IETF Logo Mail Archive

Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-te-pm-bgp-13

Yoav Nir <ynir.ietf@gmail.com> Sun, 21 October 2018 17:44 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 549751294D7; Sun, 21 Oct 2018 10:44:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IDi-Mev0zJLX; Sun, 21 Oct 2018 10:44:44 -0700 (PDT)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82E1B1277C8; Sun, 21 Oct 2018 10:44:44 -0700 (PDT)
Received: by mail-wm1-x333.google.com with SMTP id 193-v6so8033446wme.3; Sun, 21 Oct 2018 10:44:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=nWFYWvsGvmBpI9y6EwyTL/Ug2BsRvMfBukoF+t+OQOA=; b=bICUxXbMRFQwXMOmp4anhQkyN3Lt1EsLomq1VFhebzsi2MbLmrrpy2JoiM4malY3Cz 6RRRy4Wpr6MEQGtNu7IlXSwDLbBBjBn3ToqCOzLud2QWGOofCQ59QwZWRNcQkJMowJbJ l1IZEN58D/f5cwY2tPyen/KtV3WNg7d7LCkmHEqtpDuXzY81T0FC9uWG89KTV7NOkLXB JRmHEhtvYbQlS07mqckxnttEH+V7aFPDXsXOIxoXsS8RbZ/vpqKvn3KwMCz1HgSGJXzs gJoRMseWhNbHOqrTbcFj+JsJNnU8uKC+jO43mxPWYZVUZuwQhPQUUx2CVpFMG51OF0zw y5YQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=nWFYWvsGvmBpI9y6EwyTL/Ug2BsRvMfBukoF+t+OQOA=; b=MVz8Y+EdAN3CfSDCs4A4oUW7N64uYclyeQOBaIkuJkoXH48ZwzSiBVCez+C3/omFYW kF5Jmtx7J+G4lZyH+0HYEnbd4Qlj+AL4YrrCiuAktZ/WxBbhz3mXGWAcLCcY67yJ/iKD WRJ1YMCE0b9HFJCZtcZ6X/KrloFxF/IfhHSu3sv+OWogDo6+kghATNn2Pm0hpJ4P0Xsi eJxA8x7lEKSYyUFvEqdZUu/uccwZZwQY/t1JA7Z0LAvrz8/aSCQuRK6OoO0DVvIFAnSE zh5uXHkRq+ReSQLxLc2D81jAj+K4oD9nBVmbTLpeJiB6NMLSMf8CMpNEn3otLVSjpp+a TSiQ==
X-Gm-Message-State: ABuFfoiAK7qDq4/U+iSaGyOKmFVwn620lghMVWyERYTW1i9QhfaVttqW 16rLLTuuAbd6rNUmmJTP1SU=
X-Google-Smtp-Source: ACcGV60uRKlyrn9h5BvXdaNLH6ycrBKAKZMvzKgu7YX9tGGuZk+BKiW3cgMf/0PU9oTxQD4SByFWXg==
X-Received: by 2002:a1c:8c46:: with SMTP id o67-v6mr12688382wmd.35.1540143882832; Sun, 21 Oct 2018 10:44:42 -0700 (PDT)
Received: from [192.168.1.12] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id b71-v6sm13699853wma.13.2018.10.21.10.44.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 21 Oct 2018 10:44:41 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <14949BEE-1EC4-46A0-A1FD-8FE4BCD5D417@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BAF65A53-C2C8-474B-9AB7-839922543D4F"
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Date: Sun, 21 Oct 2018 20:44:39 +0300
In-Reply-To: <c22b55313bc54157853d5668a146038c@XCH-ALN-001.cisco.com>
Cc: Robert Raszuk <robert@raszuk.net>, "kaduk@mit.edu" <kaduk@mit.edu>, "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-te-pm-bgp.all@ietf.org" <draft-ietf-idr-te-pm-bgp.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
References: <153972468642.9298.14442375581871750001@ietfa.amsl.com> <ec43e712e8024930831a206f8e843cbb@XCH-ALN-001.cisco.com> <7655493D-9EF0-42FF-B2D3-B9CE4E78178D@gmail.com> <feec42a72bd64f31afbcb3b340dad52b@XCH-ALN-001.cisco.com> <1FFA9449-D03C-4EB6-9D08-BA4A1AA93FE3@gmail.com> <92af26fef2da470d853f292c84f026a0@XCH-ALN-001.cisco.com> <20181019002642.GX19309@kduck.kaduk.org> <CAOj+MMH1=SBV=ikiNE6UHEe1mzf5xKLPOZXnnqPEvyFHTC=83A@mail.gmail.com> <c22b55313bc54157853d5668a146038c@XCH-ALN-001.cisco.com>
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Yb-hx3DLU22PtN6h3oGzGr9HIbs>
Subject: Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-te-pm-bgp-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Oct 2018 17:44:48 -0000

See inline.

> On 19 Oct 2018, at 17:51, Les Ginsberg (ginsberg) <ginsberg@cisco.com> wrote:
> 
> Robert’s post addresses points I also want to make.
>  
> What is being done here is to add additional BGP-LS codepoints to advertise IGP information that was not defined at the time RFC 7752 was written. We haven’t changed the  BGP-LS transport mechanism – nor is the information being advertised here (some additional TE related link attribute information) qualitatively different than a number of existing TLVs defined in RFC 7752 (see https://tools.ietf.org/html/rfc7752#section-3.3.2 <https://tools.ietf.org/html/rfc7752#section-3.3.2> ). If this information had already been defined in the IGPs at the time RFC 7752 was written it would simply have been included as a section of RFC 7752 and no additional changes to RFC 7752 would have been required.
>  
> In theory, we could have simply updated RFC 7752 rather writing a separate draft, but practically this would be a poor strategy as it would incorrectly suggest that some change was being made to the existing text in RFC 7752.
>  
> I appreciate that from the POV of the Security Area you folks are not as intimately familiar with the routing drafts and the relationship between them. It is therefore understandable that you start looking at the new draft as a standalone document – and in that context your comments are absolutely correct. But the document you are reviewing is most accurately seen as an “addendum” to RFC 7752.

[YN] Right, and as such, I believe that this document should address the part that it adds to RFC 7752. IOW it should state that the new IGP information that will now be sent through BGP does not present new/different risk to the information already defined in 7752. This is information that has up until now only been sent in IS-IS and OSPF and will not be sent in BGP, so we need a statement that it’s OK to send these attributes in BGP as well. Of course, such a statement could be challenged in WGLC or IETF LC, but it should be made.

> The issues you raise have already been addressed in RFC 7752 and it is therefore very appropriate that we address your concerns by including a reference to the RFC 7752 security discussion.
>  
> I think it is important that you note this relationship, because the nature of BGP-LS is that whenever IGP extensions are defined to advertise new information it is necessary to define corresponding BGP-LS codepoints. This is not the first such BGP-LS extension document – and it is safe to say it won’t be the last. It would be helpful to all if we reached a common understanding or this discussion will take place every time a BGP-LS extension document is being reviewed – which will cost us all time needlessly.
>  
>    Les
>

v2.23.0 | Report a Bug | By Email