Hiya,

On 15/02/2024 17:54, Linda Dunbar wrote:
> Stephen, BGP/TLS has been deployed (see the attached email from Robert Razuk on using BGP over TLS in Sproute's SDWAN solution for years) even though there is only a 00 draft for BGP over TLS in IETF.

That's good news. Be even better if it could be done in an interoperable fashion, and/or had been written up so that others could benefit from whatever experience has been accumulated.

> The document states that analysis of BGP over TLS is beyond the scope.

Well, it seems to both say that and to depend on BGP/TLS for security.

> Is the following sentence better? While beyond the scope of this document, conducting a comprehensive analysis might be needed to ensure the security of BGP over TLS [BGP-OVER-TLS]

Seems the same to me, i.e. saying BGP/TLS is "not our job" but also "needed for security" so I don't think that wording does the job. That said, you're probably better off discussing this with some AD if they ballot DISCUSS - while you and I could end up with some words we like, you'd only risk having to re-do that to get something an AD liked even better;-) So given this is on a telechat soon, I'd say better you wait for the ballots there to see what's needed.

Cheers,
S.

> Thank you,
> Linda
>
> -----Original Message-----
> From: Stephen Farrell via Datatracker <noreply@xxxxxxxx>
> Sent: Thursday, February 15, 2024 10:30 AM
> To: secdir@xxxxxxxx
> Cc: bess@xxxxxxxx; draft-ietf-bess-bgp-sdwan-usage.all@xxxxxxxx; last-call@xxxxxxxx
> Subject: Secdir telechat review of draft-ietf-bess-bgp-sdwan-usage-20
>
> Reviewer: Stephen Farrell
> Review result: Has Issues
>
> Draft-20 seems to dial-back the call for BGP/TLS, but OTOH adds text in the security considerations saying that BGP/TLS "is imperative." I'm not sure of the security pitfalls that might arise if one followed the guidance here whilst BGP/TLS is still just a non-wg -00 draft (and hence aspirational), but it seems to me like a possibly dangerous implement.
Attachment:
OpenPGP_0xE4D8E9F997A833DD.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call