From 10b3a84015c02a0cfc575652766e1d3c6a97ad2b Mon Sep 17 00:00:00 2001 From: Jenny Ramseyer Date: Thu, 11 Jan 2024 14:39:36 -0500 Subject: [PATCH] Security Considerations section Security Considerations, one typo. Adding a section on Security Considerations. Since we are still in discussions around security considerations for the API, I left this one somewhat ambiguous. This is by no means perfect, but now we have something. Trying to get the draft into a minimal reasonable state before we submit for March. from discussions in: https://github.com/bgp/draft-ietf-peering-api/issues/6 https://github.com/bgp/draft-ietf-peering-api/issues/4 --- draft-ramseyer-grow-peering-api.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/draft-ramseyer-grow-peering-api.md b/draft-ramseyer-grow-peering-api.md index 35007c9..dfa9cab 100644 --- a/draft-ramseyer-grow-peering-api.md +++ b/draft-ramseyer-grow-peering-api.md @@ -54,7 +54,7 @@ By using the Peering API, entities requesting and accepting peering can signific * Reducing in person-hours spent configuring peering * Reducing configuration mistakes by reducing human interaction -* And by peering, reducing network latency through expansion of interconneciton relationships +* And by peering, reducing network latency through expansion of interconnection relationships 
@@ -71,7 +71,12 @@ All terms used in this document will be defined here: # Security Considerations -PeeringDB OAuth will be the minimum requirement for authorization of API requests. +As peering connections exchange real internet traffic, this API requires a security component to verify that the requestor is allowed to request peering on behalf of that ASN. +In the initial proposal, this API intended to require PeeringDB-based authentication as the standard. +After further discussion, it was proposed to offer different authentication options, to accomodate the security concerns of different parties. +There are several possible extensions to the authentication model, including RPKI-based authentication, and additional OAuth providers. +For RPKI-based authentication, this document refers to RFC9323. +However, this document hopes that, through the RFC process, the Working Group can come to a consensus on a base "authentication standard," to ease adoption for peering partners. # Protocol (Jenny--this is not up-to-date, but I pasted in what we had in the google doc and will revise)
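Review bot: the rewrite of the Security Considerations section replaces the only concrete requirement the section had (`-PeeringDB OAuth will be the minimum requirement for authorization of API requests.`) with a description of open discussion, so after this hunk an implementer cannot tell what a conforming endpoint MUST check before acting on a request; even if the final mechanism is still under debate, the section should state a baseline (for example, keep PeeringDB OAuth as the minimum accepted method until the Working Group selects another) in RFC 2119 terms rather than only expressing hope for later consensus. Two smaller points in the same hunk: the first added line correctly frames the problem as verifying that "the requestor is allowed to request peering on behalf of that ASN", which is an authorization decision, but the remaining lines only talk about "authentication options"; it would help to separate the two (authenticate the caller, then check that the caller is authorized for the ASN in the request), since an OAuth login alone does not prove control of an ASN. And the line `+For RPKI-based authentication, this document refers to RFC9323.` should say how RFC 9323 (RPKI Signed Checklists) is meant to be used for this purpose, and cite it in the draft's reference format so it lands in the references section. Typo on the third added line: "accomodate" should be "accommodate".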