Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats-07.txt
Stephen Kent <kent@bbn.com> Thu, 10 October 2013 15:33 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1332811E819F for <sidr@ietfa.amsl.com>; Thu, 10 Oct 2013 08:33:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.341
X-Spam-Level:
X-Spam-Status: No, score=-106.341 tagged_above=-999 required=5 tests=[AWL=0.257, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5aTAvPxj7xJu for <sidr@ietfa.amsl.com>; Thu, 10 Oct 2013 08:33:25 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id AACF521F9C05 for <sidr@ietf.org>; Thu, 10 Oct 2013 08:33:24 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:52061) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1VUIEs-000Ip6-Tf; Thu, 10 Oct 2013 11:33:23 -0400
Message-ID: <5256C8C2.60902@bbn.com>
Date: Thu, 10 Oct 2013 11:33:22 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: "George, Wes" <wesley.george@twcable.com>, sidr <sidr@ietf.org>
References: <20131008204114.28645.53351.idtracker@ietfa.amsl.com> <2671C6CDFBB59E47B64C10B3E0BD5923043C7556E1@PRVPEXVS15.corp.twcable.com> <52557287.8010205@bbn.com> <2671C6CDFBB59E47B64C10B3E0BD5923043C7FED59@PRVPEXVS15.corp.twcable.com>
In-Reply-To: <2671C6CDFBB59E47B64C10B3E0BD5923043C7FED59@PRVPEXVS15.corp.twcable.com>
Content-Type: multipart/alternative; boundary="------------060807030909050103060802"
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats-07.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Oct 2013 15:33:31 -0000
Wes, I had to extract you reply and paste it into Word to read, because the lines you wrote were not properly wrapped by my e-mail reader. As a result, my reply adopts a slightly different format. OK, we agree that LTAM is out of scope for now. Your later comments are included below, along with my responses.: */[WEG] /*I think I was unclear in the way that I raised the concern, and your response (below) helped me see that, so I'll try to clarify. I don't care whether it's a charter/scope issue, and I'm not asking for the summary for that reason. I care about it from the perspective of its relative risk as a threat, and I made reference to the scope/WG/charter/design discussion because I thought that would inform the discussion of the level of risk (i.e. we decided that the risk was not high enough to justify changes to the design to secure additional attributes). I better understand your comment. Your concern appears to be that a reader of this doc will assume that we decided to not consider the security of other path attributes because they are less important than AS_Path. However, by stating that securing these other attributes is deemed out of scope, based on the charter, I think we make it clear that we have _not_ made a value judgement about the relative importance of them. */[WEG] /*I've seen the addition. It's not adequate to address my concern, because the text in section 5 was not changed at all to remove the reference to charter and "changes to this document at a later time" for both route leaks and secondary attributes. I don't see why you believe that references to the charter, augmented by the salient text from the charter, are not appropriate here; that's the reason these topics are not addressed. I also think the note about updating the threat doc, if and when the charter is changed to include these concerns, is appropriate. It tells the reader that these topics may be addressed in the future. */[WEG]/*I'm no connoisseur of threat analyses, so I don't have a large basis of comparison, but I do think that a threats document should not identify a residual threat and then hand-wave it away as "out of scope" instead of explaining the relative risk that it might be exploited. It might even perhaps draw the conclusion that the risk is negligible, but based on your explanation, WG charter and scope shouldn't figure into the discussion.Worse yet, as this section is currently written, it's circular logic: pathsec doesn't protect non-AS_Path attributes, so there's a risk of those attributes being manipulated without pathsec detecting it, but that's ok because pathsec isn't required to protect against those things. Why isn't pathsec required to protect against those things? Because the charter says it isn't. Why does the charter say that? Because...reasons? We fundamentally disagree on this point. A threat doc is always constrained by some set of contextual assumptions. Stating that we are aware of some concerns that are not addressed, and that they may be addressed in the future is a reasonable way to convey to the reader what some of the contextual constraints are. Your characterization of the discussion as "circular reasoning" is faulty. What the text says is that path security is the focus of the WG, and thus is a constraint adopted by this threat analysis, period. >From a threat analysis perspective, either the ability to manipulate unprotected attributes is a threat (a capability for an adversary to carry out an attack) to BGP Path security, or it's not. I believe the fact that you/the WG included it in the discussion means that you/the WG believe that it's a threat. I could infer based on the fact that SIDR chose not to design protections against that exploit that it's a real threat but very low risk, or extremely difficult to exploit, or whatever, but the document doesn't currently say anything about the relative level of risk for the threat being identified. You're right in that the design/requirements decisions that SIDR WG made about whether to address that threat are mostly irrelevant, but the fact that you discuss it in terms of design scope makes that confusing if one is to evaluate this text as purely a threats analysis. It goes back to a recurring issue that has happened with the order of these documents, where we're writing a threats doc and a requirements doc based on an existing design rather than the other around, and are tailoring these documents based on the current design to the exclusion of things deemed out of scope instead of documenting everything and then deciding some of the specific scope items in the requirements/design phase. As noted above, every threat analysis takes place in a context, else it could never be complete. We have a context defined by the WG charter, and I have chosen to use that context to constrain what the analysis covers. We cannot "document everything" any more than a scientist can "gather all the data and they form a hypothesis." Your criticisms about the order of doc preparation suggest a deeper discontent with the WG process. I suggest you talk with the WG chairs and the cognizant AD about that, rather than taking it out in this doc. Steve p.s. in the later parts of your comments you repeatedly use the term "threat" when you mean "attack" or maybe "vulnerability" or ...
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes
- [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats… internet-drafts
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stephen Kent
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stephen Kent
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stephen Kent
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Andrei Robachevsky
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stewart Bryant
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes