Hi Ben,

> -----Original Message-----
> From: Benjamin Kaduk [mailto:[email protected]]
> Sent: Saturday, January 22, 2022 7:54 PM
> To: Templin (US), Fred L <[email protected]>
> Cc: Russ Housley <[email protected]>; [email protected];
> [email protected]; [email protected]
> Subject: [EXTERNAL] Re: [secdir] Secdir early review of
> draft-ietf-rtgwg-atn-bgp-12
>
> On Wed, Jan 19, 2022 at 04:53:20PM +0000, Templin (US), Fred L wrote:
> >
> > > -----Original Message-----
> > > From: rtgwg [mailto:[email protected]] On Behalf Of Russ Housley via
> > > Datatracker
> > > Sent: Tuesday, January 18, 2022 2:22 PM
> > > To: [email protected]
> > > Cc: [email protected]; [email protected]
> > > Subject: Secdir early review of draft-ietf-rtgwg-atn-bgp-12
> >
> > [...]
> > > Section 5 says: "...tunnels packets directly between Proxys ...".
> > > Are these IPsec tunnels? I am trying to fully understand when the
> > > tunnels require IPsec (or some other security protocol) and when they
> > > do not.
> >
> > This is a good point. We want to establish an environment where security
> > tunneling is used to protect only control messages and BGP protocol
> > messages while unsecured tunneling is used to convey data plane packets
> > when higher-layer security is used end-to-end. Again, more words may
> > help clarify.
>
> Without looking too hard at the specifics of this draft's situation, as a
> general statement, knowing that higher-layer security is used end-to-end is
> hard to 100% reliably determine, and the cost of getting it wrong can be
> very high. As a general design pattern, having multiple layers of crypto
> that aim to protect different aspects of the traffic is perfectly fine, and
> in some cases actually required in order to get the needed properties.
> If the only tunnel available is a secure tunnel, then you don't have to
> worry about getting the decision wrong.
>
> Looking at the specific scenario in §5, it is not a direct analogue of the
> scenario I describe, but I would caution against being too eager to discard
> the certainty of always having a secure tunnel.

The security goal for lower layers is to protect routing information and control plane messages that affect routing. For that, secured tunnels serve the purpose well. In the data plane, it is no different than the way the public Internet works. Secured transactions like online banking are conducted over the public Internet all the time without requiring a secured tunnel at the network layer, since the upper layers set up their own security associations. Requiring a secured tunnel at the network layer even for data plane transactions would interfere with route optimization and really defeat the purpose of what we are trying to accomplish here.

Thanks - Fred

> -Ben
