Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30

Susan Hares <shares@ndzh.com> Tue, 23 April 2024 23:18 UTC

From: Susan Hares <shares@ndzh.com>
To: Magnus Nyström <magnusn@gmail.com>
CC: Kaliraj Vairavakkalai <kaliraj@juniper.net>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-idr-bgp-ct.all@ietf.org" <draft-ietf-idr-bgp-ct.all@ietf.org>, "idr@ietf.org" <idr@ietf.org>
Date: Tue, 23 Apr 2024 23:18:24 +0000
Message-ID: <CO1PR08MB6611165230FC47F88B7AAC8EB3112@CO1PR08MB6611.namprd08.prod.outlook.com>
References: <171255343637.3005.42205344596392120@ietfa.amsl.com> <SJ0PR05MB8632FDD8A3852BA61687C652A2072@SJ0PR05MB8632.namprd05.prod.outlook.com> <DM6PR08MB4857BF2A91EFF6DD1E3EDE3FB3072@DM6PR08MB4857.namprd08.prod.outlook.com> <CADajj4ZODE8DjCiwnj281yWLUTw-xYMye-4Lbs0nLBNmxfS-SQ@mail.gmail.com>
In-Reply-To: <CADajj4ZODE8DjCiwnj281yWLUTw-xYMye-4Lbs0nLBNmxfS-SQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YrcJeLUs_Ikxmqqv-CKEtOVz5ok>
Subject: Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30

Magnus:

Thank you for your feedback.  See my comments below.

I will request that the authors change the “could” to a “should” before submitting to the draft-ietf-idr-bgp-ct in the following sentence:
Old text: /  “In order to mitigate the risk of the diversion of traffic from its intended destination,  existing BGPsec solutions could be extended and supported for this SAFI.”/
New text:/ “In order to mitigate the risk of the diversion of traffic from its intended destination,  existing BGPsec solutions should be extended and supported for this SAFI.”/
Cheerily, Sue Hares

From: Magnus Nyström <magnusn@gmail.com>
Sent: Tuesday, April 23, 2024 4:20 PM
To: Susan Hares <shares@ndzh.com>
Cc: Kaliraj Vairavakkalai <kaliraj@juniper.net>; secdir@ietf.org; draft-ietf-idr-bgp-ct.all@ietf.org; idr@ietf.org
Subject: Re: [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30


Hi Sue and apologies for my tardiness. See below.

On Tue, Apr 9, 2024 at 4:30 PM Susan Hares <shares@ndzh.com> wrote:
Magnus:

As shepherd of the draft-ietf-idr-bgp-ct draft,  I need additional information about your review.   Would you help me by answering three questions?
For these questions, imagine a series of networks cooperating to get traffic between either: a) two data centers or b) between data centers and user phones.
Thank you, Sue Hares
Question 1:  What are you assuming is involved in BGPsec solutions?
The text in draft-ietf-idr-bgp-ct-30 states in the security section:
“To mitigate any risk of manipulating the routing information carried within a new SAFI, BGP origin validation [RFC6811] and BGPsec [RFC8205]  MAY be used as means to increase assurance that the information  has not been falsified.”
 AND
 “In order to mitigate the risk of the diversion of traffic from its intended destination,  existing BGPsec solutions could be extended and supported for this SAFI.”
 This points to basic protocols plus solutions augmented to support this for the BGP Updates with the AFI/SAFIs that include the CT SAFI.
Are you taking “BGPSec solutions” to mean:

  a.  implementations are being extended to work with CT AFI/SAFI, or

  b.  additions to IETF protocols for BGPsec that include additional features?
My understanding is that “BGPsec solutions” in the CT document is adding BGPsec protocol + Origin validation to implementations supporting CT.

MN: Right, I did not expect additions to IETF protocols for BGPsec would be required (beyond what possibly is in this memo already), but I was wondering if that "could" was intended to be a "should" (or should be a "should"). I mean, pretty much everything "could" always be enhanced.

Sue2: Many operators utilize Origin Validation along with private links to provide scalable security. Since CT is targeted at the provider space with private links, this may be the most deployed solution.  BGPsec could be extended to support this SAFI.
Sue2: I’ll suggest the authors change the following sentence to:

Old text:/  “In order to mitigate the risk of the diversion of traffic from its intended destination,  existing BGPsec solutions could be extended and supported for this SAFI.”/
New text:/  “In order to mitigate the risk of the diversion of traffic from its intended destination,
       existing BGPsec solutions (e.g. BGPsec or Route Origin Validation) should be extended and supported for this SAFI.”/

2) Are you familiar with the potential additions to BGPsec and Origin Validation?

One could secure other attributes that do not change between routers within the BGP Update packet.  These attributes could be secured separately from the BGP Path attribute.   The benefit of securing such things as the “BGP Tunnel Encapsulation Attribute” may aid in securing the distribution of tunnel endpoints within a domain containing multiple AS within a network.

One could register locally Origin validation specific to the transport addresses used by CAR and CT.

MN: I am not familiar with those additions and not sure how they would read on this CT work; I will have to defer to others on this.
Sue-2: Thank you for letting me know.

3) Are you familiar with the amount of Configuration involved in these features?
You mention this text in your review:
"The restriction of the applicability of this SAFI to its intended well-defined scope limits the
likelihood of traffic diversions. Furthermore, as long as the filtering and
appropriate configuration mechanisms discussed previously are applied
diligently, risk of the diversion of the traffic is significantly mitigated."
This text was written to indicate (as described in the CT document)

  1.  Networks are filtering offered data traffic into different service levels (e.g. gold, silver, bronze service levels),

This filtering includes normal filtering of traffic against DDOS and other attack traffic.

  2.  Data traffic is placed on set-up transport pathways created by the BGP protocols.

  3.  Back-up pathways are also set up by the BGP protocol with input from IGP protocols.
All of this setup requires a great deal of configuration on the nodes.

MN: I agree, and this goes back to my question there - are the extensions a "could" or a "should". For example, if the configuration will be so involved as to be likely to cause incidents because of incorrectness from a security perspective, maybe that "could" is a "should"?

Sue-2:  Thank you for your response. Most operators run the configuration from automated systems where double checks are made before deployment.  Origin Validation catches many of the current set of issues, but BGP should continually work toward improving security levels.

Sue-2: (resolution):  I agree with adding "should" to the previous sentence.

From: Kaliraj Vairavakkalai <kaliraj@juniper.net>
Sent: Monday, April 8, 2024 10:38 PM
To: Magnus Nyström <magnusn@gmail.com>; secdir@ietf.org
Cc: draft-ietf-idr-bgp-ct.all@ietf.org; idr@ietf.org
Subject: Re: [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30


Hi Magnus,

> was this meant to say "existing BGPsec solutions" or "the existing BGP solution"?

I think we should change it to ‘existing BGP solutions’. Agree.

Thanks,
Kaliraj



From: Idr <idr-bounces@ietf.org> on behalf of Magnus Nyström via Datatracker <noreply@ietf.org>
Date: Sunday, April 7, 2024 at 10:17 PM
To: secdir@ietf.org
Cc: draft-ietf-idr-bgp-ct.all@ietf.org, idr@ietf.org
Subject: [Idr] Secdir early review of draft-ietf-idr-bgp-ct-30


Reviewer: Magnus Nyström
Review result: Has Nits

Comparing with my original review (-18) the authors have addressed my concerns.
There is one remaining, probably smaller, issue: The Security Considerations
section states: "In order to mitigate the risk of the diversion of traffic from
its intended destination, existing BGPsec solution could be extended and
supported for this SAFI." - was this meant to say "existing BGPsec solutions"
or "the existing BGP solution"? Also, it isn't clear how BGPsec should be
extended - and if it would provide any substantial benefit over the mechanisms
described herein (the remainder of this paragraph states: "The restriction of
the applicability of this SAFI to its intended well-defined scope limits the
likelihood of traffic diversions. Furthermore, as long as the filtering and
appropriate configuration mechanisms discussed previously are applied
diligently, risk of the diversion of the traffic is significantly mitigated.").


_______________________________________________
Idr mailing list
Idr@ietf.org
https://www.ietf.org/mailman/listinfo/idr


--
-- Magnus