Re: [secdir] Secdir review of draft-ietf-idr-ix-bgp-route-server-10
"Waltermire, David A. (Fed)" <david.waltermire@nist.gov> Fri, 10 June 2016 22:49 UTC
From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: Nick Hilliard <nick@foobar.org>
Thread-Topic: Secdir review of draft-ietf-idr-ix-bgp-route-server-10
Date: Fri, 10 Jun 2016 22:48:57 +0000
Message-ID: <DM2PR09MB036520DB96B25FB989BBA697F0500@DM2PR09MB0365.namprd09.prod.outlook.com>
References: <DM2PR09MB0365563370AB330550517C50F05C0@DM2PR09MB0365.namprd09.prod.outlook.com> <575B40CD.2030404@foobar.org>
In-Reply-To: <575B40CD.2030404@foobar.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/hKTGZbPaAW1lAkzATfuvpY7F41s>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-idr-ix-bgp-route-server.all@ietf.org" <draft-ietf-idr-ix-bgp-route-server.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-idr-ix-bgp-route-server-10
Nick,

Thank you for following up on my review.

> -----Original Message-----
> From: Nick Hilliard [mailto:nick@foobar.org]
> Sent: Friday, June 10, 2016 6:36 PM
> To: Waltermire, David A. (Fed) <david.waltermire@nist.gov>
> Cc: secdir@ietf.org; iesg@ietf.org; draft-ietf-idr-ix-bgp-route-server.all@ietf.org
> Subject: Re: Secdir review of draft-ietf-idr-ix-bgp-route-server-10
>
> Hi Dave,
>
> thank you for your review.
>
> Waltermire, David A. (Fed) wrote:
> > The following is a minor nit on the organization of the text:
> >
> > In general the security considerations section covers the issues
> > fairly well. In the first paragraph, the last sentence suggests that
> > steps should be taken to address path hiding, but the text does not
> > point to the text in section 2.3.2 on this topic. One way to improve
> > this consideration would be to move the text in 2.3.3 to the end of
> > this paragraph. Section 2.3.3 is adjacent to the security
> > consideration section, so I don't see this as a significant change.
>
> I see what you're saying here, but we wanted to have a specific
> recommendations section in the main body of the draft. The security
> considerations section is clear about what needs to be done and the
> reference is given a couple of lines previously. We've also added some more
> text to the Implementation Suggestions section (after a suggestion from
> Alvaro), so in the current version, it would probably look a bit peculiar to
> move the path hiding recommendation into the security considerations
> section.

I am ok with this.

> > Some (potentially) minor issues:
> >
> > A number of the requirements in section 2.2 and the subsections define
> > requirements that differ and often conflict with requirements in RFC
> > 4271. It would be good to indicate this at the start of 2.2.
>
> yes, good point. [commit #8c113b3]

Thanks.

> > Should this relationship also be called out in the abstract?
>
> Mmm, it's already in the introduction and now in section 2.0. Having it in
> three places would be repetitive.

Agreed.

> > I am not an expert in BGP security, so please consider this issue in
> > that context:
> >
> > The statement at the end of the security considerations section points
> > the reader to RFC7454. I was left wondering if this draft changes any
> > of considerations in RFC7454. It would be beneficial if some text was
> > added to this draft speaking to this point. Again not being an expert
> > in BGP security, I am not certain what the new text should say on this
> > matter.
>
> The short answer is that it mostly doesn't.
>
> The longer answer is that this ID is a draft about RS implementations rather
> than RS operations. There is a parallel draft
> (ietf-grow-ix-bgp-route-server-operations), where this reference and comment
> are more appropriate instead. RFC7454 didn't make it into the -operations
> draft because it was published after the last update was done. I've just
> made a note to add this into the operations draft during AUTH48, along with
> a side note to say that care needs to be taken with section 11 of RFC7454.

Thanks for the clarification. What you are suggesting sounds reasonable.

> I've just posted draft -11. Can you check if this deals with your comments?
>
> Nick

Draft -11 looks good.

Thanks,
Dave