[secdir] Secdir review of draft-ietf-bess-orf-covering-prefixes-03
"Brian Weis (bew)" <bew@cisco.com> Mon, 16 February 2015 22:16 UTC
Return-Path: <bew@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F02781A6F22; Mon, 16 Feb 2015 14:16:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmuFhQ3G6ZiL; Mon, 16 Feb 2015 14:16:28 -0800 (PST)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B07F1A6ED9; Mon, 16 Feb 2015 14:16:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1358; q=dns/txt; s=iport; t=1424124988; x=1425334588; h=from:to:cc:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=jPdg5GhXh8Il9rsLMTgFoYvdNGwk+dGNAtHLaF6nslg=; b=c8YDPMcQoT5xBM+kZ1O1El1Qp3lGJSxZRpQPpsJmD5bpO8ykNWSPoGwB Tw82Ye6F85AHl/RwjsSuSeDEoeyOlKu56XUHXFOFsOj1lYZ7mU+zKNF7Y VsWrbjR9sYPyVZ8VoPjKivUGiKgl84J5UprPHJ3Q6QOn/tp+gTnjdYEh4 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AHBQAXa+JU/5NdJa1bgwaBMMgtgRpDAQEBAQEBfIQTOj8SAT5CJwQBDYgyzjMBAQEBAQEBAQEBAQEBAQEBAQEBGY8iV4MdgRQFjziJN5MNIoNugXJBfwEBAQ
X-IronPort-AV: E=Sophos;i="5.09,590,1418083200"; d="scan'208";a="396592467"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-7.cisco.com with ESMTP; 16 Feb 2015 22:16:28 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com [173.37.183.83]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id t1GMGRai030043 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 16 Feb 2015 22:16:28 GMT
Received: from xmb-aln-x04.cisco.com ([169.254.9.126]) by xhc-rcd-x09.cisco.com ([173.37.183.83]) with mapi id 14.03.0195.001; Mon, 16 Feb 2015 16:16:27 -0600
From: "Brian Weis (bew)" <bew@cisco.com>
To: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: Secdir review of draft-ietf-bess-orf-covering-prefixes-03
Thread-Index: AQHQSjY0yliOlRO3G0WC3nxhYyYkig==
Date: Mon, 16 Feb 2015 22:16:26 +0000
Message-ID: <DC01E021-C648-46AA-B047-0F24E4BC2F5C@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.154.160.193]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <E97B354A605C3F4395DA903F84C17CB9@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/ku2meQxLq2L8438QAqfmfrxXRVo>
Cc: "draft-ietf-bess-orf-covering-prefixes.all@tools.ietf.org" <draft-ietf-bess-orf-covering-prefixes.all@tools.ietf.org>
Subject: [secdir] Secdir review of draft-ietf-bess-orf-covering-prefixes-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Feb 2015 22:16:30 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines a new type of Outbound Route Filter (ORF), which is a directive sent to a BGP speaker requesting it to drop packets matching the filter. This can be used to avoid propogating traffic that will be filtered after delivery. The new ORF type is a Covering Prefixes ORF (CP-ORF), which has additional flexibility in specififying which addresses are to be filtered. The CP-ORF is stated as being useful within Virutal Hub-and-Spoke VPNs and EVPNs, both of which include a set of cooperating BGP speakers implementing a private network. Given that there is a general trust between the BGP speakers, the security considerations of the CP-ORF are few. The Security Considerations section describes how a BGP speaker can limit resource usage, and there is a pointer to the Security Considerations section of RFC 4271, which describes more generally how a BGP speaker can reject ORFs due to an unwillingness to use additional resources. I consider this document Ready To Publish. Brian
- [secdir] Secdir review of draft-ietf-bess-orf-cov… Brian Weis (bew)