New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding Sec-DIR issues (-18 and -19) - For check in -27 #69
Comments
Link to -30 review Comment from Magnus: There is one remaining, probably smaller, issue: The Security Considerations
Also, it isn't clear how BGPsec should be extended - and if it would provide any substantial benefit over the mechanisms described herein
response from Kaliraj:
I think we should change it to ‘existing BGP solutions’. Agree. Response to Magnus from Shepherd (Susan Hares) |
Kaliraj investigationHi Sue, Magnus, It seems there is more to it. Reading the text in sec 6.2.1 of rfc8374, it actually doesn’t answer why It seems to assume that current support is only for SAFI 1: “It was decided that during capability negotiation, the address family The text in 2.2.1 rfc8374 (which discusses Figure 8 in rfc8205), explains why address-family It is possible that when AFI,SAFI were added to the “things to be hashed” in Sec 4.2 Figure 8, Looking at the meta comment in 6.2.1 about non-Internet SAFIs, and my limited understanding, I feel more careful considerations [are] required to extend BGPsec for other SAFIs. We cannot assume that today, it supports all SAFIs for AFI-1 and 2. Stating so in the CT draft would contradict the above rfc8374 text. Same with RPKI-RTR spec. It seems to assume Internet families only today. There is no AFI/SAFI information carried in the PDUs (rfc8210, rfc6810). I also consulted internally with Santosh (copied) who works on RPKI/ROV, and is familiar with BGPsec. Our general feeling is that the BGPsec and ROV protocol mechanisms may need more thought and work if/when applying to non-Internet SAFIs. So we are not very comfortable with specifying it as a “should”. Given the above reasons, I am inclined to put the following text wrt BGPsec in the CT drafts:
Please let me know if I am missing anythihg. And if we should sync up on a zoom call to discuss this. Thanks |
Magnus response to Kaliraj information on BGPsecHi Kaliraj, |
Sue's comment in response to MagnusSue (on 4/25/2024) I am uncomfortable changing the text in draft-ietf-idr-bgp-ct-32. I hope you are OK with this resolution. Based on the research from Kaliraj, I think BGPsec could be extended to include AFI and SAFI in the hash. This change would require new BGPsec code, a revision to BGPsec specification, and a new BGPsec capability. Existing implementations would need a knob to specify the new revision for BGPsec. |
Magnus's response to my Shepherd's statement Sue, my comments are just that, suggestions. Personally I feel that for new functionality, it should be made clear to implementers if existing (and possibly simultaneously introduced) security measures are sufficient to accomplish a secure implementation of the new functionality. A "could" does not, to me, provide that guidance and that's why I, again, personally don't findl the current writing satisfactory, but ultimately Iit is your call. |
Shepherd's note: I've asked the ADs to look at security issues first. |
SEC-DIR Early Review: (on -18)
https://datatracker.ietf.org/doc/review-ietf-idr-bgp-ct-18-secdir-early-nystrom-2023-12-23/
SEC-DIR Early Review: (on -19)
https://mailarchive.ietf.org/arch/msg/secdir/kFzE5B7LSCmtHH1kyoxuC8dF178/
Points recorded in Shepherd's report
1) Why does the definition of "new AFI/SAFI to pass routes" not change any underlying security characteristics?
This should be explained better.
2) Where is it stated in the document - "Mechanisms described in this document follow a "Walled Garden" approach?
This should be explained better.
3) It is stated that BGP origin validation "could" be used to "increase assurance" that information has not been falsified.
Firstly, "could" does not say much to an implementer. Is this intended to be "SHOULD"?
What's the risk of not using origin validation?
And conversely, what assurance is given if BGP origin validation is not used (the "increased assurance" part).
4) It is stated that:
"In order to mitigate the risk of the diversion of traffic from its
intended destination, [the] existing BGPsec solution could be extended, and
supported for this SAFI."
What does "could" mean here?
5) It is also stated that "as long as filtering [and other measures] are
applied diligently, "risk of [traffic diversion] is eliminated".
Is this really the case? That it is entirely eliminated?
6) Not being an expert in this area, I just want to call out the
following items that I ask the authors to ensure that they are covered:
1. Is there anything in here which increases the risk of dDoS attacks?
2. Do the mechanisms and constructs in this document introduce any
new risks related to unintended information disclosure?
3. Do the mechanisms and constructs in this document introduce any
new risks due to spoofing of endpoint identities etc.?
4. Do the mechanisms and constructs in this document introduce any
new risks due to modification of information exchanged, e.g., between AS
endpoints?
The text was updated successfully, but these errors were encountered: