Stephen,

Thank you very much for the comments. Please see the resolution below.

Linda

-----Original Message-----
From: Stephen Farrell via Datatracker <[email protected]>
Sent: Friday, February 2, 2024 8:03 AM
To: [email protected]
Cc: [email protected]; [email protected]; [email protected]
Subject: Secdir last call review of draft-ietf-bess-bgp-sdwan-usage-19

Reviewer: Stephen Farrell
Review result: Has Issues

I looked at the diff from -15 to -19. I think the main security issue of depending on BGP over TLS remains - that seems almost fictional (is it?), whereas the shepherd write-up says: "...this draft is simply describing the usage of existing technologies standardised within bess to SD-WAN." I see Roman's existing discuss already covers this.

I note that https://datatracker.ietf.org/doc/draft-wirtgen-bgp-tls/ was posted since I did the review of -15 of this draft, but that seems to be a fairly brief -00 individual submission. Presumably that work would have to have progressed significantly before this draft could reflect reality.

As this draft is aiming to become an informational RFC, I guess one could rewrite the sections mentioning TLS to say that BGP/TLS is needed for this to be secure, is not available today, but is something that is being developed (e.g. referring to draft-wirtgen-bgp-tls). However, doing that before adoption of a work item for BGP/TLS by some routing WG might well be considered premature and overly optimistic?

[Linda] Thank you very much for the suggestion. This draft operates under the assumption that a secure channel exists between the SD-WAN controller and the SD-WAN edges. In the context of extending a VPN network to the SD-WAN scenario, this secure channel can leverage the operator's primary management channel designed for VPN control. Consequently, there is no strict requirement for BGP over TLS. As a result, we can remove all references to TLS from the document. In the "Security Considerations", is it beneficial to add a discussion of the security issue of using BGP over TLS?

Linda
_______________________________________________ BESS mailing list [email protected] https://www.ietf.org/mailman/listinfo/bess
