Re: [secdir] Security review of draft-ietf-grow-diverse-bgp-path-dist-07

"Hilarie Orman" <> Thu, 19 July 2012 18:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5A55A21F86BD; Thu, 19 Jul 2012 11:22:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MjWgGBRMobFW; Thu, 19 Jul 2012 11:22:41 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4AD9D21F86B6; Thu, 19 Jul 2012 11:22:41 -0700 (PDT)
Received: from ([]) by with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from <>) id 1SrvNs-000602-7c; Thu, 19 Jul 2012 12:23:32 -0600
Received: from ([] by with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <>) id 1SrvNo-0007GT-TC; Thu, 19 Jul 2012 12:23:32 -0600
Received: from (localhost []) by (8.14.4/8.14.3/Debian-9.1ubuntu1) with ESMTP id q6JIKiKC026715; Thu, 19 Jul 2012 12:20:44 -0600
Received: (from hilarie@localhost) by (8.14.4/8.14.4/Submit) id q6JIKhGv026714; Thu, 19 Jul 2012 12:20:43 -0600
Date: Thu, 19 Jul 2012 12:20:43 -0600
Message-Id: <>
From: Hilarie Orman <>
In-reply-to: Yourmessage <>
X-XM-SPF: eid=; ; ; mid=; ; ;; ; ; ip=; ; ;; ; ; spf=none
X-XM-DomainKey:; ; ;; ; ; status=error
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: ***;
X-SA-Exim-Version: 4.2.1 (built Fri, 06 Aug 2010 16:31:04 -0600)
X-SA-Exim-Scanned: Yes (on
Subject: Re: [secdir] Security review of draft-ietf-grow-diverse-bgp-path-dist-07
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Hilarie Orman <>
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Jul 2012 18:22:42 -0000

Thanks for explaining the GROW WG, I apologize for not reading its
charter before writing my review.  Other comments inline.

>  Date: Thu, 19 Jul 2012 00:29:58 +0200
>  From: Robert Raszuk <>
>  MIME-Version: 1.0
>  To: Hilarie Orman <>
>  CC:,,
>  Subject: Re: Security review of draft-ietf-grow-diverse-bgp-path-dist-07
>  Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>  Content-Transfer-Encoding: 7bit

>  Dear Hilarie,

>  Many thx for your comments and apologies for delayed reply. Let me 
>  attempt to clarify some of the points you raised hoping that they may 
>  shed some more light on the topic.

>  > This document presents a mechanism for distributing redundant BGP
>  > paths based on the concept of parallel route reflector planes.  It
>  > does not need any changes to the BGP protocol definition.
>  >
>  > The general notion is that different groups of route reflectors would
>  > be assigned find the "nth best route" where n varies from 1 to a small
>  > number.  All n routes would be presented to devices connected to the
>  > route reflectors.  This in turn would enable a multitude of benefits:
>  > quick routing restoration, load balancing, and churn reduction.

>  Correct.

>  > The point of making this an IETF document is odd.  Its fundamental
>  > message is "instead of using extensions to BGP for additional paths,
>  > you could use route reflectors configured for nth best path."  And, as
>  > it turns out, Cisco makes such a product.

>  I am perhaps missing the background of the above comment, but please 
>  keep in mind that this document is worked on in GROW WG. This working 
>  group is not tasked to define new protocol extensions, but to document 
>  operational solutions to existing problems. GROW WG also provides best 
>  common practices documentation. IMHO the more solutions GROW or any 
>  other working group in IETF defines which do not require new protocol 
>  extension the faster velocity of improvement to Internet and other IP 
>  based services can be accomplished.

>  > The draft is sketchy on how route reflectors actually work,

>  True. But this is very well documented in RFC4456 and this draft does 
>  not intend to update that RFC. In fact the draft does not changes any 
>  route reflection protocol assumptions.

>  > Still, we do not get to know if route reflectors put additional,
>  > proprietary, information on the wire,

>  They do not otherwise the specification would be a protocol extension 
>  which you correctly already observed it is not.

>From the draft, it was not apparent to me that RR communication was
specified in RFC4456.  I should have read the RFC, but shouldn't that
be a normative reference?  Also, as an editorial issue, it would help
to have some specific references to it in the descriptions of the
various routing plane scenarios.

>  > how a listener could inquire about their configuration,

>  I am not sure what do you mean by that in the light of regular IBGP 
>  session between route reflector and it's client.

A nit --- "its".

>  > or what the stability and failure properties might be.

>  The stability and failure property is identical to any other iBGP 
>  session today.

>  > All of this makes for difficulties in doing a security analysis.  The
>  > document asserts that all security problems are subsumed by prior work
>  > in analyzing BGP security.  This might be true, but BGP has a number
>  > of documented vulnerabilities, and the new paths might multiply them.

>  While I understand your point it is extremely broad. One way of possible 
>  comparison would be to compare it with full mesh IBGP peering as in this 
>  case all clients would see all paths in the domain (assuming best 
>  external is enabled).

My only point is that the burden of this should be on the writers of
the drafts.  I gather that it is common practice to keep saying
"no additional security concerns" without looking at what the base
security concerns are.  Surely it is worth some "consideration"?

>  > Should BGP listeners trust the additional paths?

>  Yes. Remember those are intra-domain paths. Would BGP speaker trust any 
>  other iBGP peer ?

>  > Are opportunities for spoofing increased because listeners should
>  > expect more paths?
>  > What are the interactions between spoofed failures and switching to
>  > one of the diverse paths?  Could route reflectors be tricked into
>  > permuting the path ordering so fast that paths never stabilize?

>  I am not clear what spoofing risk you are referring to above.

RFC4272 refers to several kinds of attacks that compromise the
authentication.  You might reference that in the security consideration

>  > I think that the security considerations should address potential
>  > problems in the context of the previous analyses of BGP security, if
>  > this is indeed a protocol document in the ordinary IETF sense.
>  > Perhaps it is not, maybe it is an infrastructure configuration guide
>  > or an argument against BGP add-paths extensions.  I can't tell.

>  This document is to provide very easy solution for BGP speaker to 
>  receive more then best path. In most applications two paths is sufficient.

>  So the main objective of this document is to observe that by simply 
>  adding new session between RR and it's client RR can be instructed to 
>  send a 2nd best/backup path on such session.

>  Both above described functions are already very commonly available in 
>  number of BGP implementations. Authors just combine both to achieve easy 
>  deployable solution which does not require massive network wide upgrades 
>  which as I am sure we all realize may take years.

All well and good.  I'd like to note that your text is much clearer
than anything in the draft; you might use it in the abstract.  You might
use that style (short, simple sentences) as a guide to revising the

Nonetheless, any new usage of a protocol may have security
implications, and it is worthwhile asking if known security issues
might lead to some new form of compromised functionality.