Re: [tcpm] [mpls] LDP Security

Joe Touch <touch@strayalpha.com> Mon, 13 November 2017 14:10 UTC

To: Ignas Bagdonas <ibagdona.ietf@gmail.com>, Jeff Tantsura <jefftant.ietf@gmail.com>
Cc: "mpls@ietf.org" <mpls@ietf.org>, Eric Rescorla <ekr@rtfm.com>, "tcpm@ietf.org" <tcpm@ietf.org>, "pals-chairs@tools.ietf.org" <pals-chairs@tools.ietf.org>, "<rtg-ads@ietf.org>" <rtg-ads@ietf.org>, "Scharf, Michael (Nokia - DE/Stuttgart)" <michael.scharf@nokia.com>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "pals@ietf.org" <pals@ietf.org>, "<sec-ads@ietf.org>" <sec-ads@ietf.org>
From: Joe Touch <touch@strayalpha.com>
Message-ID: <d62ed7e8-0c82-fe52-a109-10fd01797fda@strayalpha.com>
Date: Mon, 13 Nov 2017 06:10:21 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/tXYFNRyE5k49MHUU0qZFqRf5j44>
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>


On 11/13/2017 1:24 AM, Ignas Bagdonas wrote:
>
> An operator’s view here. Addressing multiple points in a single
> message here.
>
> Yes, the issue is with adoption. It is not being adopted because the
> problem solution does not necessarily address the actual problem.
>
> Taking BGP as an example (and most of this applies to LDP as well) –
> we need to differentiate what security means in BGP context. Is it BGP
> transport security – the confidentiality of BGP messages exchanged
> between the peers (which MD5 or AO can address), or BGP information
> security – whether the peer is authorized to advertise a prefix and
> with what attributes (to which the presence or absence of MD5 and AO
> is orthogonal).
>
I had thought it was widely understood that there are two components to
protecting BGP:

        - TCP-AO - to protect the TCP connections from attack and
          authenticate the endpoint pairs
        - BGPsec - to validate the authenticity of relayed prefix
          advertisements and ensure their legitimacy

Is there a third aspect that isn't included here that you feel is
missing? Or do you feel one of these is inadequate in performing *the
function it is designed for*?

Joe
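The two layers listed above (TCP-AO protecting the transport, BGPsec validating the advertised information) and the point that they are orthogonal can be shown with a small model. This is an added example, not code from the thread or from any TCP-AO or BGPsec implementation: the HMAC over each message stands in for TCP-AO, the ROA-style authorization table stands in for BGPsec origin validation, and all keys, peers, prefixes and AS numbers are constructed; the RFC 5925 and RFC 8205 wire formats are not modelled.

```python
"""Simplified model of transport security vs. information security in BGP.
Added example; keys, peers, prefixes and the ROA-style table are constructed."""
import hashlib
import hmac
import ipaddress

# Constructed per-session keys (the TCP-AO role: who is at the other end?).
SESSION_KEYS = {"peer-A": b"constructed-key-A", "peer-B": b"constructed-key-B"}

# Constructed ROA-style table (the BGPsec role): prefix -> ASNs allowed to originate it.
ROA_TABLE = {
    "192.0.2.0/24": {64496},
    "198.51.100.0/24": {64497},
}

def _payload(prefix: str, origin_as: int) -> bytes:
    return f"{prefix}|{origin_as}".encode()

def sign_update(peer: str, prefix: str, origin_as: int) -> dict:
    """A peer emits an UPDATE-like message carrying a transport MAC (TCP-AO analogue)."""
    mac = hmac.new(SESSION_KEYS[peer], _payload(prefix, origin_as), hashlib.sha256).digest()
    return {"peer": peer, "prefix": prefix, "origin_as": origin_as, "mac": mac}

def transport_ok(msg: dict) -> bool:
    """Layer 1: was the message sent by a peer holding the session key, unmodified?"""
    key = SESSION_KEYS.get(msg["peer"])
    if key is None:
        return False
    expected = hmac.new(key, _payload(msg["prefix"], msg["origin_as"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["mac"])

def origin_authorized(msg: dict) -> bool:
    """Layer 2: is the origin AS authorized for this prefix by a covering entry?
    (maxLength handling is omitted in this model)."""
    net = ipaddress.ip_network(msg["prefix"])
    for roa_prefix, asns in ROA_TABLE.items():
        if net.subnet_of(ipaddress.ip_network(roa_prefix)) and msg["origin_as"] in asns:
            return True
    return False

def evaluate(msg: dict) -> str:
    """Run both checks; a passing transport MAC says nothing about the content."""
    if not transport_ok(msg):
        return "reject: transport authentication failed"
    if not origin_authorized(msg):
        return "reject: authenticated peer, unauthorized origin"
    return "accept"
```

An authenticated peer announcing a prefix it is not authorized for passes the first check and fails the second, which is exactly why MD5 or TCP-AO alone does not address the information-security question.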