Last Call Review of draft-ietf-grow-blackholing-00
review-ietf-grow-blackholing-00-secdir-lc-hoffman-2016-06-30-00

This draft, "BLACKHOLE BGP Community for Blackholing", describes a new 


optional BGP community with the specific semantics of "please blackhole 


this traffic for me". The idea is to have a single common community 


instead of all the ad hoc communities that ISPs have created for this 


semantic.






The beginning of the security considerations section is daunting in that 


it says, in essence, "BGP has no authentication, so injecting dangerous 


messages is trivial; thus this new dangerous community is not a 


problem". It then goes on to say "and this new community can be used as 


a DoS by your downstream peers because they can tell you lies, but you 


were already susceptible to those lies". And then "and this can be used 


for CPU exhaustion against you if you're not careful" without saying how 


to be careful.






There are currently two active threads on ietf@ about security 


implications of this draft. There are questions about whether this draft 


lacks enough specificity to prevent CPU exhaustion attacks even from 


well-meaning peers, whether it should be standards track given that it 


is underspecified, whether it should suggest that IXPs should implement 


it, and other questions seem to be coming up.






I think that this document *might* be OK as an Informational RFC if 


there is more discussion about how to prevent a CPU exhaustion attack 


for recipients and more MUSTs instead of SHOULDs for what other 


communities need to be applied to these messages.




--Paul Hoffman