Re: [secdir] Security review of draft-ietf-grow-diverse-bgp-path-dist-07
Robert Raszuk <robert@raszuk.net> Wed, 18 July 2012 22:29 UTC
Return-Path: <robert@raszuk.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C0BC11E81D9 for <secdir@ietfa.amsl.com>; Wed, 18 Jul 2012 15:29:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CGQHXCi3U2v7 for <secdir@ietfa.amsl.com>; Wed, 18 Jul 2012 15:29:09 -0700 (PDT)
Received: from mail1310.opentransfer.com (mail1310.opentransfer.com [76.162.254.103]) by ietfa.amsl.com (Postfix) with ESMTP id 21EE411E81C9 for <secdir@ietf.org>; Wed, 18 Jul 2012 15:29:08 -0700 (PDT)
Received: (qmail 28231 invoked by uid 399); 18 Jul 2012 22:29:59 -0000
Received: from unknown (HELO ?216.69.69.240?) (pbs:robert@raszuk.net@216.69.69.240) by mail1310.opentransfer.com with ESMTPM; 18 Jul 2012 22:29:59 -0000
X-Originating-IP: 216.69.69.240
Message-ID: <500738E6.9070902@raszuk.net>
Date: Thu, 19 Jul 2012 00:29:58 +0200
From: Robert Raszuk <robert@raszuk.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: Hilarie Orman <hilarie@purplestreak.com>
References: <201207161930.q6GJUr6Z014862@sylvester.rhmr.com>
In-Reply-To: <201207161930.q6GJUr6Z014862@sylvester.rhmr.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 18 Jul 2012 15:38:39 -0700
Cc: draft-ietf-grow-diverse-bgp-path-dist.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Security review of draft-ietf-grow-diverse-bgp-path-dist-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert@raszuk.net
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 22:29:10 -0000
Dear Hilarie, Many thx for your comments and apologies for delayed reply. Let me attempt to clarify some of the points you raised hoping that they may shed some more light on the topic. > This document presents a mechanism for distributing redundant BGP > paths based on the concept of parallel route reflector planes. It > does not need any changes to the BGP protocol definition. > > The general notion is that different groups of route reflectors would > be assigned find the "nth best route" where n varies from 1 to a small > number. All n routes would be presented to devices connected to the > route reflectors. This in turn would enable a multitude of benefits: > quick routing restoration, load balancing, and churn reduction. Correct. > The point of making this an IETF document is odd. Its fundamental > message is "instead of using extensions to BGP for additional paths, > you could use route reflectors configured for nth best path." And, as > it turns out, Cisco makes such a product. I am perhaps missing the background of the above comment, but please keep in mind that this document is worked on in GROW WG. This working group is not tasked to define new protocol extensions, but to document operational solutions to existing problems. GROW WG also provides best common practices documentation. IMHO the more solutions GROW or any other working group in IETF defines which do not require new protocol extension the faster velocity of improvement to Internet and other IP based services can be accomplished. > The draft is sketchy on how route reflectors actually work, True. But this is very well documented in RFC4456 and this draft does not intend to update that RFC. In fact the draft does not changes any route reflection protocol assumptions. > Still, we do not get to know if route reflectors put additional, > proprietary, information on the wire, They do not otherwise the specification would be a protocol extension which you correctly already observed it is not. > how a listener could inquire about their configuration, I am not sure what do you mean by that in the light of regular IBGP session between route reflector and it's client. > or what the stability and failure properties might be. The stability and failure property is identical to any other iBGP session today. > All of this makes for difficulties in doing a security analysis. The > document asserts that all security problems are subsumed by prior work > in analyzing BGP security. This might be true, but BGP has a number > of documented vulnerabilities, and the new paths might multiply them. While I understand your point it is extremely broad. One way of possible comparison would be to compare it with full mesh IBGP peering as in this case all clients would see all paths in the domain (assuming best external is enabled). > Should BGP listeners trust the additional paths? Yes. Remember those are intra-domain paths. Would BGP speaker trust any other iBGP peer ? > Are opportunities for spoofing increased because listeners should > expect more paths? > What are the interactions between spoofed failures and switching to > one of the diverse paths? Could route reflectors be tricked into > permuting the path ordering so fast that paths never stabilize? I am not clear what spoofing risk you are referring to above. > I think that the security considerations should address potential > problems in the context of the previous analyses of BGP security, if > this is indeed a protocol document in the ordinary IETF sense. > Perhaps it is not, maybe it is an infrastructure configuration guide > or an argument against BGP add-paths extensions. I can't tell. This document is to provide very easy solution for BGP speaker to receive more then best path. In most applications two paths is sufficient. So the main objective of this document is to observe that by simply adding new session between RR and it's client RR can be instructed to send a 2nd best/backup path on such session. Both above described functions are already very commonly available in number of BGP implementations. Authors just combine both to achieve easy deployable solution which does not require massive network wide upgrades which as I am sure we all realize may take years. Best regards, R. > Hilarie > > --------------------------- > NB: "Hilarie Orman" is my actual name and not a pseudonym for any > other person with similar knowledge or interests.
- [secdir] Security review of draft-ietf-grow-diver… Hilarie Orman
- Re: [secdir] Security review of draft-ietf-grow-d… Robert Raszuk
- Re: [secdir] Security review of draft-ietf-grow-d… Hilarie Orman