Re: [secdir] Secdir review of draft-ietf-idr-bgp-flowspec-oid-13

"Juan Alcaide (jalcaide)" <jalcaide@cisco.com> Mon, 03 May 2021 10:36 UTC

From: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
To: Magnus Nyström <magnusn@gmail.com>, secdir@ietf.org, draft-ietf-idr-bgp-flowspec-oid@ietf.org
Date: Mon, 3 May 2021 10:36:11 +0000
Message-ID: <DM6PR11MB3194503DF53A14C12FC749E4CD5B9@DM6PR11MB3194.namprd11.prod.outlook.com>
In-Reply-To: <CADajj4aN=cr-sxjMrmiSxsptwpOZWcH73dWhrtPrruahEQcNJg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/qBaRoRGiibw-uuWd37vX8kmSqQ8>
Subject: Re: [secdir] Secdir review of draft-ietf-idr-bgp-flowspec-oid-13
List-Id: Security Area Directorate <secdir.ietf.org>

Thanks for your comments, Magnus

Inline..

From: Magnus Nyström <magnusn@gmail.com>
Sent: Monday, May 3, 2021 6:44 AM
To: secdir@ietf.org; draft-ietf-idr-bgp-flowspec-oid@ietf.org
Subject: Secdir review of draft-ietf-idr-bgp-flowspec-oid-13

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes "a modification to the validation procedure defined for the dissemination of BGP Flow Specifications." More specifically, the memo describes a mechanism which relaxes the existing validation rule that requires Flow Specifications to be originating from the originator of the best-match unicast route, and now allows such specifications to be originated within the same AS as the validator. As a result, the Security Considerations section does call out: "The original AS_PATH validation rule ([RFC4271] section 6.3 <https://tools.ietf.org/html/rfc4271#section-6.3>) becomes hereby optional (section 4.2 <https://tools.ietf.org/html/draft-ietf-idr-bgp-flowspec-oid-13#section-4.2>). If that original rule is actually not enforced it may introduce some security risks. A peer (or a client of a route server peer) in AS X could advertise a rogue Flow Specification route...." and "If [the originator of a rule] is known for a fact not to be a route server, that optional rule SHOULD be enforced for Flow Specification routes."

It is not clear to me how a validator would know "for a fact" that a peer isn't a route server, and thus that it would have to enforce the now-optional path validation rule. It seems some clarity on this would be good such that implementations have less of a risk of accepting flow specifications from unauthorized parties, even if they are in the same AS.

[JUAN]: This paragraph was not intended to pressure the operator to know if the peer was a route server; it was just an 'if'. Note it's the same case for RFC4271:

   If the UPDATE message is received from an external peer, the local
   system MAY check whether the leftmost (with respect to the position
   of octets in the protocol message) AS in the AS_PATH attribute is
   equal to the autonomous system number of the peer that sent the
   message.


Note that the same challenge of identifying route servers applies for other address-families.
Note also that the route-server itself may enforce the rule.

What about for clarity:

   The original AS_PATH validation rule ([RFC4271] section 6.3) remains hereby still optional
   (section 4.2) for the Flow Specification Address Family (the changes introduced in [RFC5575] are cancelled).
   If that original rule is not enforced for Flow Specification, it may introduce some new security risks.
   A peer (or a client of a route server peer) in AS X could advertise a rogue Flow
   Specification route whose first AS in AS_PATH was Y (assume Y is the
   first AS in the AS_PATH of the best-match unicast route).  This risk
   is impossible to prevent if the Flow Specification route is received
   from a route server peer.  If that peer is known for a fact not to be
   a route server, that optional rule SHOULD be enforced for Flow
   Specification routes. Note that identifying those peers that are route servers may pose an
   operational challenge. If the condition of the peer is unknown, the rule SHOULD NOT be
   enforced.

   A route server itself may be in a good position to enforce the AS_PATH validation rule described
   in the previous paragraph. If a route server knows it is not peering with any other route server,
   it can enforce the AS_PATH validation rule across all its peers. If, in addition to that,
   the route server is trusted, the security threat described above disappears.



Anybody feel free to reword the two paragraphs above if it helps them for clarity.



Editorial:

  *   "Let's consider the particular case where the Flow Specification is originated in any location within the same autonomous system than the speaker performing the validation (for example by a centralized BGP route controller), and the best-match unicast route is originated in another autonomous system." - should the word "than" be replaced with "that" here?
[JUAN]: Thanks for pointing that out. A bit of googling tells me that the even better grammatical choice would be 'same as' in this case. I'll be using 'same as' unless you disagree.


  *   In the security considerations section, "becomes hereby optional" could probably be simplified to "becomes optional" or similar, and "actually" could be removed.
[JUAN]: Hmmm, I thought that it was important to emphasize that it becomes optional because of *this* draft's redefinition of the rules. Don't you think it's important? (Whatever wording you want to use.) Regardless, refer to my two reworded paragraphs above for that section.




Thanks,
-- Magnus
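The policy the two proposed Security Considerations paragraphs describe, as an added worked example for this archive page (not code from the draft authors, the secdir reviewer, or any BGP implementation). It models the same-AS relaxation, the optional RFC 4271 section 6.3 leftmost-AS check, the "enforce only when the peer is known for a fact not to be a route server" decision, and the rogue route from AS X whose AS_PATH claims Y. The names Route, Peer, validate_flowspec and run_scenarios, the prefix and the AS numbers are constructed for the example; "originator" is simplified to the origin AS at the right end of AS_PATH, and the full validation procedure has further conditions (for instance the check on more-specific unicast routes) that are not modelled here.

```python
"""Toy model of the Flow Specification validation policy discussed in this
thread: the same-AS relaxation, the optional RFC 4271 section 6.3 leftmost-AS
check, and why that check cannot be enforced toward a route-server peer.

Added example for this archive page, not code from the draft authors or from
any BGP implementation.  Route records and AS numbers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOCAL_AS = 65000                      # the validating speaker's AS (constructed)
AS_X, AS_Y, AS_RS = 65001, 65002, 65003


@dataclass
class Route:
    """Minimal BGP route: destination prefix plus AS_PATH as transmitted.

    as_path[0] is the leftmost AS (the neighbouring AS on an ordinary eBGP
    session); as_path[-1] is the origin AS.  An empty list models a route
    originated inside the local AS (the draft's "same autonomous system"
    case), e.g. by a centralized BGP route controller.
    """
    prefix: str
    as_path: List[int] = field(default_factory=list)

    def origin_as(self) -> int:
        return self.as_path[-1] if self.as_path else LOCAL_AS


@dataclass
class Peer:
    asn: int
    # True/False when the operator knows; None when unknown, which the
    # proposed wording says SHOULD NOT lead to enforcement.
    is_route_server: Optional[bool]


def leftmost_as_ok(route: Route, peer: Peer) -> bool:
    """RFC 4271 section 6.3 optional check: leftmost AS equals the peer's AS.

    A route server does not prepend its own AS, so routes relayed by a
    route-server peer legitimately fail this check."""
    return bool(route.as_path) and route.as_path[0] == peer.asn


def enforce_leftmost_check(peer: Peer) -> bool:
    """Enforce only when the peer is known for a fact not to be a route server."""
    return peer.is_route_server is False


def validate_flowspec(fs: Route, best_match: Route, peer: Peer) -> str:
    """Return "valid" or a rejection reason.

    Models only the rules discussed in the thread; the full procedure
    (RFC 5575 and this draft) has further conditions not shown here.
    """
    # Same-AS relaxation introduced by the draft: a Flow Specification
    # originated within the validator's own AS is accepted regardless of
    # which AS originated the best-match unicast route.
    if not fs.as_path:
        return "valid"
    # Optional AS_PATH rule, applied only toward known non-route-server peers.
    if enforce_leftmost_check(peer) and not leftmost_as_ok(fs, peer):
        return "rejected: leftmost AS %d != peer AS %d" % (fs.as_path[0], peer.asn)
    # Original RFC 5575 rule: originator of the Flow Specification must
    # match the originator of the best-match unicast route.
    if fs.origin_as() != best_match.origin_as():
        return "rejected: originator AS %d != unicast originator AS %d" % (
            fs.origin_as(), best_match.origin_as())
    return "valid"


def run_scenarios() -> Dict[str, str]:
    """Constructed scenarios from the Security Considerations discussion."""
    best_match = Route("192.0.2.0/24", [AS_X, AS_Y])     # learned via X, origin Y
    honest = Route("192.0.2.0/24", [AS_X, AS_Y])         # relayed by X, origin Y
    rogue = Route("192.0.2.0/24", [AS_Y])                # X forged a path claiming Y
    same_as = Route("192.0.2.0/24", [])                  # local route controller
    x_known = Peer(AS_X, is_route_server=False)
    x_unknown = Peer(AS_X, is_route_server=None)
    rs = Peer(AS_RS, is_route_server=True)
    return {
        "honest via known peer": validate_flowspec(honest, best_match, x_known),
        "rogue via known peer": validate_flowspec(rogue, best_match, x_known),
        "rogue via unknown peer": validate_flowspec(rogue, best_match, x_unknown),
        "honest via route server": validate_flowspec(honest, best_match, rs),
        "rogue via route server": validate_flowspec(rogue, best_match, rs),
        "same-AS controller": validate_flowspec(same_as, best_match, rs),
        "mismatched originator": validate_flowspec(
            Route("192.0.2.0/24", [AS_X, 65010]), best_match, x_known),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print("%-26s %s" % (name, verdict))
```

Running the scenarios shows the trade-off the thread is about: the rogue route is caught only when the peer is known not to be a route server, it is accepted when the peer's status is unknown or the peer is a route server (the "impossible to prevent" case), and an honest route relayed by a route server would itself fail the leftmost-AS check if the rule were enforced there, which is why the proposed text makes enforcement conditional.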