| 1 | +--- |
| 2 | +title: "BGP over TLS/TCP" |
| 3 | +abbrev: bgp-tls |
| 4 | +docname: draft-wirtgen-bgp-tls-latest |
| 5 | +category: exp |
| 6 | + |
| 7 | +submissiontype: IETF # also: "independent", "editorial", "IAB", or "IRTF" |
| 8 | +number: |
| 9 | +date: |
| 10 | +consensus: true |
| 11 | +v: 3 |
| 12 | +area: "Routing" |
| 13 | +workgroup: "IDR" |
| 14 | +keyword: |
| 15 | + - tcp |
| 16 | + - tls |
| 17 | + - bgp |
| 18 | + - tcp-ao |
| 19 | + |
| 20 | +venue: |
| 21 | + group: "IDR" |
| 22 | + type: "Working Group" |
| 23 | + |
| 24 | + arch: "https://mailarchive.ietf.org/arch/browse/idr/" |
| 25 | + github: "obonaventure/draft-bgp-tls" |
| 26 | + |
| 27 | +author: |
| 28 | + - |
| 29 | + name: Thomas Wirtgen |
| 30 | + organization: UCLouvain & WELRI |
| 31 | + |
| 32 | + - |
| 33 | + name: Olivier Bonaventure |
| 34 | + organization: UCLouvain & WELRI |
| 35 | + |
| 36 | + |
| 37 | + |
| 38 | + |
| 39 | +normative: |
| 40 | + RFC7301: |
| 41 | + RFC4271: |
| 42 | + RFC4272: |
| 43 | + RFC7301: |
| 44 | + RFC5925: |
| 45 | + RFC2385: |
| 46 | + |
| 47 | + I-D.draft-piraux-tcp-ao-tls: |
| 48 | + # title: Opportunistic TCP-AO with TLS |
| 49 | + # author: |
| 50 | + # - |
| 51 | + # ins: M. Piraux |
| 52 | + # name: Maxime Piraux |
| 53 | + # - |
| 54 | + # ins: O. Bonaventure |
| 55 | + # name: Olivier Bonaventure |
| 56 | + # - |
| 57 | + # ins: T. Wirtgen |
| 58 | + # name: Thomas Wirtgen |
| 59 | + # date: 2023 |
| 60 | + # seriesinfo: Internet draft, draft-bonventure-tcp-ao-tls, work in progress |
| 61 | + |
| 62 | +informative: |
| 63 | + I-D.draft-retana-idr-bgp-quic: |
| 64 | + RFC5082: |
| 65 | + RFC8446: |
| 66 | + RFC9000: |
| 67 | + |
| 68 | + |
| 69 | + |
| 70 | +--- abstract |
| 71 | + |
| 72 | +This document specifies the utilization of TCP/TLS to support BGP. |
| 73 | + |
| 74 | +--- middle |
| 75 | + |
| 76 | +# Introduction |
| 77 | + |
| 78 | + |
| 79 | +The Border Gateway Protocol (BGP) {{RFC4271}} relies on the TCP protocol |
| 80 | +to establish BGP sessions between routers. A recent draft |
| 81 | +{{I-D.draft-retana-idr-bgp-quic}} has proposed to replace TCP with |
| 82 | +the QUIC protocol {{RFC9000}}. QUIC brings many features compared to |
| 83 | +TCP including security, the support of multiple streams or datagrams. |
| 84 | + |
| 85 | +From a security viewpoint, an important benefit of QUIC compared to TCP is |
| 86 | +that QUIC by design prevents injection attacks that are possible when |
| 87 | +TCP is used by BGP {{RFC4272}}. Several techniques can be used by BGP routers |
| 88 | +to counter this attacks {{RFC5082}} {{RFC5925}}. TCP-AO {{RFC5925}} |
| 89 | +authenticates the packets exchanged over a BGP session provides similar |
| 90 | +features as QUIC. However, it is notoriously difficult to configure the |
| 91 | +keys used to protect BGP sessions. |
| 92 | + |
| 93 | +The widespread deployment of TLS {{RFC8446}} combined with the possibility of |
| 94 | +deriving TCP-AO keys from the TLS handshake {{I-D.draft-piraux-tcp-ao-tls}} |
| 95 | +creates an interest in using TLS to secure BGP sessions. This document |
| 96 | +describes how BGP can operate over TCP/TLS. |
| 97 | + |
| 98 | + |
| 99 | +# Conventions and Definitions |
| 100 | + |
| 101 | +{::boilerplate bcp14-tagged} |
| 102 | + |
| 103 | + |
| 104 | + |
| 105 | +This document uses network byte order (that is, big endian) values. |
| 106 | +Fields are placed starting from the high-order bits of each byte. |
| 107 | + |
| 108 | +# Summary of operation |
| 109 | + |
| 110 | +A BGP over TLS/TCP session is established in two phases: |
| 111 | + |
| 112 | + - establish a transport layer connection using TCP |
| 113 | + - establish a TLS session over the TCP connection |
| 114 | + |
| 115 | +The TCP connection SHOULD be established on port TBD1. |
| 116 | + |
| 117 | +During the establishment of the TLS session, the router that initiates the |
| 118 | +connection MUST use the "botls" token in the Application Layer Protocol |
| 119 | +Negotiation (ALPN) extension {{RFC7301}}. The support for other ALPN MUST |
| 120 | +NOT be proposed during the TLS handshake. |
| 121 | + |
| 122 | +Once the TLS handshake is established and finished, the BGP session is |
| 123 | +initiated as defined in {{RFC4271}} and the protocol operates in the |
| 124 | +same way as a classic BGP over TCP session. The difference is that the |
| 125 | +BGP session is now encrypted and authenticated using the TLS layer. |
| 126 | +As in {{I-D.draft-retana-idr-bgp-quic}}, the TLS authentication parameters used for this connection |
| 127 | +are out of the scope of this draft. |
| 128 | + |
| 129 | + |
| 130 | +# Security Considerations |
| 131 | + |
| 132 | +This document improves the security of BGP sessions since the information exchanged over the |
| 133 | +session is now protected by using TLS. |
| 134 | + |
| 135 | +If TLS encounters a payload injection attack, it will generate an alert that immediately |
| 136 | +closes the TLS session. The BGP router SHOULD then attempt to reestablish the session. |
| 137 | +However, this will cause traffic to be interrupted during the connection re-establishement. |
| 138 | + |
| 139 | + |
| 140 | +If both BGP peer supports TCP-AO, the TLS stack is protected against payload injection and |
| 141 | +this attack can be avoided. When enabled, TCP-AO counters TCP injection |
| 142 | +attacks listed in {{RFC5082}}. |
| 143 | + |
| 144 | +Furthermore, if the BGP router supports TCP-AO, we recommend an opportunistic |
| 145 | +TCP-AO approach as suggested in {{I-D.draft-piraux-tcp-ao-tls}}. The |
| 146 | +router will attempt to connect using TCP-AO with a default key. When the TLS |
| 147 | +handshake is finished, the routers will derive a new TCP-AO key using the TLS key. |
| 148 | + |
| 149 | +TCP-MD5 {{RFC2385}} MAY be used to protect the TLS session if TCP-AO is not available on the |
| 150 | +BGP router. |
| 151 | + |
| 152 | + |
| 153 | +# IANA Considerations |
| 154 | + |
| 155 | +IANA is requested to assign a TCP port (TBD1) from the "Service Name and Transport |
| 156 | +Protocol Port Number Registry" as follows: |
| 157 | + |
| 158 | +- Service Name: botls |
| 159 | +- Port Number: TBD1 |
| 160 | +- Transport Protocol: TCP |
| 161 | +- Description: BGP over TLS/TCP |
| 162 | +- Assignee: IETF |
| 163 | +- Contact: IDR WG |
| 164 | +- Registration Data: TBD |
| 165 | +- Reference: this document |
| 166 | +- Unauthorized Use Reported: [email protected] |
| 167 | + |
| 168 | + |
| 169 | +It is suggested to use the same port as the one selected for BGP over QUIC |
| 170 | +{{I-D.draft-retana-idr-bgp-quic}}. |
| 171 | + |
| 172 | +# Acknowledgments |
| 173 | +{:numbered="false"} |
| 174 | + |
| 175 | +The authors thank |
| 176 | +Dimitri Safonov for the TCP-AO implementation in Linux. |
| 177 | + |
| 178 | +# Change log |
| 179 | +{:numbered="false"} |
| 180 | + |
| 181 | + |
| 182 | + |
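Review bot: the normative reference block in this hunk lists `RFC7301:` twice (directly under `normative:` and again after `RFC4272:`); drop one, as kramdown-rfc will otherwise emit a duplicate reference entry. While in that block, the normative/informative split should be reconsidered: the TLS handshake is the mechanism the whole draft depends on, yet TLS 1.3 {{RFC8446}} is listed as informative, while RFC2385 (TCP-MD5, obsoleted by RFC5925) is normative although it only backs a MAY-level fallback; the commented-out seriesinfo under `I-D.draft-piraux-tcp-ao-tls` also names `draft-bonventure-tcp-ao-tls`, which does not match the reference key. In Security Considerations, "TCP-AO counters TCP injection attacks listed in {{RFC5082}}" points at the wrong document: RFC 5082 is GTSM, a mitigation, whereas the injection attacks are analysed in RFC 4272, which the Introduction already cites. The ALPN paragraph should say what happens when the peer does not select "botls" (RFC 7301 has the server abort the handshake with a fatal no_application_protocol alert, after which no BGP session is started), and the draft never states a minimum TLS version even though it cites only TLS 1.3. Smaller fixes: "to counter this attacks" should read "these attacks", "If both BGP peer supports" should read "If both BGP peers support", and "re-establishement" should read "re-establishment"; the Change log section is empty.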