Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats-07.txt
Stewart Bryant <stbryant@cisco.com> Tue, 29 October 2013 17:04 UTC
Return-Path: <stbryant@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D564F21F9DCF for <sidr@ietfa.amsl.com>; Tue, 29 Oct 2013 10:04:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.514
X-Spam-Level:
X-Spam-Status: No, score=-110.514 tagged_above=-999 required=5 tests=[AWL=0.084, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ijUWPofelbYV for <sidr@ietfa.amsl.com>; Tue, 29 Oct 2013 10:04:03 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 8093911E814D for <sidr@ietf.org>; Tue, 29 Oct 2013 09:58:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=103877; q=dns/txt; s=iport; t=1383065931; x=1384275531; h=message-id:date:from:reply-to:mime-version:to:subject: references:in-reply-to; bh=Z8YyUh3mZBArnHJbhz1HuKppoSUT+1oVjxmwMGoYldg=; b=gwOWLpHeIWOrj3f20UxKi+bZ04Jyn9oaS81TRtsajKT9AT/umblmDRpA hJeWJb3ZYRpM6eVke/P5jl5BVMowksxxK0YfazZElPOnK2GLL5CiP9C7U 9u7ge8GqmxHtEyI4U0fefO0dxXqFEtBY5SZhsIZ6g/DkNakYx2y+vy4ii g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjoFAKnob1KQ/khM/2dsb2JhbABPCoJDRDiJRLV6S4ErFnSCJQEBAQQBAQEqQQoRCxgJFgEBDQkDAgECARUwBgEMBgIBAReHbA26G419B4FKhCwDlCqDYJIIgyY
X-IronPort-AV: E=Sophos; i="4.93,594,1378857600"; d="scan'208,217"; a="161165731"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-1.cisco.com with ESMTP; 29 Oct 2013 16:58:33 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r9TGwRs8012728 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 29 Oct 2013 16:58:29 GMT
Received: from [IPv6:::1] (localhost [127.0.0.1]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id r9TGwQ2N017303; Tue, 29 Oct 2013 16:58:26 GMT
Message-ID: <526FE932.9010707@cisco.com>
Date: Tue, 29 Oct 2013 16:58:26 +0000
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>, "George, Wes" <wesley.george@twcable.com>, sidr <sidr@ietf.org>
References: <20131008204114.28645.53351.idtracker@ietfa.amsl.com> <2671C6CDFBB59E47B64C10B3E0BD5923043C7556E1@PRVPEXVS15.corp.twcable.com> <52557287.8010205@bbn.com> <2671C6CDFBB59E47B64C10B3E0BD5923043C7FED59@PRVPEXVS15.corp.twcable.com> <5256C8C2.60902@bbn.com>
In-Reply-To: <5256C8C2.60902@bbn.com>
Content-Type: multipart/alternative; boundary="------------040507060309020706030702"
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats-07.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stbryant@cisco.com
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2013 17:04:16 -0000
Wes I am happy to talk to you about this at IETF, but I think the doc addresses the problem that SIDR was chartered to address. I acknowledge that there are wider threats, that need to be addressed, but as Steve says this I-D should not be a hostage to us putting in place solutions to those problems. - Stewart On 10/10/2013 16:33, Stephen Kent wrote: > Wes, > > I had to extract you reply and paste it into Word to read, because the > lines you wrote > were not properly wrapped by my e-mail reader. As a result, my reply > adopts a slightly different > format. > > OK, we agree that LTAM is out of scope for now. > > Your later comments are included below, along with my responses.: > > */[WEG] /*I think I was unclear in the way that I raised the concern, > and your response (below) helped me see that, so I'll try to clarify. > I don't care whether it's a charter/scope issue, and I'm not asking > for the summary for that reason. I care about it from the perspective > of its relative risk as a threat, and I made reference to the > scope/WG/charter/design discussion because I thought that would inform > the discussion of the level of risk (i.e. we decided that the risk was > not high enough to justify changes to the design to secure additional > attributes). > > > I better understand your comment. Your concern appears to be that a > reader of this doc will assume that we decided to not consider the > security of other path attributes because they are less important than > AS_Path. However, by stating that securing these other attributes is > deemed out of scope, based on the charter, I think we make it clear > that we have _not_ made a value judgement about the relative > importance of them. > > > */[WEG] /*I've seen the addition. It's not adequate to address my > concern, because the text in section 5 was not changed at all to > remove the reference to charter and "changes to this document at a > later time" for both route leaks and secondary attributes. > > > I don't see why you believe that references to the charter, augmented > by the salient text from the charter, are not appropriate here; that's > the reason these topics are not addressed. I also think > the note about updating the threat doc, if and when the charter is > changed to include these concerns, > is appropriate. It tells the reader that these topics may be addressed > in the future. > > > */[WEG]/*I'm no connoisseur of threat analyses, so I don't have a > large basis of comparison, but I do think that a threats document > should not identify a residual threat and then hand-wave it away as > "out of scope" instead of explaining the relative risk that it might > be exploited. It might even perhaps draw the conclusion that the risk > is negligible, but based on your explanation, WG charter and scope > shouldn't figure into the discussion.Worse yet, as this section is > currently written, it's circular logic: pathsec doesn't protect > non-AS_Path attributes, so there's a risk of those attributes being > manipulated without pathsec detecting it, but that's ok because > pathsec isn't required to protect against those things. Why isn't > pathsec required to protect against those things? Because the charter > says it isn't. Why does the charter say that? Because...reasons? > > > We fundamentally disagree on this point. A threat doc is always > constrained by some set of contextual > assumptions. Stating that we are aware of some concerns that are not > addressed, and that they may be > addressed in the future is a reasonable way to convey to the reader > what some of the contextual > constraints are. Your characterization of the discussion as "circular > reasoning" is faulty. What > the text says is that path security is the focus of the WG, and thus > is a constraint adopted by > this threat analysis, period. > > From a threat analysis perspective, either the ability to manipulate > unprotected attributes is a threat (a capability for an adversary to > carry out an attack) to BGP Path security, or it's not. I believe the > fact that you/the WG included it in the discussion means that you/the > WG believe that it's a threat. I could infer based on the fact that > SIDR chose not to design protections against that exploit that it's a > real threat but very low risk, or extremely difficult to exploit, or > whatever, but the document doesn't currently say anything about the > relative level of risk for the threat being identified. You're right > in that the design/requirements decisions that SIDR WG made about > whether to address that threat are mostly irrelevant, but the fact > that you discuss it in terms of design scope makes that confusing if > one is to evaluate this text as purely a threats analysis. It goes > back to a recurring issue that has happened with the order of these > documents, where we're writing a threats doc and a requirements doc > based on an existing design rather than the other around, and are > tailoring these documents based on the current design to the exclusion > of things deemed out of scope instead of documenting everything and > then deciding some of the specific scope items in the > requirements/design phase. > > > As noted above, every threat analysis takes place in a context, else > it could never be complete. We have a > context defined by the WG charter, and I have chosen to use that > context to constrain what the analysis covers. We cannot "document > everything" any more than a scientist can "gather all the data and > they form a hypothesis." Your criticisms about the order of doc > preparation suggest a deeper discontent with the > WG process. I suggest you talk with the WG chairs and the cognizant AD > about that, rather than taking > it out in this doc. > > Steve > > p.s. in the later parts of your comments you repeatedly use the term > "threat" when you mean "attack" or maybe "vulnerability" or ... > > > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr -- For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes
- [sidr] I-D Action: draft-ietf-sidr-bgpsec-threats… internet-drafts
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stephen Kent
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stephen Kent
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stephen Kent
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Andrei Robachevsky
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… Stewart Bryant
- Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-thr… George, Wes