Re: [secdir] New Routing Area Security Design Team

"BRUNGARD, DEBORAH A" <db3546@att.com> Fri, 13 April 2018 22:00 UTC

From: "BRUNGARD, DEBORAH A" <db3546@att.com>
To: Richard Barnes <rlb@ipv.sx>
CC: "secdir@ietf.org" <secdir@ietf.org>, "russ@riw.us" <russ@riw.us>, "Jeffrey Haas (jhaas@pfrc.org)" <jhaas@pfrc.org>, "Stewart Bryant (stewart.bryant@gmail.com)" <stewart.bryant@gmail.com>, "Acee Lindem (acee) (acee@cisco.com)" <acee@cisco.com>
Thread-Topic: [secdir] New Routing Area Security Design Team
Thread-Index: AdPTYCpdxrWraEBxSTyykispJqF3TQAJkpIAAAdQxTA=
Date: Fri, 13 Apr 2018 21:55:39 +0000
Message-ID: <F64C10EAA68C8044B33656FA214632C8882C7627@MISOUT7MSGUSRDE.ITServices.sbc.com>
References: <F64C10EAA68C8044B33656FA214632C8882C74A7@MISOUT7MSGUSRDE.ITServices.sbc.com> <CAL02cgS9rZKVtZs4aRWJmaQj-anaSqYj8rn8roDdxP+JhBR++A@mail.gmail.com>
In-Reply-To: <CAL02cgS9rZKVtZs4aRWJmaQj-anaSqYj8rn8roDdxP+JhBR++A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_b5MqBUS1LMEg85_gwMQcVZGaNE>
Subject: Re: [secdir] New Routing Area Security Design Team

Hi Richard,

Thanks for the mail-

I see Acee has already answered – as he says – the first step is to nail down what are the real security considerations vs. the blanket over top “No new security considerations introduced”.

We all know there is a significant time window for deployment of any new capability. There are many dependencies, vendors not supporting, operators not giving priority. And the “big one”, it is very difficult for an operator to upgrade if everything is working fine today because we all know at least one upgrade claiming to be failsafe which went wrong. We can write MOPs/simulate/test all day long, but the folks “pushing the button” into production are the ones with the nervous breakdowns.

We tried with KARP to improve, but it was very difficult. With this team, we want to review “what are the use cases/threat models”, “what should be the security considerations”. The target is to understand where we can improve - have we (IETF) made a smooth transition operationally possible? Are there gaps – security or operational – which would help deployments? We’ve already discussed with the Security ADs and OPS ADs – and they are ready to support us – hopefully this time we can do better.

As you say – we need more than RFCs if we are to raise awareness/support deployment. All possibilities are on the table.

Deborah


From: Richard Barnes [mailto:rlb@ipv.sx]
Sent: Friday, April 13, 2018 4:21 PM
To: BRUNGARD, DEBORAH A <db3546@att.com>
Cc: secdir@ietf.org; russ@riw.us; Jeffrey Haas (jhaas@pfrc.org) <jhaas@pfrc.org>; Stewart Bryant (stewart.bryant@gmail.com) <stewart.bryant@gmail.com>; Acee Lindem (acee) (acee@cisco.com) <acee@cisco.com>
Subject: Re: [secdir] New Routing Area Security Design Team

(trimming the CC list a bit)

Hey Deborah,

Delighted to hear this news.  Do you have an idea of what the initial deliverables are for this group?  What security problems are they going to try to address?

TBH, it seems like the headline problem at the Internet level is BGP abuse.  The base RPKI docs have been out for several years now, and BGPSEC is pretty much finished, but the deployment numbers continue to hover around 8-9% for even the most basic protections.  It would be delightful to have a group take a look at what the deployment blockers are here, and whether there's anything the IETF could do to help, whether it's updating protocols, producing deployment guides, writing code, etc.  We shouldn't think that RFCs are the only tool in our arsenal.

Thanks,
--Richard

[1] https://rpki-monitor.antd.nist.gov/


On Fri, Apr 13, 2018 at 4:11 PM, BRUNGARD, DEBORAH A <db3546@att.com> wrote:
The Routing ADs have chartered a design team as described below.

I will be the AD-contact: db3546@att.com

Routing Area Security Design Team Charter

Internet security threats have evolved in the last couple of years and questions are arising about the security properties of many long-standing IETF routing protocols and new protocols under development. This is an opportunity for the Routing Area to evaluate current assumptions and make recommendations for new work.

The Routing Area will kick off a Routing Area-wide Design team with support from the OPS Area and Security Area. The first phase will consist of a small team:

Stewart Bryant <stewart.bryant@gmail.com>
Jeff Haas <jhaas@pfrc.org>
Acee Lindem <acee@cisco.com>
Russ White <russ@riw.us>

They will be responsible for setting up an environment (e.g. a wiki), identifying work items, and coordinating the overall work effort. It is the expectation that this initial phase will be done by May 1. A second phase will consist of small teams working on targeted items. Work items will include review of current deployments (use models) and threat models, evaluation criteria and useful advice when doing new work (on existing protocols and new protocols), and recommendations on where new work is needed in cooperation with the responsible working group. The work will have support from the Security Area and OPS Area.

The design team will have a private mailing list for this first phase and can be reached at rt-dt-security@ietf.org.

Regards,
Deborah


