Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
Stewart Bryant <stbryant@cisco.com> Tue, 17 July 2012 07:23 UTC
Return-Path: <stbryant@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9B7311E8083; Tue, 17 Jul 2012 00:23:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.568
X-Spam-Level:
X-Spam-Status: No, score=-110.568 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yYgjne-y9+vj; Tue, 17 Jul 2012 00:23:50 -0700 (PDT)
Received: from ams-iport-3.cisco.com (ams-iport-3.cisco.com [144.254.224.146]) by ietfa.amsl.com (Postfix) with ESMTP id 21DE221F857A; Tue, 17 Jul 2012 00:23:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=stbryant@cisco.com; l=18222; q=dns/txt; s=iport; t=1342509876; x=1343719476; h=message-id:date:from:reply-to:mime-version:to:cc:subject: references:in-reply-to; bh=lK+d891Z0LOSdrZfwsa6kE8mkLGrWkFYxHO1b88g0tw=; b=C4AvC60v0/ZJooUWciOW2tuyp4sSoSFLAwKpNe7+V7bmCccfB3LTxJq7 k0hcZ2WRQup/BZPNAXSh7skmaWmOoYquntO7KVaI3jM5gwf01q5ewCKWt K1Q2Xqn5Dz8iTsucrSAs2sK7bEYn8GFg4E/Y2n11V4ev6XL6poMTKfgG2 Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhYFAPoRBVCQ/khN/2dsb2JhbAA7BwOCSoh/rhaBB4IgAQEBBBIBAhhLAQ4CCxEEAQEBCRYIBwkDAgECAQkrCQgGDQEFAgEBFQmHawucLYNIEJxPBIs6EIMWgyEDlTuOIIEEYoJggV4
X-IronPort-AV: E=Sophos;i="4.77,599,1336348800"; d="scan'208,217";a="6686239"
Received: from ams-core-4.cisco.com ([144.254.72.77]) by ams-iport-3.cisco.com with ESMTP; 17 Jul 2012 07:24:34 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id q6H7OYYi000396 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 17 Jul 2012 07:24:34 GMT
Received: from [IPv6:::1] (localhost [127.0.0.1]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id q6H7OUvu008545; Tue, 17 Jul 2012 08:24:31 +0100 (BST)
Message-ID: <5005132E.9000000@cisco.com>
Date: Tue, 17 Jul 2012 08:24:30 +0100
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: "idr-chairs@tools.ietf.org" <idr-chairs@tools.ietf.org>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil> <005401cd63aa$baeac2b0$30c04810$@ndzh.com>
In-Reply-To: <005401cd63aa$baeac2b0$30c04810$@ndzh.com>
Content-Type: multipart/alternative; boundary="------------040108060400060003010205"
Cc: "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, draft-ietf-idr-rfc4893bis.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stbryant@cisco.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 07:23:52 -0000
Sue, John,
Is there any reason not to reword the text concerned to more
conventional format:
OLD
It is a misconfiguration to assign a non-mappable four-octet AS
number as the "Member AS Number" in a BGP confederation before all
the BGP speakers within the confederation have transitioned to
support four-octet AS numbers. Such a misconfiguration would weaken
the AS path loop detection within a confederation.
NEW
A network operator MUST NOT assign a non-mappable four-octet AS
number as the "Member AS Number" in a BGP confederation before all
the BGP speakers within the confederation have transitioned to
support four-octet AS numbers, as such an assignment would weaken
the AS path loop detection within a confederation.
Stewart
On 17/07/2012 00:28, Susan Hares wrote:
>
> Catherine:
>
> I've read and re-read this email for a week (7/9 -- 7/16).
>
> Misconfiguration is a fact of life in networks. Security profiles
> must deal with this point. We can all say you should not misconfigure
> networks -- but life happens. Therefore, I'm confused by your
> question. I would consider it is just a security event the authors
> pointing happens.
>
> On your second comment
>
> "I would also expect that the chance of routing loops arising out
> conversion from 4-octet
> to 2-octet occurring between confederations would be much less than of
> their occurring
> within a confederation (although one can't know for sure without
> knowing what the 4-octet
> to 2-octet mapping is), so following the recommendations in the
> Security Considerations would
> greatly reduce the probability of such a routing loop occurring. Is
> this correct? "
>
> It depends if someone configures a confederation within a
> confederation. [see earlier comment on mis-configuration.] I've
> copied Sandy Murphy in case as SIDR chair can put this discussion into
> a different "security" specific light.
>
> Confused,
>
> Sue
>
> *From:*Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
> *Sent:* Monday, July 09, 2012 2:25 PM
> *To:* iesg@ietf.org; secdir@ietf.org;
> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
> *Cc:* Catherine Meadows
> *Subject:* Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
> (resend of a resend)
>
> I managed to screw up the email address again. Here it is for what I
> hope is the last time.
>
> My apologies again to everyone who receives *three* copies of this
> message.
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document describes an added capability for four-octet Autonomous
> System
> (AS) numbers in BGP. This is intended to replace the older two-octet
> AS numbers,
> since that space is filling up.
>
> In order to preserve backward compatibility, AS's using the four-octet
> systems (called New
> BGP speakers in the document) must advertise both four-octet and
> two-octet AS numbers.
> This is the case even if the New BGP Speaker does not have a globally
> unique two-octet number.
> The document says that in this case the two-octet number is obtained
> by mapping the four-octet
> number to the two-octet space. The procedure for doing this is not
> specified.
>
> The authors identify a risk of routing loops developing when
> ambiguities develops as a
> result of a BGP speaker using the old system aggregating two or more
> routes carrying
> 4-octet attributes. In the Security Configurations Section, the
> authors point out that an
> attacker might be able to exploit this in a denial of service attack.
> They point out that it is
> a misconfiguration to assign 4-octet Member AS Numbers in a BGP
> confederation until all BGP speakers
> within the confederation have transitioned to support 4-octet numbers.
>
> I think that this is a good recommendation. I just have a couple of
> minor comments.
>
> It's not clear to me what the status of "misconfiguration" is in the
> hierarchy of IETF.
> Is it more like SHALL NOT or SHOULD NOT? Is there a reason why you're
> saying
> "misconfiguration" instead of one of those?
>
> I would also expect that the chance of routing loops arising out
> conversion from 4-octet
> to 2-octet occurring between confederations would be much less than of
> their occurring
> within a confederation (although one can't know for sure without
> knowing what the 4-octet
> to 2-octet mapping is), so following the recommendations in the
> Security Considerations would
> greatly reduce the probability of such a routing loop occurring. Is
> this correct?
>
> Cathy Meadows
>
> Catherine Meadows
> Naval Research Laboratory
> Code 5543
> 4555 Overlook Ave., S.W.
> Washington DC, 20375
> phone: 202-767-3490
> fax: 202-404-7942
> email: catherine.meadows@nrl.navy.mil
> <mailto:catherine.meadows@nrl.navy.mil>
>
--
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
- [secdir] Secdir Review of draft-ietf-idr-rfc4893b… Catherine Meadows
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… Stewart Bryant
- Re: [secdir] Spam:*******, Secdir Review of draft… John G. Scudder
- Re: [secdir] Spam:*******, Secdir Review of draft… Adrian Farrel
- Re: [secdir] Spam:*******, Secdir Review of draft… Adrian Farrel
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… Stewart Bryant
- Re: [secdir] Spam:*******, Secdir Review of draft… Catherine A Meadows
- Re: [secdir] Spam:*******, Re: Spam:*******, Secd… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… John G. Scudder
- Re: [secdir] Spam:*******, Secdir Review of draft… Murphy, Sandra
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares
- Re: [secdir] Spam:*******, Secdir Review of draft… John G. Scudder
- Re: [secdir] Spam:*******, Secdir Review of draft… Susan Hares