Hi John, Thanks for the reply. TL;DR: I'm all fine. Some discussion inline below. > From: John G. Scudder [mailto:jgs@xxxxxxxxxxx] > Sent: Tuesday, April 17, 2018 9:07 PM > > Hi Bruno, > > Thanks for the further review. Some discussion in line below. > > > On Apr 13, 2018, at 6:12 AM, Bruno Decraene <bruno.decraene@xxxxxxxxxx> wrote: > > > > Reviewer: Bruno Decraene > > Review result: Ready > > > > Hello, > > > > I have been selected as the Routing Directorate reviewer for this draft. The > > Routing Directorate seeks to review all routing or routing-related drafts as > > they pass through IETF last call and IESG review, and sometimes on special > > request. The purpose of the review is to provide assistance to the Routing ADs. > > For more information about the Routing Directorate, please see > > https://urldefense.proofpoint.com/v2/url?u=http- > 3A__trac.tools.ietf.org_area_rtg_trac_wiki_RtgDir&d=DwIDaQ&c=HAkYuh63rsuhr6Scbfh0UjBXe > MK- > ndb3voDTXcWzoCI&r=hLt5iDJpw7ukqICc0hoT7A&m=gDChh7wheTA_cW1uNH2O1ZzaT4Ni4sju > 5OjDqAYKXII&s=CoXU6i3CuhDJ37j7puwilN_1e9W2p0HoSzX-veANZ2w&e= > > > > Although these comments are primarily for the use of the Routing ADs, it would > > be helpful if you could consider them along with any other IETF Last Call > > comments that you receive, and strive to resolve them through discussion or by > > updating the draft. > > > > Document: draft-ietf-idr-bgp-gr-notification-15 > > Reviewer: Bruno Decraene > > Review Date: 2018-04-13 > > IETF LC End Date: 2018-04-24 > > Intended Status: Standards Track > > > > ===== > > Summary: No issues found. This document is ready for publication. > > > > ===== > > Comments: > > > > The document is very clear. I have particularly appreciated the high level > > summary of the document in the introduction section. Thanks to the authors. The > > security consideration section adequately consider the security impacts of this > > specification. I had already reviewed the document twice (WGLC, AD review) > > hence I really needed to push in order to find some comments. In this > > nitpicking context, any comment is really up to the authors. > > > > ===== > > Major Issues: No major issues found. > > > > ===== > > Minor Issues: > > > > I would not call these "minor issue", but it's beyond editorial so do not > > qualify as "Nits". Please find below 2 comments, on the nitpicking far side. > > > > "If the "N" bit has not been exchanged with the peer, then to > > deal with possible consecutive restarts, a route (from the peer) > > previously marked as stale MUST be deleted." > > [...] > > "To put an upper bound on the amount of time a router retains the > > stale routes, an implementation MUST support a (configurable) > > timer, called the "stale timer", that imposes this upper bound." > > > > In order to fully respect the semantic, in case of consecutive restarts (with > > partial route readvertisement), it seems that the stale timer would need to be > > on a per route basis. I don't think that this is the intention of the authors > > (nor that this is desirable). Altough this is a local consideration, hence not > > affecting the peer, the "MUST" make this statement strong. Eventually, a text > > could be added saying that the timer only needs to be on a per session basis. > > e.g., :s/this upper bound/this upper bound on a per session basis. > > I'll give this some thought, thanks. > > > ---- "This > > specification doesn't change the basic security model inherent > > in [RFC4724], with the exception that the protection against repeated > > resets is relaxed. To mitigate the consequent risk that an attacker > > could use repeated session resets to prevent stale routes from ever > > being deleted, we make the stale routes timer mandatory (in practice > > it is already ubiquitous)." > > > > FYI, I'm not completely sure to see why this document change (i.e. negatively > > impacts) the security in case of repeated NOTIFICATION as I would assume that > > if an attacker could sends such NOTIFICATION, it could already advertise the > > routes that it wished were never deleted. > > Well, an attacker might cause a session reset without the ability to insert data into the TCP stream I > guess, e.g. with a RST attack. You are correct that there are other mitigations against such attacks, > of course. You are right. I had missed that. > > Also this risk would be covered via > > an adequate protection against illegitimate messages (e.g. crypto checksum, > > GTSM for EBGP) However I do see an increased risk with regards to Hold Time > > expiration which remains an attack vector even with the use of a crypto > > checksum protection, by simply filtering some BGP packets. Especially in > > deployments when the BGP session crosses a long distance or multiple links and > > nodes (e.g. IBGP, layer 2 network within an IXP cf RFC 8327). May be I would > > propose to raise this point or slightly rephrase on the Hold Time expiration > > side, rater than the NOTIFICATION side. > > If I understand you correctly, your point is that (a) an attacker can cause a holdtime expiration by > filtering BGP traffic and (b) this technique provides some mitigation of that by additionally retaining > the routes for the restart time? I'm a little hesitant to claim this as a real security benefit because for > an attacker to be in position to filter BGP traffic, they presumably would also be in a position to filter > user traffic. Furthermore, if they can do it for the duration of the holdtime they can probably also do > it for the duration of the holdtime plus the restart time. In sync on "a)" Regarding "b)" I actually meant the opposite: as indicated in the security section, draft-ietf-idr-bgp-gr-notification does introduce a new security consideration by adding the possibility to keep BGP routes. Plus "usual" security measures at the TCP/BGP session level does not mitigate. But coming back to the document, the existing "security considerations" looks good to me. Sorry about my comment. (I guess that by "repeated reset" I read "active reset" (notification) and felt that "passive reset" (hold time expiration) was not raised) I also agree with your above text. Yet, there may be other attack vectors. e.g. an attacker could also triggers an hold time expiration remotely by (D)DOSing the (BGP) control plane of the router. There may be local protection but I've also seen some local protection finally dropping legitimate control traffic, in an effort to protect the control plane CPU. But in this regards, I'm clearly experiencing the survivorship bias as I tend to only see the very few problems that have not been catched by implementations. > But security sections are an exercise in speculative thinking. Yes, for the good ones. > > > > ===== > > Nits: > > > > §1.1 > > RFC 2119 has been updated by RFC 8174. > > OLD: > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > > "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this > > document are to be interpreted as described in RFC 2119 [RFC2119]. > > > > NEW: > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL > > NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", > > "MAY", and "OPTIONAL" in this document are to be interpreted as > > described in BCP 14 [RFC2119] [RFC8174] when, and only when, they > > appear in all capitals, as shown here. > > > > > > + New ref to RFC8174 > > Thanks! > > > ---- > > §2 > > "("N") is defined as the BGP Graceful Notification bit" > > [...] > > "its Graceful NOTIFICATION bit set (value 1)" > > > > Nitpicking, naming is not consistent. > > OK. > > > --- > > " This also implies support for the format for a BGP NOTIFICATION Cease message > > defined in [RFC4486]." > > > > I'm not completely sure to see what this sentence is exactly saying. I feel > > that the sentence would benefit from beeing more specific. e.g. NEW: This also > > implies support for the new "Hard Reset" subcode of the BGP NOTIFICATION Cease > > message, its new behavior and new encoding of the Data field. > > I think the point of that sentence is that RFC 4271 doesn't talk about subcodes for Cease, and now > we are defining a new subcode, so in principle we need support for both 4271 and 4486 (which > does define subcodes). That said, the sentence doesn't really add much and perhaps it's perfectly > obvious, so even deleting it might be fine. I'll think about it. Thanks for the clarification. FWIW, I don't believe that the sentence is needed. I would personally argue that RFC 4271 defines the subcode field, and the subcode 0, for all BGP NOTIFICATIONS, including Cease. https://tools.ietf.org/html/rfc4271#section-4.5 while RFC 4486 simply defines additional subcodes. Thanks, Regards, --Bruno > > > ---- §8 "the > > reference this document and [RFC4724]" > > > > OLD: > > +--------------+------------------+------------+-----------+ > > | Bit Position | Name | Short Name | Reference | > > +--------------+------------------+------------+-----------+ > > | 0 | Forwarding State | F | [RFC4724] | > > | 1-7 | unassigned | | | > > +--------------+------------------+------------+-----------+ > > > > NEW: > > +--------------+------------------+------------+---------------+ > > | Bit Position | Name | Short Name | Reference | > > +--------------+------------------+------------+---------------+ > > | 0 | Forwarding State | F | [RFC4724] | > > | 1-7 | unassigned | | This document | > > +--------------+------------------+------------+---------------+ > > Right, thanks. > > --John _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.