IETF Logo Mail Archive

[sidr] Gen-ART review of draft-ietf-sidr-bgpsec-threats-06

"Black, David" <david.black@emc.com> Tue, 24 September 2013 00:25 UTC

Return-Path: <david.black@emc.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38FBA21F90AC; Mon, 23 Sep 2013 17:25:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.499
X-Spam-Level:
X-Spam-Status: No, score=-102.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4MWu-7lNaYkL; Mon, 23 Sep 2013 17:25:25 -0700 (PDT)
Received: from mailuogwhop.emc.com (mailuogwhop.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 36EB811E80FA; Mon, 23 Sep 2013 17:25:24 -0700 (PDT)
Received: from maildlpprd05.lss.emc.com (maildlpprd05.lss.emc.com [10.253.24.37]) by mailuogwprd04.lss.emc.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id r8O0PI6W000928 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 23 Sep 2013 20:25:20 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd04.lss.emc.com r8O0PI6W000928
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1379982320; bh=OiAhaeU72NmjliP/IuyfucKu194=; h=From:To:CC:Date:Subject:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=bVDriBQ1CJkq/4IjDl4YHaYV5SnbvH/wfIpRJEjIYf8+RdpknGTtlGwa6Zmmoxsxd fLMl7E35GFmtDwfgX8Z8WtJWFAFS/pUMf/3OeNFeH0n6g9DSkNaewXi8wynXgDQHgP 06/45iTutuKMkvF8cnvFHpbs+c2tIpPreaI4Sjqs=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd04.lss.emc.com r8O0PI6W000928
Received: from mailusrhubprd03.lss.emc.com (mailusrhubprd03.lss.emc.com [10.253.24.21]) by maildlpprd05.lss.emc.com (RSA Interceptor); Mon, 23 Sep 2013 17:25:04 -0700
Received: from mxhub25.corp.emc.com (mxhub25.corp.emc.com [10.254.110.181]) by mailusrhubprd03.lss.emc.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id r8O0P3dS020919 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 23 Sep 2013 20:25:03 -0400
Received: from mx15a.corp.emc.com ([169.254.1.46]) by mxhub25.corp.emc.com ([10.254.110.181]) with mapi; Mon, 23 Sep 2013 20:25:03 -0400
From: "Black, David" <david.black@emc.com>
To: "kent@bbn.com" <kent@bbn.com>, "achi@cs.unc.edu" <achi@cs.unc.edu>, "General Area Review Team (gen-art@ietf.org)" <gen-art@ietf.org>
Date: Mon, 23 Sep 2013 20:25:02 -0400
Thread-Topic: Gen-ART review of draft-ietf-sidr-bgpsec-threats-06
Thread-Index: Ac64vH6VzaO+WomZQWGShOqAdRnxDw==
Message-ID: <8D3D17ACE214DC429325B2B98F3AE712025DBB6FDA@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd03.lss.emc.com
X-EMM-GWVC: 1
X-RSA-Classifications: public
X-EMM-McAfeeVC: 1
Cc: "Black, David" <david.black@emc.com>, "sidr@ietf.org" <sidr@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: [sidr] Gen-ART review of draft-ietf-sidr-bgpsec-threats-06
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 00:25:29 -0000

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
< http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please wait for direction from your document shepherd
or AD before posting a new version of the draft.

Document: draft-ietf-sidr-bgpsec-threats-06
Reviewer: David L. Black
Review Date: September 23, 2012
IETF LC End Date: September 23, 2012

Summary:  This draft is on the right track, but has open issues
described in the review.

This draft describes the threat model for BGP Path Security.  The
draft generally reads well, but does contain quite a bit of serious
security analysis of an important routing protocol and hence requires
both security and routing expertise to fully understand.

Major issue:

This draft contains more than just a threat model.  It also contains
a high level security analysis of the security architecture/approach
that applies the RPKI to secure use of BGP.  That analysis appears to
be good, but it's somehow disconnected from the rest of the sidr WG's
work, by what I hope is simply a terminology problem:
	- This draft refers to the security architecture/approach for
		BGP as PATHSEC.
	- Many of the other sidr WG draft refer to that security as
		BGPsec
In effect, the PATHSEC security architecture/approach appears to be
implicit in this draft.

Something's missing - if those two terms were meant to be the same,
BGPsec should probably be used in this draft, otherwise, the relationship
should be described.  I've tagged this as a major issue, as it makes
text like the following in Section 4.2 rather unclear:

      Stale Path Announcement: If PATHSEC-secured announcements can
      expire, such an announcement may be propagated with PATHSEC data
      that is "expired".  This behavior would violate the PATHSEC goals
      and is considered a type of replay attack.

What is "PATHSEC data"?  What are "the PATHSEC goals"?  The statement
in the abstract that " We use the term PATHSEC to refer to any BGP
path security technology that makes use of the RPKI" doesn't seem to
answer these questions.

Minor Issue:

Section 4.4 seems somewhat loose on caching by RPs, considering the
importance of that caching in countering a number of the attacks described
in that section - in multiple cases, RP detection of an attack relies
upon the RP noticing that something has changed at the publication point
wrt the RP's cached copy in a fashion that should not have happened.

Statements such as "the RPKI calls for RPs to cache" and "RPs are
expected to make use of local caches" strike me as a weak foundation
for the level of security dependence on that caching.  A pointer to a
SHOULD or MUST requirement for caching by RPKI RPs in another document
would alleviate this concern; surely that language exists somewhere.

Nits/editorial comments:

Also in Section 4.4:

   (The RP would be very unhappy if
   there is no CRL for the CA instance anyway.)

Please rewrite to describe how the RP reacts to failure to find a CRL
- the RP surely does something in addition to becoming "very unhappy" ;-).
Some of that may already be in the sentence immediately following the
"very unhappy" text.

idnits 2.12.17 complains about a missing reference:

  == Missing Reference: 'TCPMD5' is mentioned on line 114, but not defined

That citation is embedded in a quote from RFC 4272, nonetheless, [TCPMD5]
should be informatively referenced here - it was RFC 2385, which has been
obsoleted by RFC 5925, which is referenced here.  The fact that RFC 2385
is obsolete will generate a different idnits warning, which is ok to ignore.

Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
david.black@emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------

v2.23.0 | Report a Bug | By Email