On Thu, Dec 14, 2017 at 06:03:42PM +0000, [email protected] wrote:
> > From: Smith, Donald [mailto:[email protected]]
> > Sent: Thursday, December 14, 2017 6:13 PM
> >
> > I don't see anything around MD5/TCPAO authentication.
>
> This is correct, but this is really not specific to this document and
> the comment would apply to any information sent over BGP session, and
> probably to most of IDR document extending the protocol with
> additional field or usage. If there is a need to discuss this all
> IETF document related to BGP, we can indeed add some text. Would the
> following text be ok with you?
>
> "This document does not change any underlying security issues
> associated with any other BGP Communities mechanism. Unless a
> transport that provides integrity is used for the BGP session, the
> GRACEFUL_SHUTDOWN community may be added or removed by a man in the
> middle. However, the harm would be lower than adding or removing an
> NLRI, or adding a NO_EXPORT or NO_ADVERTISE community. Hence this does
> not constitute a new attack vector. Protection of the TCP session used
> by BGP is discussed in section 5.1 of RFC 7454, security section of
> [RFC4271] and [RFC4272]."
I think the above is mostly good, but can be trimmed a little bit. The
following is on point and covers aspects relevant to GRACEFUL_SHUTDOWN.
"This document does not change any underlying security issues
associated with any other BGP Communities mechanism. Unless a
transport that provides integrity is used for the BGP session, the
GRACEFUL_SHUTDOWN community may be added or removed by a man in the
middle."
Kind regards,
Job
_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
