Moin,

> When comparing this version with original version 00 - quite a lot of
> text got removed and I wonder what's left to "action on" ?!
>
> Unless, reading this draft also means going in the WG archive and
> reading everything from v00 up to here that led to 4 pages only?
>
> Comparing ver00 to last version - what happened ?!
> https://author-tools.ietf.org/iddiff?url1=draft-ietf-grow-bgpopsecupd-00&url2=draft-ietf-grow-bgpopsecupd-08&difftype=--html

See slide three from today's presentation. Split out individual eggs from the current draft basket:

✓ Keep the core of the document that focuses on timeless truth about BGP security (purpose/goals/high-level), which can replace BCP194 as a BCP
✓ An informational document listing 'the basket of eggs' that is there in terms of what can be done to secure BGP
✓ An informational document reporting terminology 'as used in drafts around the time of writing'

The removed text got moved into draft-ietf-grow-routing-ops-sec-inform.

> *Questions*:
> 1- For session protection, there is no mention of MD5 (RFC 2385),
> TCP-AO (RFC 5925), BGP TTL Security Mechanism (RFC 5082/GTSM) or
> IPsec/TLS for multi-hop.
> --> Operators still rely on these to defeat spoofing and reset attacks.

Yes, because the technology specifics were moved to draft-ietf-grow-routing-ops-sec-inform.

> 2- No advice on route-flap damping, RTBH/F-RTBH, flowspec, or
> telemetry hooks.
> --> Security without observability feels incomplete.

Those are partially discussed in draft-ietf-grow-routing-ops-sec-inform, and partially things that should be added in the next revision.

> *Just a suggestion here:*
> Add bullets: "Use TCP-AO (RFC 5925) or at least TCP-MD5 (RFC 2385)
> where supported"; "For single-hop EBGP sessions deploy GTSM (RFC 5082)";
> "Protect multi-hop sessions with IPsec or TLS + BGP-over-TCP/QUIC when
> feasible."
> --> Restores actionable guidance dropped from RFC 7454 while keeping
> it technology-agnostic could help?

The above text is not technology agnostic, though. It would, for example, mean removing the reference to TCP-MD5, should that become explicitly deprecated in another document.

With best regards,
Tobias
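As an added illustration of the session-protection bullets quoted in this thread (this is neither text from the draft, nor from the thread, nor from the FRR project), here is an FRR-style bgpd configuration for one single-hop EBGP session that applies GTSM (RFC 5082) and TCP-MD5 (RFC 2385). The addresses, AS numbers and password are constructed placeholders (documentation prefixes and ASNs), and whether TCP-AO is available at all is platform-dependent, which is why only TCP-MD5 is shown.

```text
! Added example: single-hop EBGP session hardened with GTSM and TCP-MD5.
! 192.0.2.0/24 and AS 64496/64497 are documentation values (constructed).
router bgp 64496
 neighbor 192.0.2.2 remote-as 64497
 neighbor 192.0.2.2 description upstream-A (constructed placeholder)
 ! GTSM, single hop: send TTL 255 and accept only packets that still
 ! arrive with TTL 255, so anything originated more than one hop away
 ! is dropped before it can reach the BGP session.
 neighbor 192.0.2.2 ttl-security hops 1
 ! TCP-MD5 segment authentication; REPLACE-ME is a placeholder, the real
 ! key must be agreed out of band with the peer.
 neighbor 192.0.2.2 password REPLACE-ME
 address-family ipv4 unicast
  neighbor 192.0.2.2 activate
 exit-address-family
```

Two practical points when reading this: `ttl-security` and `ebgp-multihop` describe contradictory expectations about the peer's distance, so a session configured with both is a misconfiguration rather than "defence in depth"; and both knobs only protect the transport session, so they complement rather than replace the prefix-filtering and origin-validation measures the thread says were moved to draft-ietf-grow-routing-ops-sec-inform.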
