IETF Logo Mail Archive

Re: [secdir] New Routing Area Security Design Team

Richard Barnes <rlb@ipv.sx> Sun, 22 April 2018 22:51 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F40F9126FDC for <secdir@ietfa.amsl.com>; Sun, 22 Apr 2018 15:51:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5GT-2B03dGP for <secdir@ietfa.amsl.com>; Sun, 22 Apr 2018 15:51:48 -0700 (PDT)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00FAA1200FC for <secdir@ietf.org>; Sun, 22 Apr 2018 15:51:47 -0700 (PDT)
Received: by mail-oi0-x22e.google.com with SMTP id x9-v6so12592123oig.7 for <secdir@ietf.org>; Sun, 22 Apr 2018 15:51:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=gSZQdzu17KQj92kVAXUmuL0TaFAMjNF6xHNYVwXyaao=; b=bgQqMcV1LbtvUQZyg/3YnC4i3do5bDQ2/oerRfYPB/GjNY8DCrfnz1qonR49flFGWC 0CN4G6n6assMt3mJgXD6/5m8iWXG6HXBXcUl8ovBAkNeJidWwuHAJbELXloR/wxmGsvz d6iySk8MHEWq1W07xIqfYAaqot7z82JJXbKYzgjgrvZIU4CwDFciHWMbj7gN9cI5dVWD bL5vdrKN8qw4lsviefyQvu77rXr50M8Y7q23pY3gCbPanVyQz5u+93t5Kch4SxUxro6H o2lWiFxg+BkPJyhyuVXk+WUi5LCGwE+W51qNLR0j59x9550WmZVe0psBK0/0OK5fQdnS SZMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=gSZQdzu17KQj92kVAXUmuL0TaFAMjNF6xHNYVwXyaao=; b=oey9FOsRtVv2dNa0nayrO3FH5zHbs44s3j1+9e6QCPVeCcr+0Hfy0Kj8nHVKiWheRH IQj5wQXz8obE/ObQ9UlFBK0x/kZW1CeJjKnShxOT8HuDvxe1nLNWjO0NX0vnmRaRcCqG vthYlYmZDDZlMNQwqQWfTrBzjUJdeqEvCm5oj2uNm+6S6WjSv2AMVXpnUENqZxveyERd yL9NC5rMcvIhoPxPazwC3gJJNt/btnl6Bu/+MOHxHAKMks/lrjRcLQkn9UlPnSi/+JJu TIia5QwypusWZfhuThUrrMhW9CrPvhTWDM4bXbJma9JbMLw2lf8wFxXlwfehdyWf2gWg YGGg==
X-Gm-Message-State: ALQs6tD7k/pLrmfst8/yKOio0lTyPPfPsP9nYO8/USgZhWZgLRZq9J2N mZj4Cge3vzXvTzrlwfRsowW7IKm91F7FGolAFNnWWg==
X-Google-Smtp-Source: AIpwx49t807orkxQleGHmkfLxtsLrLhU9TyHoFueHAMyIkdOZf5JnwbvU8WTm98UuBZj39oMoNOdS1+wkZrbFQzxC9Y=
X-Received: by 2002:a54:400e:: with SMTP id x14-v6mr5954047oie.77.1524437507174; Sun, 22 Apr 2018 15:51:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.93.90 with HTTP; Sun, 22 Apr 2018 15:51:46 -0700 (PDT)
In-Reply-To: <1c18b4e6-d7ba-1d63-ba53-9292995ad7b0@huitema.net>
References: <F64C10EAA68C8044B33656FA214632C8882C74A7@MISOUT7MSGUSRDE.ITServices.sbc.com> <CAL02cgS9rZKVtZs4aRWJmaQj-anaSqYj8rn8roDdxP+JhBR++A@mail.gmail.com> <F64B6EFA-1CB3-454B-B827-B5886A723D36@pfrc.org> <d37721c3-8e78-6eb8-c0ae-ba0e57a623c3@huitema.net> <026301d3d4e4$380d8b00$a828a100$@riw.us> <209F0EB5-AC41-4D00-8FE6-755802946061@pfrc.org> <CAL02cgTOOVXUXmvoE4JK97i8EeYnHevk4V9ecTepGLcB1YA-2w@mail.gmail.com> <2AD240AE-DF39-4D76-8D6B-BB8AADC6C267@pfrc.org> <024301d3d588$2b8ac6a0$82a053e0$@riw.us> <CAL02cgQaUGi7uq3GA4kdE54z2AUCOqBNYjbYsZT_wAsH-4aYgQ@mail.gmail.com> <0B9DB69A-472E-4FF5-9164-FCFB59C26D64@pfrc.org> <CABBF7D4-2B9B-4403-9C00-63C76906E631@sn3rd.com> <97CBB44D-3236-405C-B62C-C3BEF8DB933D@pfrc.org> <1c18b4e6-d7ba-1d63-ba53-9292995ad7b0@huitema.net>
From: Richard Barnes <rlb@ipv.sx>
Date: Sun, 22 Apr 2018 18:51:46 -0400
Message-ID: <CAL02cgSa+1_BhZ1zBbNo2aAHLemhwYnEA-KBjhw8evmOmT7POQ@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: Jeffrey Haas <jhaas@pfrc.org>, Sean Turner <sean@sn3rd.com>, Russ White <russ@riw.us>, Stewart Bryant <stewart.bryant@gmail.com>, "Acee Lindem (acee)" <acee@cisco.com>, "BRUNGARD, DEBORAH A" <db3546@att.com>, secdir <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000190bde056a77c4ff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/c4Art7jkT4iQ9-Hqh-KyO_ypUZU>
Subject: Re: [secdir] New Routing Area Security Design Team
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Apr 2018 22:51:51 -0000

On Sun, Apr 22, 2018 at 6:17 PM, Christian Huitema <huitema@huitema.net>
wrote:

> On 4/22/2018 2:57 PM, Jeffrey Haas wrote:
>
> > As I point out in my slides, a significant part of this headache is an
> ecosystem issue.  I write mostly BGP related software as part of my day
> job.  I'm aware of better security practices.  I don't control the TCP/IP
> stack I get to use - and these things are not implemented in our routing
> suite.  Yelling at me to have better security at those layers is a NOP; at
> best I pass them back up to product managers to get it done in the people
> who manage those layers.**
>
> That's actually part of the secure transport selection problem. TCP-MD5
> and TCP-AO are not used a lot outside of BGP. They may be standardized,
> but they are not really "mainline". And as such, you may or may not find
> it available in your OS of choice. And as you write, as BGP developer
> you have little control over that. Mainline applications are content
> with TLS, but that won't solve the TCP-RST issue that you are concerned
> about. IPSEC will solve it, but at the cost of interesting management
> issues. I really wonder whether the practical solution might be to
> standardize on a transport like QUIC that runs over UDP. Of course, QUIC
> is not really mainline, at least not yet. But the code can be compiled
> with the application, independently of the OS. So as a BGP developer,
> you could just ship it with your code. You would in fact control the
> transport stack that you use.
>

This seems like a really useful analysis approach.  The bias in this work
should be toward transport protocols that other apps use -- since in the
context we're talking about here, routing is just another application.  So
we should start with the default, mainline protocols (TLS, IPsec), and look
at where they don't fit.

In otherwords: I would prefer to see this group not have as a goal
"Universal deployment of TCP-[MD5|AO]", but rather "Removal of custom hacks
from the ecosystem and replacement by a more mainline protocol".   Let's
bring routing protocols into the applications fold to the greatest degree
possible.

--Richard




>
> -- Christian Huitema
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>

v2.23.0 | Report a Bug | By Email