Minutes of the IDR meeting

1) Agenda bashing - nothing added
2) IDR document status attached [power point presentation]
3) BGP MIB v2

       - 2547 MIB work will be added
       - Discussion of the BGP-MIB v2 will go on the list

4) BGP Security

  a) BGP Security analysis [presentation will be sent later]

    BGP Security Protections (draft-murphy-bgp-protect-00.txt)
    BGP Security Vulnerabilities Analysis (draft-murphy-bgp-vuln-00.txt)
       [see presentation]

       2) see Sandy's presentation for details on individual comments

       Alex: Security analysis draft is outside of the working
             charter. (Routing AD)
       Ran: Security analysis is certainly within the charter for
             a working group.

       IDR working group mailing list will discuss the drafts and
       whether work on this draft is within the IDR charter.
       Alex (Routing AD) will also ask the IESG whether this
       subject is part of our scope.

   b) Securing BGPv4 using IPsec [draft-ward-bgp-ipsec-00.txt]

       a) application/deployment doc and not protocol extension
       b) Could be discussed in:
               a) Security policy working group
               b) IPS (security policy)
               c) IDR informational RFC

       Question:
               1) section 2 - IKE is a "MUST" (an error)
               2) No encryption is not an issue to the security

       Alex Zinin (as Routing AD) states this is out of the charter for the
       working group.  We will need to revise the charter to include
       this draft.  The Routing ADs suggested that we wait until
       we have the Routing Security BOF to discuss requirements on the list.

   c) TCP MD5 draft

       Key Requirements for the TCP MD5 Signature Option
       draft-ietf-idr-md5-keys-00.txt

      [No slides from Marcus, notes are rough]

       a) Most credible attack is "key determination" by brute force

           Took the current architecture of processors and software to
           see what is reasonable.  The normal key is 12-24 bytes
           long, in "ascii" (most commonly used).

           Recommendation: key: use HEX structure
                           change keys every 90 days

       b) IPsec vs TCP MD5

           Experience with public key infrastructures has
           shown that a dynamic key infrastructure is difficult
           to deploy.

           If authentication is the only issue, use TCP MD5. If
           encryption and data security are important, IPsec is the choice.

       Using IKE for dynamic key management may be useful.
       The profile for TCP MD5 re-keying for BGP would look different
       from that for OSPF.

       c) TCP MD5 versus HMAC MD5 - if starting today, use HMAC MD5.
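
Added example, not part of the minutes or of the draft: an audit of configured TCP MD5 keys against the two recommendations recorded under a) above (keys given in hex, keys changed every 90 days), with an upper bound on the brute-force search space of each key. It assumes "HEX structure" means the key is written as hex digits so that every byte value is usable; the inventory layout, peer names, keys and dates are constructed.

```python
import math
import string
from datetime import date

MAX_KEY_AGE_DAYS = 90  # rotation interval recommended in the minutes

# Character classes used to bound the search space of a typed ASCII key.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def keyspace_bits(encoding, value):
    """Upper bound, in bits, on the brute-force search space of a key."""
    if encoding == "hex":
        return 8.0 * len(bytes.fromhex(value))  # every byte value is possible
    # ASCII key: length * log2(size of the character classes actually used).
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in value))
    return len(value) * math.log2(alphabet) if alphabet else 0.0

def audit_key(encoding, value, installed, today):
    """Return (bits, findings) for one configured TCP MD5 key."""
    findings = []
    if encoding != "hex":
        findings.append("ascii-key")
    if (today - installed).days > MAX_KEY_AGE_DAYS:
        findings.append("rotation-overdue")
    return keyspace_bits(encoding, value), findings

# Constructed sample inventory (peer names, keys and dates are made up).
PEERS = [
    ("peer-a", "ascii", "bgpsessionkeyabc", date(2024, 1, 10)),
    ("peer-b", "hex", "9f3c1e7a5b2d4c680a1b2c3d4e5f6071", date(2024, 5, 1)),
]

def audit_all(peers, today):
    """Audit every (name, encoding, key, install date) entry."""
    return {name: audit_key(enc, val, inst, today)
            for name, enc, val, inst in peers}

if __name__ == "__main__":
    for name, (bits, findings) in audit_all(PEERS, date(2024, 6, 1)).items():
        print(f"{name}: <= {bits:.0f} bits, findings: {findings or 'none'}")
```

Both sample keys are 16 bytes long, but the lowercase ASCII key is bounded at about 75 bits against 128 for the hex key, and a human-chosen phrase will fall well below its bound.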

   d) BGP Integrity Check using IRR

      Concerns with the draft:
       a) Multi-origin ASes are a normal situation and good,
           so this portion of the draft should be changed
       b) IRR can allow multiple origins per prefix
       c) Caching of the IRR Checks causes a problem
          during start-up