Hi Linda, ...snipping... On 06/02/2024 18:11, Linda Dunbar wrote:
[Linda] Thank you very much for the suggestion. This draft operates under the assumption that a secure channel exists between the SD-WAN controller and the SD-WAN edges.
Right. The challenge you seem to face though is the lack of any real/deployed BGP transporting protocol that meets the security goals for this draft.
[Linda] In the context of extending a VPN network to the SD-WAN scenario, this secure channel can leverage the operator's primary management channel designed for VPN control. Consequently, there is no strict requirement for BGP over TLS. As a result, we can remove all references to TLS from the document.
I reckon that'd end up being a quite different proposition, from the secdir-review POV at least, so not sure if that's a good/bad plan - probably best to consult with the relevant WG chairs/ADs before doing that.
[Linda] In the "Security Considerations", is it beneficial to add a discussion of the security issue of using BGP over TLS?
I don't think it's that much of a security issue (if BGP/TLS were a realistic deployment option, you'd be ok), so I think what you'd end up adding might be a discussion of why you need a way to run BGP over some secure transport, and the impact of that not being something that exists today or in the near future. It's hard to see that not turning out to have a fairly severe impact.

Cheers,
S.
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call