On Dec 5, 2015, at 7:12 AM, Nick Hilliard <[email protected]> wrote: > > The security considerations section in this ID explicitly states that there > are security risks associated with leaking bgp information. If the ietf > believes this, then there should be a recommendation to secure the protocol > with some form of encryption mechanism (not just authentication), and an > encryption mechanism which is likely to be deployed in production. If the > ietf doesn't believe this, then the section should be removed.
The identification of a threat doesn't automatically mean it must be protected against, especially when there are non-trivial costs associated with doing so. It's just like any other cost/benefit tradeoff. Which is greater? The costs associated with threats to confidentiality of BMP data (the security section)? Or the costs associated with the increased difficulty of troubleshooting an encrypted transport (Jeff's most recent message)? (The question is not rhetorical.) I am OK with the WG deciding to resolve the tradeoff more strongly in favor of confidentiality, even at this late date. However, the rationale for doing so shouldn't be "you have to plug every hole in the security considerations or remove the security considerations section". Apart from any of the other problems that would lead to, it creates a perverse incentive for people to overlook threats entirely when writing their security considerations section. --John _______________________________________________ GROW mailing list [email protected] https://www.ietf.org/mailman/listinfo/grow
