11exhyb2.exchange.mit.edu (18.9.1.98) with Microsoft SMTP Server (TLS) id 15.0.1497.48 via Frontend Transport; Tue, 25 Apr 2023 03:12:37 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kzwxB4gKgNnbLSXefdR1ePNt/BtMekIfnCKEra+DF05msq+hN+ruCxcltyZqb80qWsauGTAeaEEDr65xIyiqD97xUXu1LvXQCd7VDKUhCcHf08uGnMWotSiaZbFeC9XfnL1tMYIjd+Qg6F0Y5yJT/otMEhqLbCX1UcoHBlM1h8Nu7SbAtv/kNwloUKTdX25ZU/WfC7gs9owee+7YPHOgMZRm4LKcNRLl+t5QYOVCeM0JrDV4Wg1Mn6QejHwHPjEwVmCg1Lm/Qdf5K03PSGBJqUaIebdZOK/Ls40aa6yT0C8yA495u5DCc6NjpYbn02ghv3F4C2MTO+N6V5hKDvQ4xg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8cYtvuyMap4dcJS3OKqb5Q7TrJ/8f4B7J/QgjSAgzwU=; b=iK6tE0cCYfyvWF1seeUDzS9q/XS8txX5xg4W+6tueYKBDHh8DSYnOqDHgBnhs8DxCRpXv+bfJAyoJVwDpupXBKbslG3S7SC1qvd810pMU5QvkaraF9LKFyMfLgUyIGMw4vOQUf6qHOinDrm4k3r8aTeOkveVy6uuSB2aAk1u3zgJaAQMQIWNPS1wuXi9aAMNlTZgMWKlf+vQX3QGD7TLLIZ6i/raKyCZbbDDUdvnzIKLD/dM126tSLIMUY2olVgYzB5GXdSXoGHpU+jx/d/tMLG/CngnFKvlc4ofHhPc8u7FTi3ZTfRZJkTZbgjvcJf9xvGcFKp153ULoAc/ls+xDw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
Received: from BN7PR01MB3667.prod.exchangelabs.com (2603:10b6:406:81::32) by DM6PR01MB5403.prod.exchangelabs.com (2603:10b6:5:154::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6340.19; Tue, 25 Apr 2023 07:12:33 +0000
Received: from BN7PR01MB3667.prod.exchangelabs.com ([fe80::6b78:85b2:b827:ada3]) by BN7PR01MB3667.prod.exchangelabs.com ([fe80::6b78:85b2:b827:ada3%5]) with mapi id 15.20.6340.020; Tue, 25 Apr 2023 07:12:33 +0000
From: Uri Blumenthal <uri@mit.edu>
To: Robert Raszuk <robert@raszuk.net>
CC: Linda Dunbar <linda.dunbar@futurewei.com>, Deb Cooley <debcooley1@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org" <draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org>, "rtgwg@ietf.org" <rtgwg@ietf.org>
Thread-Topic: [secdir] Secdir early review of draft-ietf-rtgwg-net2cloud-problem-statement-22
Thread-Index: AQHZatJLCYBx8P5zoUKeP3+TQu6T4a8i1vCAgAVIroCAAojWgIAJruSAgAawoYCAACPjVoAAE88AgAAoSxiAAEKCgIAACn52
Date: Tue, 25 Apr 2023 07:12:33 +0000
Message-ID: <769944E3-5835-454F-8004-B764299CDC21@mit.edu>
References: <168103791733.43307.11737105219506688508@ietfa.amsl.com> <643A15FC-6BFB-4723-93C4-6ECA22C128FE@gmail.com> <CO1PR13MB492092C6FEF537BB817A25F8859B9@CO1PR13MB4920.namprd13.prod.outlook.com> <CAGgd1OcSzYtfCFO5sVG_VhZuCwU0FWj-xyYRp=r7rJ41B+i5rg@mail.gmail.com> <CAGgd1Ofuau_y5x1TznUuOBrjM+BX4MrJ-iP8rTZnGc6VFOZ7+Q@mail.gmail.com> <CO1PR13MB4920D4AC874DE8A007E2FC2A85679@CO1PR13MB4920.namprd13.prod.outlook.com> <598327D8-E9D8-492E-A5B0-FD134EB19A0A@mit.edu> <CO1PR13MB49206255AD7771A1B499064085649@CO1PR13MB4920.namprd13.prod.outlook.com> <A1FDB15C-AE02-45EF-8F1B-9BC9168939B9@mit.edu> <CAOj+MMHLJcDE2028vyJOUBjE80Sxks5NzR-f1ohNerx2_beNog@mail.gmail.com>
In-Reply-To: <CAOj+MMHLJcDE2028vyJOUBjE80Sxks5NzR-f1ohNerx2_beNog@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN7PR01MB3667:EE_|DM6PR01MB5403:EE_
x-ms-office365-filtering-correlation-id: 45b05d21-d4ba-4ef0-921f-08db455c709e
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: sB/4Uk099NAxBMG92nBKMWgeBzqbGlbju3LpqMhzjaKBznzbyTLrdNHI7lbINspwc4KzquuOOKBcMP3RYA7mqygM7zY1gbC0mWlomLgD0ZKGvAwcWTUojy8OVReipEr7EM+xrwSEErpQ693PUbRI8c+pEwJNzAr0gtBHmivpY/bsffBn9l7WIT5T+FzDt9ZWswkRUwJyV4BbUvuu9wjTUJKxNOHZUIJ/icoHIOWhOsyVWI+9EHCm/N28QmAw9EtPFUXp1C7XvTl1zG9K5K2KrzTgM3RndJGjDnUBDYNieWLXJzAHdOQnagPP9d4mMbPMDFdZkDf+md8BHAs/lCKqBKlDkBGvA7uNfM9GANGlRhdnvqQRpqulA25xb3ZR2LP/3oFxhdAlyRasj+HVBz4MydoSi55Cuz6W3ir5kHmI+etWh6rJqJSZySL0GNsnr+3tN5DW8WAxDJMd/a2NyMyJQ2fOe1PrCurlgrnlnvHq823P0L7H3Qi9NGJqg+sg7zsBF19l/h761wjycbDIoqiXB0CyHwgJsODeEdXnLNroG7TkF6j32PU4+UK5qvflh5DEoEV7m6BMwzQnCTAOaQ6bOWIuVFUMzCEcYQXW7BYff68w1isFi09HI1WAAEGTwJzT/fAqt9GCfXO4aKiZ+3HwEg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN7PR01MB3667.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(376002)(346002)(366004)(396003)(39860400002)(136003)(451199021)(478600001)(75432002)(54906003)(86362001)(966005)(36756003)(186003)(53546011)(6486002)(45080400002)(26005)(6512007)(6506007)(33656002)(71200400001)(4326008)(6916009)(66446008)(66476007)(66556008)(64756008)(316002)(786003)(66946007)(83380400001)(91956017)(76116006)(2906002)(30864003)(38100700002)(166002)(8676002)(122000001)(41300700001)(38070700005)(5660300002)(8936002)(66574015)(2616005)(579004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: B9EvYWIOzAMLh8loHMmigqLLtBIJVXiM2Kq4pMeoJBOZ8k563toR96WY/a/GGZqgbUb91JP0fvuwAGXZH+uOGXj8HL86yq9afnALCxm3yA/YOlORNCiNq3dyNHFNDAP6/8mHl7vXll0BCvhNXuLsHrPjTuZMzVpc/bqmj1aVszUBbASRbHKufGFJKQIqHz2Y0WGIl/6c8iOCrn8uM/DnEyyT351cJpUfNs35VeJlQf5rjXh/PhPRyjpQGqd8Ep3NYArk6P5GRc+F4/A00JWWzrgCOqvP8mYXhu87XFOY1mjFZNYgXjZKDUKDQe4foeZnlysqTjwp6d7RCI363KyjrPb6f+PmhClkgl1NMPoolp3oiB8VdoYhFl2bBxQPmodV8NgFRMIdLnX+gN6ZSrD2bprGgWftyTXhBGllEcngkytQCwTrOW3A+T66QF3OEgZB9IlC97tZesBOh7MQO0+75Kg7blf9/cDtlXnky1wQ5+GuednsZ1IvIm3sZKkyNf8w6LDPi95kfRWk2dJQm4ryf4fiiXZQJ3uChoyxCk102n6NzBAS/SWzuUt+M3JdnbpKno0zJEteN3qAvl6qNm73DOXhcfxrxmGMYw87qNhoEwMKcw+BnhPA8aQtzI+5JVhej1M3OfMLUW58TZI4R4JQOkwZxdPZHNys3VxeQW2DmFFnDpD03hsxHRIWSm/136KoiBF36K+8QlzoL1EDlGZl/08Y04bfQvg+yEkpNxOrCneIVCvm8WgJ6iyHOy7OY2fBFO2rpbS45NgSwPcG+/i8RhcyAzjqj2I8wOhLTGp+25KOPS6BQ/TJWFWuhjvBfH2HcPWQFSfFl2Vub23L1dZ4GX88exp+ow2KCu38cAZ9axX7JG0/yIC+KwJI89ZwsaQ6LfQlyOb0fwyO2q2p6FhDKRzvSR8aRhVv+SYpdojReM2qdTfRLmrqKGxboB6sdSHZrTwKSIDQ7bNemdw5afYxUgLxxTlqPg0xrlSrX3+6rLcd7qnJvhKsTeOkH020lt+pVJZbebO+3mwr7l+8FRiYSXAP0PKAKU28vvuwDtzQIB87u2yay20CnuTqZHzfmd5tJ7UnY55QRO1pKTRsFpZn3H/qnKV1PupVfHNPSoBPbPCuUcBxLOD7aZHeTUGDXTscHTS4v/3+1IMbcWj1RPZL9G+E1wCw2yKOeMX7OpfonjKlRLrSsdBqKgrBDAAo0orw+/2XrPppSit7TI3UVxJrO623GPqSRCH7qbwtwYgwgvSP15Z+KxpRACJe77RMCBr838nx5mkmXSyVUla4rO7z54F0JPXzIR1LFI3HtOCqPKJwS5RBgxYFr55QuapUkpdfsipqw29cVyFobmus+8LRqlqpWhILP0CQ4TUuVWy3HBSR68mIRVvqe6ALnZAgJOyw0xxCYJ9dVAj1N/MAWYq28GukBzyZEWMpw/3dKZLMzER1qrH+u+PzfVHt8AdPxuOBH/quwHO5GOfglmRQnZ5KtKxnHEXimz5kOFIcCVpTLKv054IBIScQXVUJcZbq8p+1rJT2FuzKyuRmNvT9N4y50tsbxOrJ7qE/O8LGawBOU8w=
Content-Type: multipart/alternative; boundary="_000_769944E35835454F8004B764299CDC21mitedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN7PR01MB3667.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 45b05d21-d4ba-4ef0-921f-08db455c709e
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Apr 2023 07:12:33.1209 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jWCnFrR7qdzXQJVtLVRKdLjCMig3EoamXcbyl44aYB3mLDQntDNzic0U5YFO6+Az
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR01MB5403
X-OriginatorOrg: mit.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/OaB4LA3yKGeGLNVtVY24V3pLQzA>
Subject: Re: [secdir] Secdir early review of draft-ietf-rtgwg-net2cloud-problem-statement-22
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Apr 2023 07:12:49 -0000

Robert,

Yes, I think we're in complete agreement.

One thing I'm not sure I understand is where public Internet fits here.

Perhaps, all that needs to be said is something like "you should tunnel your traffic via IPsec through public Internet segments, if they are present"? And, as I mentioned before, augment Security Considerations?

Thx

On Apr 25, 2023, at 02:35, Robert Raszuk <robert@raszuk.net> wrote:


Hi Uri,

> from the security point of view MPLS is useless over the public Internet

Well MPLS does not operate natively over public Internet - never did - never will.**

For this discussion it is important to recognize that MPLS-VPNs provide traffic isolation no security. Only early days some marketing slides were trying to say that MPLS-VPN security is high .. but all they meant to say was that all they provide is isolation and as good as ATM or Frame Relay.

So comparing IPSec or DTLS or wireguard or LISP+Sec etc ... to closed domains VPNs is not comparing apples to apples.

** Sure one could send MPLS VPN labeled packets (used for demux) over IP tunneling (replacing MPLS transport with IP transport), but this needs to also be accompanied by signalling and whoever sends this needs to own the remote demux point.

Best,
Robert


On Tue, Apr 25, 2023 at 4:37 AM Uri Blumenthal <uri@mit.edu<mailto:uri@mit.edu>> wrote:
From the performance and QoSv points of view, MPLS is a winner, no questions.

But if my understanding is correct, from the security point of view MPLS is useless over the public Internet - it's applicable only when the network path is composed exclusively of trusted collaborating providers. And even then - with the caveats I mentioned.

Perhaps,  you may want to
1. Replace "minimize ... over" with "limit ... to";
2. Add the caveats I listed to the Security Considerations.

Thnx

On Apr 24, 2023, at 20:13, Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>> wrote:


Uri,

I see your points. How about changing the sentence to:
As the private VPNs provide higher quality of services, choosing a PE closest to the Cloud GW for the IPsec tunnel is desirable to minimize the IPsec tunnel distance over the public Internet.


Linda
From: Uri Blumenthal <uri@mit.edu<mailto:uri@mit.edu>>
Sent: Monday, April 24, 2023 6:02 PM
To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Cc: Deb Cooley <debcooley1@gmail.com<mailto:debcooley1@gmail.com>>; secdir@ietf.org<mailto:secdir@ietf.org>; draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org<mailto:draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org>; rtgwg@ietf.org<mailto:rtgwg@ietf.org>
Subject: Re: [secdir] Secdir early review of draft-ietf-rtgwg-net2cloud-problem-statement-22

Linda,
I  respectfully disagree with your statement that MPLS VPN is more secure than IPsec.

IPsec is end-to-end protection, immune by design to any action by the (potentially hostile part of the) infrastructure. As long as the connecting nodes correctly implement the protocol, it is secure, period.

MPLS is only as secure as the infrastructure it's running on, depending on every switch between the end-points be ok, not compromised, etc. In other words, it's enough to compromise one switch that is handling your traffic to bring security down to zero.

You could argue that switches are more secure than end-boxes or routers that hold IPsec connections. My answer would be - it depends.

In summary: no, MPLS is less, not more, secure than IPsec.


On Apr 24, 2023, at 16:54, Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>> wrote:

Deb,

Thank you for the additional comments.

Resolutions to your comments are inserted below:

Linda

From: Deb Cooley <debcooley1@gmail.com<mailto:debcooley1@gmail.com>>
Sent: Thursday, April 20, 2023 9:44 AM
To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Cc: secdir@ietf.org<mailto:secdir@ietf.org>; draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org<mailto:draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org>; rtgwg@ietf.org<mailto:rtgwg@ietf.org>
Subject: Re: [secdir] Secdir early review of draft-ietf-rtgwg-net2cloud-problem-statement-22


Apologies, it has been a busy week...I recognize that writing a draft like this is difficult.

My remaining concerns are:

Section 4, sentence 1:  Grammar - 'will be mixed of different' should be 'will

be a mix of different'.

This now says 'a mixed of different'.  Most definitely the smallest of nits.

[Linda] thanks for catching it.

New:  Section 4.3, para 3:  I am unfamiliar with MPLS VPNs, are they really 'more secure' than IPSec?  I can easily believe that they have better quality services, and may perform better.

[Linda] Section 4.3 has now changed “Extending Private VPNs to Hybrid Cloud DCs.”. Private VPNs, including private circuits, MPLS based VPN, use network service provider’s physical links/wavelengths. Their traffic running over Private VPNs don’t mix with Internet traffic. Therefore, more secure.



New:  Section 5.1:  The discussion about the security risk of IPSec group encryption should be added to section 7.



[Linda] Section 5.1 is about Scaling IPsec, instead of Pairwise Tunnels which needs N square number of tunnels, the draft suggest improvement.





Deb Cooley

On Fri, Apr 14, 2023 at 6:51 AM Deb Cooley <debcooley1@gmail.com<mailto:debcooley1@gmail.com>> wrote:

I'm including my final set of comments.  I made the mistake of submitting the wrong version.  I've noted the ones you have addressed already in blue.  I apologize for the confusion.



I have reviewed this document as part of the security directorate's

ongoing effort to review all IETF documents being processed by the

IESG.  These comments were written primarily for the benefit of the

security area directors.  Document editors and WG chairs should treat

these comments just like any other last call comments.



Document: draft-ietf-rtgwg-net2cloud-problem-statement-22<https://datatracker.ietf.org/doc/draft-ietf-rtgwg-net2cloud-problem-statement/22/>

Reviewer: Deb Cooley

Review Date: 2023-04-06 (early review)



Please note that I know almost nothing about BGP, MPLS or routing.



The summary of the review is 'not ready'.



Section 3:  perhaps move this whole section to Section 7?  Sections 4, 5, and 6

seem like they should come before Section 3 anyway?



partially done (moved Section 3.5 to 7)



Section 3.1, para 1, sentence 2: Grammar: 'with more variety of parties' could

be 'with a larger variety of parties.'



Apologies, I meant this sentence:  'Cloud GWs need to peer with more variety of parties, via private circuits or IPsec over public internet.'





Section 3.1, para 2, sentence 2:  'IP tunnels', does this imply IPSec?  Or

something else?



done



Section 3.1, para 3:  By setting up default eBGP routes, these don't count as

routes from an external entity?  The rest of the paragraph addresses the

handling of exceeding the maximum route threshold?  But there appears to be an

option to keep the BGP session?  This paragraph is confusing.



done



Section 3.2, paragraph 2:  IGP?  AS?  I can't tell what this is trying to say.



done



Section 3.2, paragraph 3:  If there is a site failure, how is the Cloud GW

'running fine'?  Is this GW using a different site?  BFD expands to what?



done - I understand...



Section 3.2:  Para 1 states why a site might go down.  Para 2-6 outline the

routing (?) issues that occur when a site goes down. I think these could be

better organized.  Only the last para suggests mitigations.



I think most of this fits better into Section 7?



Section 3.3 I'm not an expert, but isn't this an issue to any routing scenario?

Can this be combined with Section 3.6?



ok



Section 3.4, para 3, item 1:  Is this a problem?  Or a feature?  If it is a

problem, can you say why?



done - this is better!



Section 3.6, last paragraph:  A globally unique name won't 'resolve the same

way from every perspective'?  Other than being restricted (previous paragraph),

what does this mean? If this is covered in the previous para, I would recommend

deleting the phrase.



fine



Section 4, sentence 1:  Grammar - 'will be mixed of different' should be 'will

be a mix of different'.



Section 4.2, para 2:  Use of a shared key in IPSec implies that IKE isn't used

(shared key was only possible with IKEv1 I believe, which is deprecated).  I

would remove the phrase 'using a shared key'.

On Wed, Apr 12, 2023 at 4:09 PM Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>> wrote:
Deb,

We really appreciate your review and comments to the document. Please see below for the resolution to your comments.

Linda

-----Original Message-----
From: Deb Cooley <debcooley1@gmail.com<mailto:debcooley1@gmail.com>>
Sent: Sunday, April 9, 2023 6:28 AM
To: secdir@ietf.org<mailto:secdir@ietf.org>; draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org<mailto:draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org>; rtgwg@ietf.org<mailto:rtgwg@ietf.org>
Subject: Re: [secdir] Secdir early review of draft-ietf-rtgwg-net2cloud-problem-statement-22

Note:  I hit ‘send’ too early, ugh.  Please see the comments on the datatracker for the correct version.

Deb Cooley

> On Apr 9, 2023, at 6:59 AM, Deb Cooley via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
>
> Reviewer: Deb Cooley
> Review result: Not Ready
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Document: draft-ietf-rtgwg-net2cloud-problem-statement-22
> Reviewer: Deb Cooley
> Review Date: 2023-04-06 (early review)
>
> Please note that I know almost nothing about BGP, MPLS or routing.
>
> The summary of the review is
>
> Section 3.1, para 1, sentence 2: Grammar: 'with more variety of
> parties' could be 'with a larger variety of parties.'
>
[Linda] Per RTGarea Director suggestion, the text has been changed to the following. Is it Okay with you?
Site failures include (but not limited to) a site capacity degradation or entire site going down. The reasons for these capacity degradations or failures can include: a) fiber cut for links connecting to the site or among pods within the site, b) cooling failures, c) insufficient backup power, d) cyber threat attacks, e) too many changes outside of the maintenance window, or other errors. Fiber-cut is not uncommon within a Cloud site or between sites.


> Section 3.1, para 2, sentence 2:  'IP tunnels', does this imply IPSec?
> Or something else?
>
[Linda] changed.

> Section 3.1, para 3:  By setting up default eBGP routes, these don't
> count as routes from an external entity?  The rest of the paragraph
> addresses the handling of exceeding the maximum route threshold?  But
> there appears to be an option to keep the BGP session?  This paragraph is confusing.
[Linda] The intent is to say:
When inbound routes exceed the maximum routes threshold for a peer, the current common practice is generating out of band alerts (e.g., Syslog) via management system to the peer, or terminating the BGP session (with cease notification messages [RFC 4486] being sent).  However, it would be useful if IETF can specify some in-band alert messages to indicate the inbound routes exceeding the threshold.
>
> Section 3.2, paragraph 2:  IGP?  AS?  I can't tell what this is trying to say.
>
[Linda] changed to domain.

> Section 3.2, paragraph 3:  If there is a site failure, how is the
> Cloud GW 'running fine'?  Is this GW using a different site?  BFD?
[Linda] Failures within a site like a fiber cut between two racks. So the GW is still running fine.

>
> Section 3.2:  Para 1 states why a site might go down.  Para 2-6
> outline the routing (?) issues that occur when a site goes down. I
> think these could be better organized.  Only the last para suggests mitigations.
[Linda] changed to the "Failures within a site".

>
> Section 3.3 I'm not an expert, but isn't this an issue to any routing scenario?
> Can this be combined with Section 3.6?
[Linda] Section 3.3 is to introduce the problem of multiple instances available at different sites for one service (such as using ANYCAST address). The site with the shortest distance might not be the optimal service instance as the site might be overloaded.
Section 3.6 is about DNS resolution at different sites.  .


>
> Section 3.4, para 3, item 1:  Is this a problem?  Or a feature?  If it
> is a problem, can you say why?
[Linda] Item 1 is meant to say:
The difference of routing distances to multiple server instances in different edge Cloud is relatively small. Therefore, the edge Cloud that is the closest doesn’t contribute much to the performance.

>
> Section 3.5:  I would suggest moving this to Section 7.  There are a
> couple of mitigations listed - anti-DDOS, DTLS, IPSec, monitoring.
>
[Linda] Good suggestion. Changed.

> Section 3.6, last paragraph:  A globally unique name won't 'resolve
> the same way from every perspective'?  Other than being restricted
> (previous paragraph), what does this mean? If this is covered in the
> previous para, I would recommend deleting the phrase.
>
[Linda] DNSOPS director insisted on adding this paragraph to empathize that not all globally unique names can be resolved.


> Stopped at Section 4.
>
>
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org<mailto:secdir@ietf.org>
> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww<https://www/>.
> ietf.org<http://ietf.org/>%2Fmailman%2Flistinfo%2Fsecdir&data=05%7C01%7Clinda.dunbar%40f
> uturewei.com<http://uturewei.com/>%7C07fbc4f2cc284e39624f08db38ed774e%7C0fee8ff2a3b240189c75
> 3a1d5591fedc%7C1%7C0%7C638166364798968574%7CUnknown%7CTWFpbGZsb3d8eyJW
> IjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%
> 7C%7C%7C&sdata=2SVXI%2BaoyU%2Bc4Aa8RRvb6BEQUIMmwTz%2BsqF6Z5o%2FnuU%3D&
> reserved=0
> wiki:
> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrac<https://trac/>
> .ietf.org<http://ietf.org/>%2Ftrac%2Fsec%2Fwiki%2FSecDirReview&data=05%7C01%7Clinda.dunb
> ar%40futurewei.com<http://40futurewei.com/>%7C07fbc4f2cc284e39624f08db38ed774e%7C0fee8ff2a3b240
> 189c753a1d5591fedc%7C1%7C0%7C638166364798968574%7CUnknown%7CTWFpbGZsb3
> d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7
> C3000%7C%7C%7C&sdata=vbmjW7gi%2BOgn9xbql5S4grf6NZayrZ%2B%2BgFYC3%2B0yK
> cE%3D&reserved=0

_______________________________________________
secdir mailing list
secdir@ietf.org<mailto:secdir@ietf.org>
https://www.ietf.org/mailman/listinfo/secdir
wiki: https://trac.ietf.org/trac/sec/wiki/SecDirReview
_______________________________________________
rtgwg mailing list
rtgwg@ietf.org<mailto:rtgwg@ietf.org>
https://www.ietf.org/mailman/listinfo/rtgwg

v2.23.0 | Report a Bug | By Email