Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30
Magnus Nyström <magnusn@gmail.com> Tue, 23 April 2024 20:20 UTC
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EFE8C14F617; Tue, 23 Apr 2024 13:20:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HcBKp_QKeJ3o; Tue, 23 Apr 2024 13:19:59 -0700 (PDT)
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD5C1C14CE2E; Tue, 23 Apr 2024 13:19:59 -0700 (PDT)
Received: by mail-il1-x131.google.com with SMTP id e9e14a558f8ab-36c0ef5f7ebso9851945ab.0; Tue, 23 Apr 2024 13:19:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713903599; x=1714508399; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hBSEPzqZ9qS/jf/9ER23HIrYKDZunrMvg73XuFMP4oc=; b=K5aEna2BkIsmDVm6wfVpFIf2jDGjFKCh9D41YkDxlyf6unbubQDrwsN6/clTB0nSv7 2PQ5YreVNpPeCjp+8m+sYZ0YBJk86WkbLaB5+gys/q9My+mOeM25DcTyuzMwdGClTLq1 1iAk4jGoKXZ77UOGULLPU000GZThdaaWbk03kgq7DwNAzCB4tdP8rqmwDZ3nGFJsFciB b4B/E7IIDs//ckUzvtAO4rW5uv+yyVenQs1lbU+eVw6ar0AVRXIllyjRqDnUan0IVsw/ 46QW2hL5+iNu04VvRlhCdaOWYUHmfbAApHB8CQqq7Yb4bf+jCWm8LRZ+PVImPIgmSJFb kFGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713903599; x=1714508399; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hBSEPzqZ9qS/jf/9ER23HIrYKDZunrMvg73XuFMP4oc=; b=WE+EiRmT6ahVM6UfKYYl4CAV1UCN8o0AjEK5n5Rs+/O0CwHZb/bnnFY5hl+bbJVb5P tTafWhWptkPOrIPHd1Bcl3Yfr1WumczXWAECVQGy60Xi1twHSHr9gyrn97NbroX7ZKv8 lMIB5dM+AL4STzmbkFQ741+fT4Y/P7rpZmzIqWhRxUpkyVqcTYbZkP4ooEC3t4RsghLX Xdl9tBbohuJwvGnNGmdtTAt3bHprwRV/m3AZry+Udf8tpS5V569eGw0LM2ah2NepDWvX eRZDj2Z66YNME6tJm71YMhCDkG08FPDZiDgSNaP6je4nwxfw8DJVxFm6766IAmksOwB+ HG2Q==
X-Forwarded-Encrypted: i=1; AJvYcCW/Xd+TXcUJBHFQhJtIBPnnCSCVZT4XakQIsX2/on4WH0uvG5ZA2bTaBnEjfA+kHbbUZ8CFZExrgS22QCUXITSXQ34dLnnDGxqZrpl/9drhjWApyf7X0XJKZhPmbR2k1pT5sFmk3BUy8ANcoRJm3Wtgng==
X-Gm-Message-State: AOJu0YyzgnYt1+onKPiMjHAbvuKP4aJgDomGAJ12CmwObITZdMMC0lW6 Igk2pW1YdJdabxIac/kahCh+1GAcDAd8OmL9Qp7XEyw9KbZ7vdyQ8NHuJJvGJG2VjHP0Qa9Fph/ t8a3grTu6ou6NAt1QNIQSfETm7ZBuaXbj
X-Google-Smtp-Source: AGHT+IFL8frVuBM0J86cSeF41bF51NJ/taUI3MVtYbewGPIp3uzZ47qtcbkMLuws1iV44Wy0RiEqFNDqXImm7Sl3vsM=
X-Received: by 2002:a05:6e02:1d87:b0:36c:9b0:2e5f with SMTP id h7-20020a056e021d8700b0036c09b02e5fmr740906ila.7.1713903598965; Tue, 23 Apr 2024 13:19:58 -0700 (PDT)
MIME-Version: 1.0
References: <171255343637.3005.42205344596392120@ietfa.amsl.com> <SJ0PR05MB8632FDD8A3852BA61687C652A2072@SJ0PR05MB8632.namprd05.prod.outlook.com> <DM6PR08MB4857BF2A91EFF6DD1E3EDE3FB3072@DM6PR08MB4857.namprd08.prod.outlook.com>
In-Reply-To: <DM6PR08MB4857BF2A91EFF6DD1E3EDE3FB3072@DM6PR08MB4857.namprd08.prod.outlook.com>
From: Magnus Nyström <magnusn@gmail.com>
Date: Tue, 23 Apr 2024 13:19:47 -0700
Message-ID: <CADajj4ZODE8DjCiwnj281yWLUTw-xYMye-4Lbs0nLBNmxfS-SQ@mail.gmail.com>
To: Susan Hares <shares@ndzh.com>
Cc: Kaliraj Vairavakkalai <kaliraj@juniper.net>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-idr-bgp-ct.all@ietf.org" <draft-ietf-idr-bgp-ct.all@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000321d5d0616c94772"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/VBauylX-dKkskPtm78EEJ6Mh6Ig>
Subject: Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2024 20:20:03 -0000
Hi Sue and apologies for my tardiness. See below. On Tue, Apr 9, 2024 at 4:30 PM Susan Hares <shares@ndzh.com> wrote: > Magnus: > > > > As shepherd of the draft-ietf-idr-bgp-ct draft, I need additional > information about your review. Would you help me by answering three > questions? > > > > For these questions, imagine a series of networks cooperating to get > traffic between either: a) two data centers or b) between data centers and > user phones. > > > > Thank you, Sue Hares > > > > *Question 1: What are you assuming is involved in BGPsec solutions? * > > > > The text in draft-ietf-idr-bgp-ct-30 states in the security section: > > > > “To mitigate any risk of manipulating the routing information carried > > within a new SAFI, BGP origin validation [RFC6811] and BGPsec [RFC8205] > > MAY be used as means to increase assurance that the information > > has not been falsified.” > > > > AND > > > > “In order to mitigate the risk of the diversion of traffic from its > intended destination, > > existing BGPsec solutions could be extended and supported for this SAFI.” > > > > This points to basic protocols plus solutions augmented to support this > for the > > BGP Updates with the AFI/SAFIs that include the CT SAFI. > > > > Are you taking “BGPSec solutions” to mean: > > 1. implementations are being extended to work with CT AFI/SAFI or > 2. additions IETF protocols for BGPsec that include additional > features? > > > > My understanding is that “BGPsec solutions” in the CT document is adding > BGPsec protocol + Origin validation to implementations supporting CT. > *MN: *Right, I did not expect additions to IETF protocols for BGPsec would be required (beyond what possibly is in this memo already), but I was wondering if that "could" was intended to be a "should" (or should be a "should). I mean, pretty much everything "could" always be enhanced. > > > *2) Are you familiar with the potential additions to BGPsec and Origin > Validation? * > > > > One could secure other attributes that do not change between routers > within the BGP Update packet. These attributes could be secured separately > from the BGP Path attribute. The benefit of securing such things as the > “BGP Tunnel Encapsulation Attribute” may aid in securing the distribution > of tunnel endpoints within a domain containing multiple AS within a > network. > > > > One could register locally Origin validation specific to the transport > addresses used by CAR and CT. > *MN: *I am not familiar with those additions and not sure how they would read on this CT work, I will have to defer to others on this. > > > *3) Are you familiar with the amount of Configuration involved in these > features? * > > > > You mention this text in your review: > > > > "The restriction of the applicability of this SAFI to its intended > well-defined scope limits the > likelihood of traffic diversions. Furthermore, as long as the filtering and > appropriate configuration mechanisms discussed previously are applied > diligently, risk of the diversion of the traffic is significantly > mitigated." > > > > This text was written to indicate (as described in the CT document) > > 1. Networks are filtering offered data traffic into different service > levels (e.g. gold, silver, bronze service levels), > > This filtering includes normal filtering of traffic against DDOS and other > attack traffic. > > > > 2. Data Traffic is placed on set-up transport pathways created by the > BGP protocols. > 3. Back-up pathways are also set-up by the BGP protocol with input > from IGP protocols. > > > > All of this setup requires a great deal of configuration on the nodes. > *MN: *I agree, and this goes back to my question there - are the extensions a "could" or a "should". For example, if the configuration will be so involved as to be likely to cause incidents because of incorrectness from a security perspective, maybe that "could" is a "should"? Thanks > > > > > > > > > *From:* Kaliraj Vairavakkalai <kaliraj@juniper.net> > *Sent:* Monday, April 8, 2024 10:38 PM > *To:* Magnus Nyström <magnusn@gmail.com>; secdir@ietf.org > *Cc:* draft-ietf-idr-bgp-ct.all@ietf.org; idr@ietf.org > *Subject:* Re: [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30 > > > > > > Hi Magnus, > > > > > was this meant to say "existing BGPsec solutions" or "the existing BGP > solution"? > > > > I think we should change it to ‘existing BGP solutions’. Agree. > > > > Thanks, > > Kaliraj > > > > > > Juniper Business Use Only > > *From: *Idr <idr-bounces@ietf.org> on behalf of Magnus Nyström via > Datatracker <noreply@ietf.org> > *Date: *Sunday, April 7, 2024 at 10:17 PM > *To: *secdir@ietf.org <secdir@ietf.org> > *Cc: *draft-ietf-idr-bgp-ct.all@ietf.org < > draft-ietf-idr-bgp-ct.all@ietf.org>, idr@ietf.org <idr@ietf.org> > *Subject: *[Idr] Secdir early review of draft-ietf-idr-bgp-ct-30 > > [External Email. Be cautious of content] > > > Reviewer: Magnus Nyström > Review result: Has Nits > > Comparing with my original review (-18) the authors have addressed my > concerns. > There is one remaining, probably smaller, issue: The Security > Considerations > section states: "In order to mitigate the risk of the diversion of traffic > from > its intended destination, existing BGPsec solution could be extended and > supported for this SAFI." - was this meant to say "existing BGPsec > solutions" > or "the existing BGP solution"? Also, it isn't clear how BGPsec should be > extended - and if it would provide any substantial benefit over the > mechanisms > described herein (the remainder of this paragraph states: "The restriction > of > the aplicability of this SAFI to its intended well-defined scope limits the > likelihood of traffic diversions. Furthermore, as long as the filtering and > appropriate configuration mechanisms discussed previously are applied > diligently, risk of the diversion of the traffic is significantly > mitigated."). > > > _______________________________________________ > Idr mailing list > Idr@ietf.org > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/idr__;!!NEt6yMaO-gk!B2BvMqPMR2r1KICWj3Vip_HLeDU5abmgtAXxyMwbmZhtzxUlyiprfSYhkYvbMBSGgTiBOIH3LSaGNns$ > <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/idr__;!!NEt6yMaO-gk!B2BvMqPMR2r1KICWj3Vip_HLeDU5abmgtAXxyMwbmZhtzxUlyiprfSYhkYvbMBSGgTiBOIH3LSaGNns$> > -- -- Magnus
- [secdir] Secdir early review of draft-ietf-idr-bg… Magnus Nyström via Datatracker
- Re: [secdir] [Idr] Secdir early review of draft-i… Kaliraj Vairavakkalai
- Re: [secdir] [Idr] Secdir early review of draft-i… Susan Hares
- Re: [secdir] [Idr] Secdir early review of draft-i… Magnus Nyström
- Re: [secdir] [Idr] Secdir early review of draft-i… Susan Hares
- Re: [secdir] [Idr] Secdir early review of draft-i… Magnus Nyström