Re: [secdir] Security review of draft-ietf-grow-diverse-bgp-path-dist-07

Robert Raszuk <robert@raszuk.net> Wed, 18 July 2012 22:29 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C0BC11E81D9 for <secdir@ietfa.amsl.com>; Wed, 18 Jul 2012 15:29:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CGQHXCi3U2v7 for <secdir@ietfa.amsl.com>; Wed, 18 Jul 2012 15:29:09 -0700 (PDT)
Received: from mail1310.opentransfer.com (mail1310.opentransfer.com [76.162.254.103]) by ietfa.amsl.com (Postfix) with ESMTP id 21EE411E81C9 for <secdir@ietf.org>; Wed, 18 Jul 2012 15:29:08 -0700 (PDT)
Received: (qmail 28231 invoked by uid 399); 18 Jul 2012 22:29:59 -0000
Received: from unknown (HELO ?216.69.69.240?) (pbs:robert@raszuk.net@216.69.69.240) by mail1310.opentransfer.com with ESMTPM; 18 Jul 2012 22:29:59 -0000
X-Originating-IP: 216.69.69.240
Message-ID: <500738E6.9070902@raszuk.net>
Date: Thu, 19 Jul 2012 00:29:58 +0200
From: Robert Raszuk <robert@raszuk.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: Hilarie Orman <hilarie@purplestreak.com>
References: <201207161930.q6GJUr6Z014862@sylvester.rhmr.com>
In-Reply-To: <201207161930.q6GJUr6Z014862@sylvester.rhmr.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 18 Jul 2012 15:38:39 -0700
Cc: draft-ietf-grow-diverse-bgp-path-dist.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Security review of draft-ietf-grow-diverse-bgp-path-dist-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert@raszuk.net
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 22:29:10 -0000

Dear Hilarie,

Many thx for your comments and apologies for delayed reply. Let me 
attempt to clarify some of the points you raised hoping that they may 
shed some more light on the topic.

> This document presents a mechanism for distributing redundant BGP
> paths based on the concept of parallel route reflector planes.  It
> does not need any changes to the BGP protocol definition.
>
> The general notion is that different groups of route reflectors would
> be assigned find the "nth best route" where n varies from 1 to a small
> number.  All n routes would be presented to devices connected to the
> route reflectors.  This in turn would enable a multitude of benefits:
> quick routing restoration, load balancing, and churn reduction.

Correct.

> The point of making this an IETF document is odd.  Its fundamental
> message is "instead of using extensions to BGP for additional paths,
> you could use route reflectors configured for nth best path."  And, as
> it turns out, Cisco makes such a product.

I am perhaps missing the background of the above comment, but please 
keep in mind that this document is worked on in GROW WG. This working 
group is not tasked to define new protocol extensions, but to document 
operational solutions to existing problems. GROW WG also provides best 
common practices documentation. IMHO the more solutions GROW or any 
other working group in IETF defines which do not require new protocol 
extension the faster velocity of improvement to Internet and other IP 
based services can be accomplished.


> The draft is sketchy on how route reflectors actually work,

True. But this is very well documented in RFC4456 and this draft does 
not intend to update that RFC. In fact the draft does not changes any 
route reflection protocol assumptions.

> Still, we do not get to know if route reflectors put additional,
> proprietary, information on the wire,

They do not otherwise the specification would be a protocol extension 
which you correctly already observed it is not.

> how a listener could inquire about their configuration,

I am not sure what do you mean by that in the light of regular IBGP 
session between route reflector and it's client.

> or what the stability and failure properties might be.

The stability and failure property is identical to any other iBGP 
session today.

> All of this makes for difficulties in doing a security analysis.  The
> document asserts that all security problems are subsumed by prior work
> in analyzing BGP security.  This might be true, but BGP has a number
> of documented vulnerabilities, and the new paths might multiply them.

While I understand your point it is extremely broad. One way of possible 
comparison would be to compare it with full mesh IBGP peering as in this 
case all clients would see all paths in the domain (assuming best 
external is enabled).

> Should BGP listeners trust the additional paths?

Yes. Remember those are intra-domain paths. Would BGP speaker trust any 
other iBGP peer ?

> Are opportunities for spoofing increased because listeners should
> expect more paths?
> What are the interactions between spoofed failures and switching to
> one of the diverse paths?  Could route reflectors be tricked into
> permuting the path ordering so fast that paths never stabilize?

I am not clear what spoofing risk you are referring to above.

> I think that the security considerations should address potential
> problems in the context of the previous analyses of BGP security, if
> this is indeed a protocol document in the ordinary IETF sense.
> Perhaps it is not, maybe it is an infrastructure configuration guide
> or an argument against BGP add-paths extensions.  I can't tell.

This document is to provide very easy solution for BGP speaker to 
receive more then best path. In most applications two paths is sufficient.

So the main objective of this document is to observe that by simply 
adding new session between RR and it's client RR can be instructed to 
send a 2nd best/backup path on such session.

Both above described functions are already very commonly available in 
number of BGP implementations. Authors just combine both to achieve easy 
deployable solution which does not require massive network wide upgrades 
which as I am sure we all realize may take years.

Best regards,
R.

> Hilarie
>
> ---------------------------
> NB: "Hilarie Orman" is my actual name and not a pseudonym for any
> other person with similar knowledge or interests.