[sidr] Fwd: Last Call: <draft-ietf-opsec-bgp-security-05.txt> (BGP operations and security) to Best Current Practice
Sandra Murphy <sandy@tislabs.com> Mon, 08 September 2014 23:15 UTC
Return-Path: <sandy@tislabs.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B181E1A0343 for <sidr@ietfa.amsl.com>; Mon, 8 Sep 2014 16:15:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.553
X-Spam-Level:
X-Spam-Status: No, score=-3.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p7XgK86HbTCo for <sidr@ietfa.amsl.com>; Mon, 8 Sep 2014 16:15:33 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A87391A0292 for <sidr@ietf.org>; Mon, 8 Sep 2014 16:15:33 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id E3EE128B0017 for <sidr@ietf.org>; Mon, 8 Sep 2014 19:15:32 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id DE2BC1F8032; Mon, 8 Sep 2014 19:15:32 -0400 (EDT)
From: Sandra Murphy <sandy@tislabs.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_503525C3-DBAC-493D-B912-9DDBEAAA59C8"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Message-Id: <23C5CDEF-800E-4C27-98A1-CADB4E9ABB27@tislabs.com>
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
Date: Mon, 08 Sep 2014 19:15:32 -0400
References: <C0D0EE70-B7AF-43EB-89B8-3AD440EF9183@juniper.net>
To: sidr wg list <sidr@ietf.org>
X-Mailer: Apple Mail (2.1510)
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/Eik3oMmTZK5jRLvMzDQ23Z3sVqk
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: [sidr] Fwd: Last Call: <draft-ietf-opsec-bgp-security-05.txt> (BGP operations and security) to Best Current Practice
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Sep 2014 23:15:35 -0000
Speaking as regular ol' member: The opsec bgp security draft is in IETF last call. John Scudder made an interesting observation, which looks of interest to this group. --Sandy, regulär ol' member Begin forwarded message: > From: "John G. Scudder" <jgs@juniper.net> > Subject: Re: Last Call: <draft-ietf-opsec-bgp-security-05.txt> (BGP operations and security) to Best Current Practice > Date: September 8, 2014 5:05:53 PM EDT > To: "<draft-ietf-opsec-bgp-security@tools.ietf.org>" <draft-ietf-opsec-bgp-security@tools.ietf.org> > Cc: opsec@ietf.org, ietf <ietf@ietf.org> > > On Sep 8, 2014, at 11:42 AM, The IESG <iesg-secretary@ietf.org> wrote: > >> >> The IESG has received a request from the Operational Security >> Capabilities for IP Network Infrastructure WG (opsec) to consider the >> following document: >> - 'BGP operations and security' >> <draft-ietf-opsec-bgp-security-05.txt> as Best Current Practice >> >> The IESG plans to make a decision in the next few weeks, and solicits >> final comments on this action. Please send substantive comments to the >> ietf@ietf.org mailing lists by 2014-09-22. > ... > > I happened to notice, in S. 6.1.2.4 (SIDR): > > o If an ROA is not found then the prefix SHOULD be accepted but > corresponding route SHOULD be given a low preference. > > The draft isn't precise about what's meant by "ROA is not found", but probably it's the same as NotFound in RFC 7115 and 6811. Assuming that's right, I'm curious what the rationale is for giving not-found routes a low preference? By definition, they don't compete with a route that is in any other state -- NotFound basically means there is no ROA that has anything to say about this prefix at all, so all routes for this prefix will be NotFound. > > The net result is according to the draft's recommendation all routes for the prefix in question will be "accepted but ... given a low preference". The recommendation ends up being mostly harmless, but also not useful. > > (I say only *mostly* harmless since I guess some operator could be confused into thinking they're more secure than they actually are.) > > Sorry for the late comment. > > Regards, > > --John > > P.S.: This shouldn't be construed as a full review of the document, which I haven't done.
- [sidr] Fwd: Last Call: <draft-ietf-opsec-bgp-secu… Sandra Murphy
- Re: [sidr] Fwd: Last Call: <draft-ietf-opsec-bgp-… Randy Bush