Re: [Last-Call] Secdir last call review of draft-ietf-bess-bgp-sdwan-usage-19

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Stephen,
 
Thank you very much for the comments.
Please see the resolution below.
 
Linda
 
-----Original Message-----
From: Stephen Farrell via Datatracker <noreply@xxxxxxxx>
Sent: Friday, February 2, 2024 8:03 AM
To: secdir@xxxxxxxx
Cc: bess@xxxxxxxx; draft-ietf-bess-bgp-sdwan-usage.all@xxxxxxxx; last-call@xxxxxxxx
Subject: Secdir last call review of draft-ietf-bess-bgp-sdwan-usage-19
 
Reviewer: Stephen Farrell
Review result: Has Issues
 
I looked at the diff from -15 to -19.
 
I think the main security issue of depending on BGP over TLS remains - that seems almost fictional (is it?), whereas the shepherd write-up says: "...this draft is simply describing the usage of existing technologies standardised within bess to SD-WAN." I see Roman's existing discuss already covers this.
 
I note that https://nam11.safelinks.protection.outlook.com/?url=""> was posted since I did the review of -15 of this draft, but that seems to be a fairly brief -00 individual submission. Presumably that work would have to have progressed significantly before this draft could reflect reality.
 
As this draft is aiming to become an informational RFC, I guess one could rewrite the sections mentioning TLS to say that BGP/TLS is needed for this to be secure, is not available today, but is something that is being developed (e.g. referring to draft-wirtgen-bgp-tls). However, doing that before adoption of a work item for BGP/TLS by some routing WG might well be considered premature and overly optimistic?
 
[Linda] Thank you very much for the suggestion. This draft operates under the assumption that a secure channel exists between the SD-WAN controller and the SD-WAN edges. In the context of extending an VPN network to the SD-WAN scenario, this secure channel can leverage the operator's primary management channel designed for VPN control. Consequently, there is no strict requirement for BGP over TLS. As a result, we can remove all references to TLS from the document.
 
In the "Security Considerations", is it beneficial to add a discussion of the security issue of using BGP over TLS?
 
Linda
 
 
 
 
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux