On December 9, 2025 at 10:40:05 PM, Linda Dunbar wrote:

...

> > > “SD-WAN further depends on standard BGP security mechanisms, including
> > > the use of secure transport (e.g., TLS or IPsec) for BGP sessions and
> > > strict RR policy enforcement. Deployments that bypass protected channels
> > > risk exposing SD-WAN edge properties or allowing unauthorized nodes to
> > > inject or receive routes. Likewise, incorrect RR policies can result in
> > > unintended distribution of client routes or tunnel attributes. These
> > > risks arise from deployment choices rather than the mechanisms described
> > > in this document, and operators must ensure that secure transport and
> > > proper RR configuration are consistently applied.”
> >
> > I see you have more suggestions later on in §8. In general, including this
> > text and what you propose in later, you should point at the existing
> > security considerations of the protocols you're using. Many of the risks
> > that exist are, as you mention, not specific to this document, but ones
> > that exist in BGP already -- again, support that claim by referencing the
> > existing security considerations in published RFCs.
> >
> > One big nit about the text above: "SD-WAN further depends on standard BGP
> > security mechanisms, including the use of secure transport (e.g., TLS or
> > IPsec) for BGP sessions..." The only standard session-level mechanism is
> > TCP-AO, which is not used in this case, so that statement opens the door
> > to questions about the existing mechanisms...
>
> [Linda2] How about changing the paragraph to the following?
>
> “SD-WAN operation relies on the existing security mechanisms defined for BGP
> and IPsec. In particular, protection of BGP sessions may use the TCP
> Authentication Option (TCP-AO) as specified in RFC 5925, and the security
> considerations of BGP, TCP-AO, and IPsec apply directly. Many of the risks
> described here—including route injection, session disruption, or unintended
> route distribution—are therefore inherent to those protocols rather than
> specific to this SD-WAN usage. Operators must follow the existing security
> guidance in the referenced RFCs and ensure correct RR policy configuration
> and session protection”

Don't talk about TCP-AO; you don't mention it anywhere else in the document. While it is ok to use it when using TLS/IPsec, you don't need to add more just because it exists, and the combined use is also not specific to this document.

Beyond mentioning the "referenced RFCs", be explicit in this section which ones they are. Note, for example, that RFC 4271 is not referenced, but the text does mention "the security considerations of BGP". The vulnerabilities are documented in RFC 4272...

_______________________________________________ BESS mailing list -- [email protected] To unsubscribe send an email to [email protected]
