Minutes of the IDR meeting

1) Agenda bashing - nothing added

2) IDR document status attached [power point presentation]

3) BGP MIB v2
   - 2547 MIB work will be added
   - Discussion of the BGP-MIB v2 will go on the list

4) BGP Security

   a) BGP Security analysis [presentation will be sent later]

      BGP Security Protections (draft-murphy-bgp-protect-00.txt)
      BGP Security Vulnerabilities Analysis (draft-murphy-bgp-vuln-00.txt) [see presentation 2]

      See Sandy's presentation for details on individual comments.

      Alex (Routing AD): Security analysis draft is outside of the working charter.
      Ran: Security analysis is certainly within the charter for a working group.

      The IDR working group mailing list will discuss the drafts and whether work on this draft is within the IDR charter. Alex (Routing AD) will also ask the IESG whether this subject is part of our scope.

   b) Securing BGPv4 using IPsec [draft-ward-bgp-ipsec-00.txt]

      a) Application/deployment doc and not a protocol extension
      b) Could be discussed in:
         a) Security policy working group
         b) IPS (security policy)
         c) IDR information RFC

      Questions:
      1) Section 2 - IKE is a "MUST" (an error)
      2) No encryption is not an issue to the security

      Alex Zinin (as Routing AD) states this is out of the charter for the working group. We will need to revise the charter to include this draft. The Routing ADs suggested that we wait until we have the Routing Security BOF to discuss requirements on the list.

   c) TCP MD5 draft

      Key Requirements for the TCP MD5 Signature Option, draft-ietf-idr-md5-keys-00.txt
      [No slides from Marcus, notes are rough]

      a) Most credible attack is "key determination" by brute force.
         Took the current architecture of processors and software to see what is reasonable.
         The normal key has a 12-24 byte key length with "ascii" (most commonly used).
         Recommendation:
           key: use HEX structure
           change keys every 90 days

      b) IPsec vs TCP MD5
         Experience with public key infrastructures has shown that a dynamic key infrastructure is difficult to deploy.
         If authentication is the only issue, use TCP MD5. If encryption and data security are important, IPsec is the choice. Using IKE for dynamic key management may be useful. A profile for TCP MD5 re-keying for BGP would look different than for OSPF.

      c) TCP MD5 versus HMAC MD5 - if starting today, use HMAC MD5.

5) BGP Integrity Check using IRR

   Concerns with the draft:
   a) Multi-origin ASes are a normal situation and good, so this portion of the draft should be changed
   b) IRR can allow multiple origins per prefix
   c) Caching of the IRR checks causes a problem during start-up