[secdir] Secdir review of draft-ietf-bess-orf-covering-prefixes-03

"Brian Weis (bew)" <bew@cisco.com> Mon, 16 February 2015 22:16 UTC

Return-Path: <bew@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id F02781A6F22; Mon, 16 Feb 2015 14:16:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id YmuFhQ3G6ZiL; Mon, 16 Feb 2015 14:16:28 -0800 (PST)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B07F1A6ED9; Mon, 16 Feb 2015 14:16:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1358; q=dns/txt; s=iport; t=1424124988; x=1425334588; h=from:to:cc:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=jPdg5GhXh8Il9rsLMTgFoYvdNGwk+dGNAtHLaF6nslg=; b=c8YDPMcQoT5xBM+kZ1O1El1Qp3lGJSxZRpQPpsJmD5bpO8ykNWSPoGwB Tw82Ye6F85AHl/RwjsSuSeDEoeyOlKu56XUHXFOFsOj1lYZ7mU+zKNF7Y VsWrbjR9sYPyVZ8VoPjKivUGiKgl84J5UprPHJ3Q6QOn/tp+gTnjdYEh4 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.09,590,1418083200"; d="scan'208";a="396592467"
Received: from rcdn-core-11.cisco.com ([]) by rcdn-iport-7.cisco.com with ESMTP; 16 Feb 2015 22:16:28 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com []) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id t1GMGRai030043 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 16 Feb 2015 22:16:28 GMT
Received: from xmb-aln-x04.cisco.com ([]) by xhc-rcd-x09.cisco.com ([]) with mapi id 14.03.0195.001; Mon, 16 Feb 2015 16:16:27 -0600
From: "Brian Weis (bew)" <bew@cisco.com>
To: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: Secdir review of draft-ietf-bess-orf-covering-prefixes-03
Thread-Index: AQHQSjY0yliOlRO3G0WC3nxhYyYkig==
Date: Mon, 16 Feb 2015 22:16:26 +0000
Message-ID: <DC01E021-C648-46AA-B047-0F24E4BC2F5C@cisco.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-ID: <E97B354A605C3F4395DA903F84C17CB9@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/ku2meQxLq2L8438QAqfmfrxXRVo>
Cc: "draft-ietf-bess-orf-covering-prefixes.all@tools.ietf.org" <draft-ietf-bess-orf-covering-prefixes.all@tools.ietf.org>
Subject: [secdir] Secdir review of draft-ietf-bess-orf-covering-prefixes-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Feb 2015 22:16:30 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should
treat these comments just like any other last call comments.

This document defines a new type of Outbound Route Filter (ORF),
which is a directive sent to a BGP speaker requesting it to drop
packets matching the filter. This can be used to avoid propogating
traffic that will be filtered after delivery. The new ORF type is
a Covering Prefixes ORF (CP-ORF), which has additional flexibility
in specififying which addresses are to be filtered.

The CP-ORF is stated as being useful within Virutal Hub-and-Spoke
VPNs and EVPNs, both of which include a set of cooperating BGP
speakers implementing a private network. Given that there is a
general trust between the BGP speakers, the security considerations
of the CP-ORF are few. The Security Considerations section describes
how a BGP speaker can limit resource usage, and there is a pointer
to the Security Considerations section of RFC 4271, which describes
more generally how a BGP speaker can reject ORFs due to an 
unwillingness to use additional resources.

I consider this document Ready To Publish.