IETF Logo Mail Archive

Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats-07.txt

Stewart Bryant <stbryant@cisco.com> Tue, 29 October 2013 17:04 UTC

Return-Path: <stbryant@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D564F21F9DCF for <sidr@ietfa.amsl.com>; Tue, 29 Oct 2013 10:04:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.514
X-Spam-Level:
X-Spam-Status: No, score=-110.514 tagged_above=-999 required=5 tests=[AWL=0.084, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ijUWPofelbYV for <sidr@ietfa.amsl.com>; Tue, 29 Oct 2013 10:04:03 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 8093911E814D for <sidr@ietf.org>; Tue, 29 Oct 2013 09:58:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=103877; q=dns/txt; s=iport; t=1383065931; x=1384275531; h=message-id:date:from:reply-to:mime-version:to:subject: references:in-reply-to; bh=Z8YyUh3mZBArnHJbhz1HuKppoSUT+1oVjxmwMGoYldg=; b=gwOWLpHeIWOrj3f20UxKi+bZ04Jyn9oaS81TRtsajKT9AT/umblmDRpA hJeWJb3ZYRpM6eVke/P5jl5BVMowksxxK0YfazZElPOnK2GLL5CiP9C7U 9u7ge8GqmxHtEyI4U0fefO0dxXqFEtBY5SZhsIZ6g/DkNakYx2y+vy4ii g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjoFAKnob1KQ/khM/2dsb2JhbABPCoJDRDiJRLV6S4ErFnSCJQEBAQQBAQEqQQoRCxgJFgEBDQkDAgECARUwBgEMBgIBAReHbA26G419B4FKhCwDlCqDYJIIgyY
X-IronPort-AV: E=Sophos; i="4.93,594,1378857600"; d="scan'208,217"; a="161165731"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-1.cisco.com with ESMTP; 29 Oct 2013 16:58:33 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r9TGwRs8012728 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 29 Oct 2013 16:58:29 GMT
Received: from [IPv6:::1] (localhost [127.0.0.1]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id r9TGwQ2N017303; Tue, 29 Oct 2013 16:58:26 GMT
Message-ID: <526FE932.9010707@cisco.com>
Date: Tue, 29 Oct 2013 16:58:26 +0000
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>, "George, Wes" <wesley.george@twcable.com>, sidr <sidr@ietf.org>
References: <20131008204114.28645.53351.idtracker@ietfa.amsl.com> <2671C6CDFBB59E47B64C10B3E0BD5923043C7556E1@PRVPEXVS15.corp.twcable.com> <52557287.8010205@bbn.com> <2671C6CDFBB59E47B64C10B3E0BD5923043C7FED59@PRVPEXVS15.corp.twcable.com> <5256C8C2.60902@bbn.com>
In-Reply-To: <5256C8C2.60902@bbn.com>
Content-Type: multipart/alternative; boundary="------------040507060309020706030702"
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats-07.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stbryant@cisco.com
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2013 17:04:16 -0000

Wes

I am happy to talk to you about this at IETF, but I think the
doc addresses the problem that SIDR was chartered to
address.

I acknowledge that there are wider threats, that need to
be addressed, but as Steve says this I-D should not be
a hostage to us putting in place solutions to those problems.

- Stewart

On 10/10/2013 16:33, Stephen Kent wrote:
> Wes,
>
> I had to extract you reply and paste it into Word to read, because the 
> lines you wrote
> were not properly wrapped by my e-mail reader. As a result, my reply 
> adopts a slightly different
> format.
>
> OK, we agree that LTAM is out of scope for now.
>
> Your later comments are included below, along with my responses.:
>
> */[WEG] /*I think I was unclear in the way that I raised the concern, 
> and your response (below) helped me see that, so I'll try to clarify. 
> I don't care whether it's a charter/scope issue, and I'm not asking 
> for the summary for that reason. I care about it from the perspective 
> of its relative risk as a threat, and I made reference to the 
> scope/WG/charter/design discussion because I thought that would inform 
> the discussion of the level of risk (i.e. we decided that the risk was 
> not high enough to justify changes to the design to secure additional 
> attributes).
>
>
> I better understand your comment. Your concern appears to be that a 
> reader of this doc will assume that we decided to not consider the 
> security of other path attributes because they are less important than 
> AS_Path. However, by stating  that securing these other attributes is 
> deemed out of scope, based on the charter,  I think we  make it clear 
> that we have _not_ made a value judgement about the relative 
> importance of them.
>
>
> */[WEG] /*I've seen the addition. It's not adequate to address my 
> concern, because the text in section 5 was not changed at all to 
> remove the reference to charter and "changes to this document at a 
> later time" for both route leaks and secondary attributes.
>
>
> I don't see why you believe that references to the charter, augmented 
> by the salient text from the charter, are not appropriate here; that's 
> the reason these topics are not addressed.  I also think
> the note about updating the threat doc, if and when the charter is 
> changed to include these concerns,
> is appropriate. It tells the reader that these topics may be addressed 
> in the future.
>
>
> */[WEG]/*I'm no connoisseur of threat analyses, so I don't have a 
> large basis of comparison, but I do think that a threats document 
> should not identify a residual threat and then hand-wave it away as 
> "out of scope" instead of explaining the relative risk that it might 
> be exploited. It might even perhaps draw the conclusion that the risk 
> is negligible, but based on your explanation, WG charter and scope 
> shouldn't figure into the discussion.Worse yet, as this section is 
> currently written, it's circular logic: pathsec doesn't protect 
> non-AS_Path attributes, so there's a risk of those attributes being 
> manipulated without pathsec detecting it, but that's ok because 
> pathsec isn't required to protect against those things. Why isn't 
> pathsec required to protect against those things? Because the charter 
> says it isn't. Why does the charter say that? Because...reasons?
>
>
> We fundamentally disagree on this point. A threat doc is always 
> constrained by some set of contextual
> assumptions. Stating that we are aware of some concerns that are not 
> addressed, and that they may be
> addressed in the future is a reasonable way to convey to the reader 
> what some of the contextual
> constraints are. Your characterization of the discussion as "circular 
> reasoning" is faulty. What
> the text says is that path security is the focus of the WG, and thus 
> is a constraint adopted by
> this threat analysis, period.
>
> From a threat analysis perspective, either the ability to manipulate 
> unprotected attributes is a threat (a capability for an adversary to 
> carry out an attack) to BGP Path security, or it's not. I believe the 
> fact that you/the WG included it in the discussion means that you/the 
> WG believe that it's a threat. I could infer based on the fact that 
> SIDR chose not to design protections against that exploit that it's a 
> real threat but very low risk, or extremely difficult to exploit, or 
> whatever, but the document doesn't currently say anything about the 
> relative level of risk for the threat being identified. You're right 
> in that the design/requirements decisions that SIDR WG made about 
> whether to address that threat are mostly irrelevant, but the fact 
> that you discuss it in terms of design scope makes that confusing if 
> one is to evaluate this text as purely a threats analysis. It goes 
> back to a recurring issue that has happened with the order of these 
> documents, where we're writing a threats doc and a requirements doc 
> based on an existing design rather than the other around, and are 
> tailoring these documents based on the current design to the exclusion 
> of things deemed out of scope instead of documenting everything and 
> then deciding some of the specific scope items in the 
> requirements/design phase.
>
>
> As noted above, every threat analysis takes place in a context, else 
> it could never be complete. We have a
> context defined by the WG charter, and I have chosen to use that 
> context to constrain what the analysis covers. We cannot "document 
> everything" any more than a scientist can "gather all the data and 
> they form a hypothesis." Your criticisms about the order of doc 
> preparation suggest a deeper discontent with the
> WG process. I suggest you talk with the WG chairs and the cognizant AD 
> about that, rather than taking
> it out in this doc.
>
> Steve
>
> p.s. in the later parts of your comments you repeatedly use the term 
> "threat" when you mean "attack" or maybe "vulnerability" or ...
>
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr


-- 
For corporate legal information go to:

http://www.cisco.com/web/about/doing_business/legal/cri/index.html

v2.23.0 | Report a Bug | By Email