BGP Session Security Requirements
draft-behringer-bgp-session-sec-req-01.txt
69th IETF, 24 July 2007
Michael Behringer

History
• Mail from Russ White, 6 Jan 2007, “Charter”
  • “P-2-P security requirements for BGP: This was to provide some cover and thinking on the various TCP auth mechanisms to replace MD5 that are currently being considered. We need, I believe, a volunteer to author/edit this, and get it moving.”
• Draft -00 submitted 23 Feb 2007
  • But: RPsec didn’t meet in Prague
• Draft -01 submitted 1 May 2007
  • Incorporating most feedback received so far, but not all (sorry, working on it).

Scope
• Describe BGP peer related security requirements
  • (Traditional feature: MD5 Auth)
• Very generic
  • Forget current features
  • What are the fundamental requirements?

Identified Requirements
3.1. BGP Speaker Identity
3.2. Peer Authentication
3.3. Integrity
3.4. Confidentiality
3.5. Anti-Replay
3.6. Availability and Restricting IP Reachability
3.7. Key Management and Operational Considerations
3.8. Logging and Alerting

Req 1: BGP Speaker Identity
• Currently: IP address(es)
• Requirements:
  • may have several IDs per BGP speaker
  • unique for context:
    • eBGP: Unique per peer
    • iBGP: Unique within the AS
  • May be other than IP address, e.g.:
    • HIP ID
    • 4 byte integer (draft-ietf-idr-bgp-identifier-08)
    • key pair

Req 2: Peer Authentication
• Currently: RFC 2385 (MD5)
• Requirements:
  • SHOULD be supported
  • SHOULD be lightweight
• Various possibilities:
  • draft-bonica-tcp-auth
  • SSL
  • IPsec
  • SSH
  • …
How to define this?

Req 3: Integrity
• Currently: RFC 2385 (MD5)
• Requirements:
  • MUST support integrity mechanism
  • SHOULD support various algorithms
• To Do:
  • Need to spell out more precisely how integrity is achieved (protocol mechanisms)
Should this be a MUST?

Req 4: Confidentiality
• Currently: Not supported as part of BGP; may be added separately (e.g. IPsec)
• Requirements:
  • MAY support crypto
  • *if* crypto is supported, then it SHOULD support several algorithms
Should this be a MUST?

Req 5: Anti-Replay
• Currently: Implicitly by RFC 2385 (MD5)
• Requirement:
  • MUST support anti-replay

Req 6: Availability and Restricting IP Reachability
• Currently: Implementation specific
• Requirements:
  • Filter as precisely as possible, to avoid BGP packets from non-peers.
    • ACLs on L2/3/4
    • Efficient packet dropping
  • GTSM
  • Fragments SHOULD be dropped
Need to add: “must be before crypto”
Only on single hop, or also multi-hop peerings?

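The Req 6 checks (peer ACL, GTSM, fragment drop) read only header fields, so they can run before any cryptographic verification. The sketch below is an added example, not part of the draft or the slides; the peer table, the addresses and the convention of counting routers between the peers are assumptions of this example.

```python
import ipaddress
import struct

BGP_PORT = 179
GTSM_SEND_TTL = 255  # GTSM senders transmit with TTL 255


def prefilter(packet, peers):
    """Header-only checks; returns "accept" or a drop reason.

    peers maps a peer's source address to the number of routers between us
    and that peer (0 = directly connected); a convention of this example.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop:not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        return "drop:truncated"
    frag_field, ttl, proto = struct.unpack("!HBB", packet[6:10])
    src = str(ipaddress.IPv4Address(packet[12:16]))
    if proto != 6:
        return "drop:not-tcp"
    if src not in peers:  # L3 ACL: only configured peers
        return "drop:non-peer"
    if frag_field & 0x3FFF:  # MF flag set or non-zero fragment offset
        return "drop:fragment"
    if ttl < GTSM_SEND_TTL - peers[src]:  # each router on the path costs 1
        return "drop:gtsm-ttl"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if BGP_PORT not in (sport, dport):  # L4 ACL
        return "drop:not-bgp-port"
    return "accept"


def sample_packet(src, ttl, sport=40000, dport=BGP_PORT, frag_field=0):
    """Constructed IPv4 header plus TCP ports (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, frag_field, ttl,
                         6, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address("192.0.2.1").packed)
    return header + struct.pack("!HH", sport, dport)


PEERS = {"192.0.2.2": 0, "198.51.100.7": 2}  # constructed peer table

if __name__ == "__main__":
    for src, ttl, frag in [("192.0.2.2", 255, 0), ("192.0.2.2", 254, 0),
                           ("198.51.100.7", 253, 0), ("203.0.113.9", 255, 0),
                           ("192.0.2.2", 255, 0x2000)]:
        pkt = sample_packet(src, ttl, frag_field=frag)
        print(src, ttl, hex(frag), prefilter(pkt, PEERS))
```
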
Req 7: Key Management and Operational Considerations
• Currently: Statically defined pre-shared keys
• Requirements:
  • automated key negotiation, based on BGP speaker ID (SHOULD)
  • Maybe: Key lists with lifetimes
  • SHOULD be easy to configure
  • SHOULD NOT require regular changes (like static keys)
However, what does this mean?

Req 8: Logging and Alerting
• Currently: Syslog, SNMP traps
• Requirements:
  • MUST produce alerts
  • General logging considerations apply:
    • message summarisation
    • rate limiting
  • SHOULD use secure syslog for this purpose

Questions
• Does the document add value?
• What is missing / wrong / to be improved?
• WG doc?