IETF Logo Mail Archive

Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs

"Montgomery, Douglas" <dougm@nist.gov> Tue, 13 January 2015 00:10 UTC

Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 661711ACE30 for <sidr@ietfa.amsl.com>; Mon, 12 Jan 2015 16:10:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 26cBB4lKu11B for <sidr@ietfa.amsl.com>; Mon, 12 Jan 2015 16:10:11 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0756.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::756]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70FF91ACE43 for <sidr@ietf.org>; Mon, 12 Jan 2015 16:09:54 -0800 (PST)
Received: from BLUPR09MB0168.namprd09.prod.outlook.com (10.255.216.22) by BLUPR09MB0167.namprd09.prod.outlook.com (10.255.216.21) with Microsoft SMTP Server (TLS) id 15.1.53.17; Tue, 13 Jan 2015 00:09:31 +0000
Received: from BLUPR09MB0168.namprd09.prod.outlook.com ([10.255.216.22]) by BLUPR09MB0168.namprd09.prod.outlook.com ([10.255.216.22]) with mapi id 15.01.0053.000; Tue, 13 Jan 2015 00:09:31 +0000
From: "Montgomery, Douglas" <dougm@nist.gov>
To: Warren Kumari <warren@kumari.net>, "George, Wes" <wesley.george@twcable.com>
Thread-Topic: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs
Thread-Index: AQHPDm3wV14TZ9Ssb0qMVkKeaWUHZ5qUDCIAgAACKoCCKwlOgIAAAhoA
Date: Tue, 13 Jan 2015 00:09:31 +0000
Message-ID: <D0D9CBCB.30139%dougm@nist.gov>
References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> <CF07E61E.AF86%wesley.george@twcable.com> <CAHw9_iL94_h7xyncvsbpxrmNMdH2jLJV5-ir5tdpnVUVidEwnQ@mail.gmail.com> <D0D9C5D9.30107%dougm@nist.gov>
In-Reply-To: <D0D9C5D9.30107%dougm@nist.gov>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.7.141117
x-originating-ip: [129.6.140.29]
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dougm@nist.gov;
x-dmarcaction-test: None
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(3005003);SRVR:BLUPR09MB0167;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:BLUPR09MB0167;
x-forefront-prvs: 045584D28C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(6009001)(24454002)(164054003)(199003)(189002)(41574002)(479174004)(51704005)(377454003)(102836002)(54356999)(87936001)(36756003)(106116001)(106356001)(101416001)(2656002)(2900100001)(2950100001)(77096005)(122556002)(50986999)(76176999)(68736005)(15975445007)(40100003)(64706001)(83506001)(230783001)(93886004)(66066001)(19580395003)(86362001)(19580405001)(99286002)(105586002)(46102003)(97736003)(77156002)(62966003)(92566002)(7059030)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR09MB0167; H:BLUPR09MB0168.namprd09.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
Content-Type: text/plain; charset="utf-8"
Content-ID: <3118BC03F9A7EA4EA6D78665E7DA5D63@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jan 2015 00:09:31.3299 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR09MB0167
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/a44otiZgP2lv63u3hh-E-GdYsIY>
Cc: "draft-ietf-sidr-bgpsec-reqs@tools.ietf.org" <draft-ietf-sidr-bgpsec-reqs@tools.ietf.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jan 2015 00:10:18 -0000

Terribly sorry about that … ignore the post below.

An odd search / view through my mailbox made me think this was a recent
comment.

I was not trying to resurrect the discussion below.

Sorry about that.

dougm
— 
Doug Montgomery, Mgr Internet & Scalable Systems Research @  NIST/ITL/ANTD





On 1/12/15, 7:02 PM, "Montgomery, Douglas" <dougm@nist.gov> wrote:

>I doubt that using such vague / loose terms as “business relationship
>conformance” helps matters.
>
>Actually 3.22 is a bit loose in the use of the word “intended”.
>
>"3.22  A BGPsec design SHOULD NOT presume to know the intent of the
>         originator of a NLRI, nor that of any AS on the AS Path, other
>         than that they intended to pass it to the next AS in the Path.”
>
>
>I highly suspect that the same misconfigurations that can result in route
>leaks today, could result in BGPsec signed route leaks (I.e., not what was
>intended) tomorrow.
>
>
>One might try the following for 3.22 to both fix the above and address
>Wes’s concerns.
>
>3.22 A BGPsec design SHOULD NOT presume to know the intent of the
>originator of a NLRI, nor that of any AS on the AS Path, other
>than that they announced the NLRI explicitly to the next AS in the Path.
>In particular there is no BGPsec requirement that the PATH for a given
>NLRI 
>is consistent with the set of local routing or filtering policies of the
>sender, 
>receiver or any AS along the PATH."
>
>That might kill two birds … or scare the whole flock from the trees.
>dougm
>— 
>Doug Montgomery, Mgr Internet & Scalable Systems Research @  NIST/ITL/ANTD
>
>
>
>
>
>On 1/24/14, 10:04 AM, "Warren Kumari" <warren@kumari.net> wrote:
>
>>On Fri, Jan 24, 2014 at 9:56 AM, George, Wes <wesley.george@twcable.com>
>>wrote:
>>> I’ve reviewed, it’s mostly ready, minor comments:
>>>
>>> I’m not happy with this text in the intro: “issues of business
>>>    relationship conformance, of which routing 'leaks' are a subset,
>>>    while quite important to operators (as are many other things), are
>>>    not security issues per se, and are outside the scope of this
>>>    document.”
>>>
>>
>>Would simply:
>>"issues of business relationship conformance (of which routing 'leaks'
>>are a subset), while important to operators, are outside the scope of
>>this document.”
>>
>>cover things well enough?
>>
>>> Let me be clear up front, my issue is *not* that these are declared out
>>>of
>>> scope, since my comments on the threats document seemed to be
>>>interpreted
>>> otherwise.
>>>
>>> My issue with this text is the reason it provides as to why they’re
>>> considered out of scope. I don’t think that it’s entirely accurate to
>>> assert that route leaks are not security issues. While not all route
>>>leaks
>>> are security issues, some are. It would be more accurate to reflect the
>>> discussion that led us to the conclusion that we can’t secure them
>>>because
>>> we don’t know what “them” is yet, and are awaiting GROW to define them
>>>in
>>> such a way so that we can evaluate if it’s even possible to secure them
>>>in
>>> this framework. That may be a longer discussion that doesn’t belong in
>>>the
>>> intro, I don’t know.
>>>
>>
>>I suspect it is. It somewhat seems like a non-terminating discussion....
>>
>>W
>>> Also I think the parenthetical “as are many other things" is
>>>unnecessary
>>> and clunky.
>>>
>>>
>>> Thanks,
>>>
>>> Wes
>>>
>>>
>>> On 1/10/14, 8:38 PM, "Chris Morrow" <morrowc@ops-netman.net> wrote:
>>>
>>>>
>>>>Working Group Folken,
>>>>Today starts a WGLC for the subject draft:
>>>>  <http://trac.tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs>
>>>>
>>>>Abstract:
>>>>   This document describes requirements for a BGP security protocol
>>>>   design to provide cryptographic assurance that the origin AS had the
>>>>   right to announce the prefix and to provide assurance of the AS Path
>>>>   of the announcement.
>>>>
>>>>Please have a read-through and send comments at the authors +
>>>>sidr@ietf.org mailing list.
>>>>
>>>>This WGLC completes in 1,209,600 seconds, or 20,160 minutes.
>>>>
>>>>Thanks!
>>>>
>>>>-chris
>>>>co-chair
>>>>
>>>>
>>>>_______________________________________________
>>>>sidr mailing list
>>>>sidr@ietf.org
>>>>https://www.ietf.org/mailman/listinfo/sidr
>>>
>>>
>>> This E-mail and any of its attachments may contain Time Warner Cable
>>>proprietary information, which is privileged, confidential, or subject
>>>to copyright belonging to Time Warner Cable. This E-mail is intended
>>>solely for the use of the individual or entity to which it is addressed.
>>>If you are not the intended recipient of this E-mail, you are hereby
>>>notified that any dissemination, distribution, copying, or action taken
>>>in relation to the contents of and attachments to this E-mail is
>>>strictly prohibited and may be unlawful. If you have received this
>>>E-mail in error, please notify the sender immediately and permanently
>>>delete the original and any copy of this E-mail and any printout.
>>> _______________________________________________
>>> sidr mailing list
>>> sidr@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sidr
>>_______________________________________________
>>sidr mailing list
>>sidr@ietf.org
>>https://www.ietf.org/mailman/listinfo/sidr
>

v2.29.0 | Report a Bug | By Email | System Status