GROW H. Sharma Internet-Draft Vodafone Intended status: Informational 10 February 2024 Expires: 13 August 2024 TCP-AO Protection for BGP Monitoring Protocol (BMP) draft-hmntsharma-bmp-tcp-ao-02 Abstract This document outlines the utilization of the Transmission Control Protocol - Authentication Option (TCP-AO), as prescribed in RFC5925, for the authentication of Border Gateway Protocol Monitoring Protocol (BMP) sessions, as specified in RFC7854. The intent is to heighten security within the underlying Transmission Control Protocol (TCP) transport layer, ensuring the authentication of BMP sessions established between routers and BMP stations. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/hmntsharma/draft-hmntsharma-bmp-tcp-ao. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 13 August 2024. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. Sharma Expires 13 August 2024 [Page 1] Internet-Draft TCP-AO Protection for BGP Monitoring Pro February 2024 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. TCP-AO Protection for BGP Monitoring Protocol (BMP) . . . . . 2 3. Security Considerations . . . . . . . . . . . . . . . . . . . 3 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 5. Informative References . . . . . . . . . . . . . . . . . . . 3 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 3 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction The BGP Monitoring Protocol (BMP), as specified in RFC7854, advocates for the implementation of Internet Protocol Security (IPSec) from RFC4303 to address security issues concerning the BMP session between routers and the BMP station managing BGP route collection. This document underscores the use of Transmission Control Protocol - Authentication Option (TCP-AO) as the authentication mechanism ensuring end-to-end authentication of BMP sessions between the routers and the BMP stations. TCP-AO is also the choice of authentication for TCP-based network protocols such as BGP and LDP. A comprehensive discussion of TCP-AO is provided in RFC5925. 2. TCP-AO Protection for BGP Monitoring Protocol (BMP) The BGP Monitoring Protocol (BMP) outlined in RFC7854 plays a crucial role in network management by allowing routers to share information about their BGP tables, helping operators monitor and troubleshoot their networks effectively. However, the security considerations associated with BMP have become increasingly critical in light of evolving cyber threats. This document proposes that these concerns be addressed by introducing a framework that utilizes the Transmission Control Protocol - Authentication Option (TCP-AO), specified in RFC5925, to safeguard BMP sessions. Extending this security measure to BMP helps mitigate risks associated with unauthorized access, tampering, and other potential security vulnerabilities. By integrating TCP-AO into BMP implementations, network operators can establish a more resilient and trustworthy foundation for BGP monitoring activities. Sharma Expires 13 August 2024 [Page 2] Internet-Draft TCP-AO Protection for BGP Monitoring Pro February 2024 TCP-AO is not intended as a direct substitute for IPSec, nor is it suggested as such in this document. As outlined in section "3.2. Connection Establishment and Termination" of RFC 7854, BMP operates as a unidirectional protocol, meaning no messages are transmitted from the monitoring station to the monitored router. Consequently, BMP lacks an effective means of tracking a session between the router and the station. It relies on the underlying TCP session, supported by TCP keepalives (RFC1122), to maintain session activity. Therefore, it is recommended to authenticate the end-to-end TCP session between the router and the BMP station using TCP-AO. 3. Security Considerations The security of the BMP session gets a boost with TCP-AO, seamlessly implemented over the existing TCP transport, ensuring heightened protection without any additional load. 4. IANA Considerations This document has no IANA actions. 5. Informative References [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP Authentication Option", RFC 5925, DOI 10.17487/RFC5925, June 2010, . [RFC7854] Scudder, J., Ed., Fernando, R., and S. Stuart, "BGP Monitoring Protocol (BMP)", RFC 7854, DOI 10.17487/RFC7854, June 2016, . Acknowledgments This document is an outcome of the experiences gained through implementing BMP. While TCP-AO safeguards other TCP protocols, BMP lacks the same level of protection within this context. Author's Address Hemant Sharma Vodafone Email: hemant.sharma@vodafone.com Sharma Expires 13 August 2024 [Page 3]