Early Review of draft-ietf-idr-bgp-ct-18
review-ietf-idr-bgp-ct-18-secdir-early-nystrom-2023-12-23-00
review-ietf-idr-bgp-ct-18-secdir-early-nystrom-2023-12-23-00
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other comments.
This document presents BGP constructs that may be used to implement certain
types of network segmentation.
1. The Security Considerations section start off by stating:
This document defines a new BGP SAFI for AFIs 1 and 2 and therefore
does not change the underlying security issues inherent in the
existing BGP protocol
It isn't clear to this reader why the definition and introduction of a
new element "therefore" doesn't change any underlying security
characteristics. This should be explained better.
2. The Security Considerations section also states:
Mechanisms described in this document follow a "Walled Garden"
approach
Perhaps this is due to me not being an expert in this area and therefore
missing it, but where in the document is it expressed that these mechanisms
only apply to Walled Garden situations?
3. It is stated that BGP origin validation "could" be used to "increase
assurance" that information has not been falsified. Firstly, "could" does
not say much to an implementer. Is this intended to be "SHOULD"? What's the
risk of not using origin validation? And conversely, what assurance is
given if BGP origin validation is not used (the "increased assurance" part).
4. It is stated:
In order to mitigate the risk of the diversion of traffic from its
intended destination, existing BGPsec solution could be extended and
supported for this SAFI
Again,"could" is not part of RFC 2119, so not sure what is intended here.
5. It is also stated that "as long as filtering [and other measures] are
applied diligently, "risk of [traffic diversion] is eliminated" - is this
really the case? That it is entirely eliminated?
6. Not being an expert in this area, I just want to call out the
following items that I ask the authors to ensure that they are covered:
1. Is there anything in here which increases the risk of dDoS attacks?
2. Do the mechanisms and constructs in this document introduce any
new risks related to unintended information disclosure?
3. Do the mechanisms and constructs in this document introduce any
new risks due to spoofing of endpoint identities etc.?
4. Do the mechanisms and constructs in this document introduce any
new risks due to modification of information exchanged, e.g., between AS
endpoints?
Editorial: Generally the document is in need of language clean-up, it uses
needless commas, etc. Three examples below just from the abstract:
- The first sentence is very long and hard to follow. I suggest changing
to:
This document specifies a mechanism referred to as "Intent Driven
Service Mapping." The mechanism uses BGP to express intent-based association
of overlay routes with underlay routes that have specific Traffic
Engineering (TE) characteristics satisfying a certain Service
Level Agreement (SLA)."
- .Likewise, I suggest changing the next sentence to (since a document
in itself doesn't achieve anything):
This is achieved by ...
- I also suggest starting the second paragraph
Additionally, this document specifies ...
Thanks,
--
-- Magnus