This draft outlines pivotal security requirements for BGP sessions, delving into topics like speaker identity, peer authentication, integrity, confidentiality, anti-replay, availability, key management, logging, and alerting. It discusses the evolution of security mechanisms from MD5 to potential replacements. The document calls for improved clarity on achieving integrity, the potential addition of confidentiality measures, and the necessity of anti-replay support. It also addresses availability concerns, emphasizing precise filtering to ensure BGP packet security. The importance of automated key negotiation and efficient logging for alert generation is stressed. This comprehensive analysis aims to enhance BGP session security across various network scenarios.
BGP Session Security Requirements
draft-behringer-bgp-session-sec-req-01.txt
69th IETF, 24 July 2007
Michael Behringer

History
• Mail from Russ White, 6 Jan 2007, “Charter”
• “P-2-P security requirements for BGP: This was to provide some cover and thinking on the various TCP auth mechanisms to replace MD5 that are currently being considered. We need, I believe, a volunteer to author/edit this, and get it moving.”
• Draft -00 submitted 23 Feb 2007
• But: RPsec didn’t meet in Prague
• Draft -01 submitted 1 May 2007
• Incorporating most feedback received so far, but not all (sorry – working on it).

Scope
• Describe BGP peer related security requirements
• (Traditional feature: MD5 Auth)
• Very generic
• Forget current features
• What are the fundamental requirements?

Identified Requirements
3.1. BGP Speaker Identity
3.2. Peer Authentication
3.3. Integrity
3.4. Confidentiality
3.5. Anti-Replay
3.6. Availability and Restricting IP Reachability
3.7. Key Management and Operational Considerations
3.8. Logging and Alerting

Req 1: BGP Speaker Identity
• Currently: IP address(es)
• Requirements:
  • may have several IDs per BGP speaker
  • unique for context:
    • eBGP: Unique per peer
    • iBGP: Unique within the AS
  • May be other than IP address, eg:
    • HIP ID
    • 4 byte integer (draft-ietf-idr-bgp-identifier-08)
    • key pair

Req 2: Peer Authentication
• Currently: RFC 2385 (MD5)
• Requirements:
  • SHOULD be supported
  • SHOULD be light weight
• Various possibilities:
  • draft-bonica-tcp-auth
  • SSL
  • IPsec
  • SSH
  • … how to define this?

Req 3: Integrity
• Currently: RFC 2385 (MD5)
• Requirements:
  • MUST support integrity mechanism
  • SHOULD support various algorithms
• To Do:
  • Need to spell out more precisely how integrity is achieved (protocol mechanisms)
should this be a MUST?

Req 4: Confidentiality
• Currently: Not supported as part of BGP; may be added separately (eg IPsec)
• Requirements:
  • MAY support crypto
  • *if* crypto is supported, then it SHOULD support several algorithms
should this be a MUST?

Req 5: Anti-Replay
• Currently: Implicitly by RFC 2385 (MD5)
• Requirement:
  • MUST support anti-replay
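
The slides name RFC 2385 as the current mechanism for both integrity (Req 3) and anti-replay (Req 5). The Python below is an added example, not part of the draft or the slides: it computes the RFC 2385 digest and shows that it covers the segment data and the TCP sequence number. The addresses, ports, key and the 20-byte padded option length are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT_LEN = 20  # assumption: 18-byte MD5 option (kind 19) padded to 20 bytes

def fixed_header(sport, dport, seq, ack, flags, window):
    """Fixed 20-byte TCP header as sent; checksum and urgent pointer left zero."""
    data_offset = (20 + MD5_OPT_LEN) // 4          # header length in 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_offset << 12) | flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, header, payload, key):
    """RFC 2385 input order: pseudo-header, header without options, data, key."""
    seg_len = len(header) + MD5_OPT_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    header = header[:16] + b"\x00\x00" + header[18:]  # checksum counted as zero
    return hashlib.md5(pseudo + header + payload + key).digest()

def verify(src_ip, dst_ip, header, payload, key, received):
    """Receiver side: recompute the digest and compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(expected, received)

def demo():
    # Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
    # between two documentation addresses, with a made-up key.
    src, dst, key = "192.0.2.1", "192.0.2.2", b"constructed-sample-key"
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    hdr = fixed_header(49152, 179, seq=1000, ack=2000, flags=0x18, window=16384)
    digest = tcp_md5_digest(src, dst, hdr, keepalive, key)

    intact = verify(src, dst, hdr, keepalive, key, digest)
    # Integrity: one changed payload byte no longer matches the digest.
    altered = verify(src, dst, hdr, keepalive[:-1] + b"\x03", key, digest)
    # Anti-replay: the same bytes presented under a later sequence number.
    later = fixed_header(49152, 179, seq=1019, ack=2000, flags=0x18, window=16384)
    reseq = verify(src, dst, later, keepalive, key, digest)
    # A receiver configured with a different key rejects the segment.
    wrong_key = verify(src, dst, hdr, keepalive, b"other-key", digest)
    return intact, altered, reseq, wrong_key

if __name__ == "__main__":
    print(demo())
```

The digest is a plain keyed MD5 over fields that TCP already carries, which is why the sequence-number protection comes from TCP itself rather than from a dedicated replay counter.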

Req 6: Availability and Restricting IP Reachability
• Currently: Implementation specific
• Requirements:
  • Filter as precisely as possible, to avoid BGP packets from non-peers.
  • ACLs on L2/3/4
  • Efficient packet dropping
  • GTSM
  • Fragments SHOULD be dropped
need to add: “must be before crypto”
only on single hop, or also multi-hop peerings?

Req 7: Key Management and Operational Considerations
• Currently: Statically defined pre-shared keys
• Requirements:
  • automated key negotiation, based on BGP speaker ID (SHOULD)
  • Maybe: Key lists with lifetimes
  • SHOULD be easy to configure
  • SHOULD not require regular changes (like static keys)
However, what does this mean?

Req 8: Logging and Alerting
• Currently: Syslog, SNMP traps
• Requirements:
  • MUST produce alerts
  • General logging considerations apply:
    • message summarisation
    • rate limiting
  • SHOULD use secure syslog for this purpose

Questions
• Does the document add value?
• What is missing / wrong / to be improved?
• WG doc?