IETF Logo Mail Archive

Re: [CGA-EXT] about draft-krishnan-cgaext-send-cert-eku-03.txt

"Ana Kukec" <anchie@fer.hr> Sat, 14 March 2009 19:03 UTC

Return-Path: <anchie@fer.hr>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6B9203A6B93 for <cga-ext@core3.amsl.com>; Sat, 14 Mar 2009 12:03:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3F94hG6H0YaI for <cga-ext@core3.amsl.com>; Sat, 14 Mar 2009 12:03:33 -0700 (PDT)
Received: from labs4.cc.fer.hr (labs4.cc.fer.hr [161.53.72.24]) by core3.amsl.com (Postfix) with ESMTP id 392DC3A67D9 for <cga-ext@ietf.org>; Sat, 14 Mar 2009 12:03:33 -0700 (PDT)
Received: from sluga.fer.hr (sluga.cc.fer.hr [161.53.72.14]) by labs4.cc.fer.hr (8.14.2/8.14.2) with ESMTP id n2EJ4WRf029023 for <cga-ext@ietf.org>; Sat, 14 Mar 2009 20:04:33 +0100 (CET)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
Received: from ana-kukecs-macbook.local ([89.164.54.68]) by sluga.fer.hr with Microsoft SMTPSVC(6.0.3790.3959); Sat, 14 Mar 2009 20:04:06 +0100
Message-ID: <SLUGAkwu1BtWdWhkeLZ00000a3d@sluga.fer.hr>
Date: Sat, 14 Mar 2009 20:04:05 +0100
From: Ana Kukec <anchie@fer.hr>
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
References: <49BBC170.4010008@it.uc3m.es>
In-Reply-To: <49BBC170.4010008@it.uc3m.es>
Content-Type: text/plain; format="flowed"; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 14 Mar 2009 19:04:06.0434 (UTC) FILETIME=[A5DBD020:01C9A4D7]
X-Scanned-By: MIMEDefang 2.64 on 161.53.72.24
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] about draft-krishnan-cgaext-send-cert-eku-03.txt
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Mar 2009 19:03:34 -0000

Hi Marcelo,

Tnx for the comments, please see my comments below..


marcelo bagnulo braun wrote:
>
> 2.  Introduction
>
>   Secure Neighbor Discovery [RFC3971] Utilizes X.509v3 certificates for
>   performing router authorization.  It uses the X.509 extension for IP
>   addresses to verify whether the router is authorized to advertise the
>   mentioned IP addresses.
>
> s/addresses/prefixes
>
>   The SEND specification does not describe the set of extensions that
>   need to be supported
>
> This is strictly true, right? I mean section 6.3.1.  Router 
> Authorization Certificate Profile of the send spec does define the 
> cert profile.
>

The send spec describes just the X.509 IP address extension in the 
section 6.3.1 RAC profile, and indirectly the Subject name and the 
subjectAltName extension in the section 6.4.3 TA option.

>
> then it reads
>
> 5.  Backward Compatibility
>
>   The disadvantages of this model are related to the fact that the SEND
>   specification was developed before the standardization of the RPKI.
>   Hence, SEND is not completely compliant with the RPKI specifications
>   since it defines its own IP prefix validation routine and it is not
>   suitable for the use with CRLs, while the RPKI suports only CRLs.
>   This means that SEND implementations supporting this profile will not
>   be able to interoperate with legacy SEND implementations.
>
> I don't fully understnad the implications of this
> I mean, what needs to be changed in a current send implementation to 
> be compatible with this new format?
> I mean, the optimal would be that current send implementations accept 
> RPKI certs but skip the new extensions and that new send 
> implementations are able to read the new extensions defined by this 
> document. is this not possible?


The incompliances between the RPKI and SEND are related to the X.509 
extensions profile and their validation. Regarding the acception of the 
RPKI certificate profile into SeND, there are two problematic 
extensions, the EKU extension (as we already discussed) and the 
subjectAltName extension. The send spec requires the usage of the 
subjectAltName extension in order to match its contents with the Trust 
Anchor option of the FQDN type (as described in the section 6.4.5 of the 
send spec). But, since the RPKI is about the authorization and not about 
the authentication, the subject names in RPKI are not intended to be 
descriptive, and thus the RPKI certificate profile, i.e. 
draft-ietf-sidr-res-certs-16 does not use/describe the subjectAltName 
extension at all.

Regarding the validation routines, the rfc3779 extension validation 
routine conflicts with the one described in the send spec. But together 
with the RPKI certificate profile we can accept the rfc3779 extension 
validation routine.

Contrary to the X.509 extensions and the validation routines, the 
revocation is not a conflicting thing, it is just that the SeND lacks 
the text describing how to incorporate the RPKI revocation into SeND. 
With carefully chosen validity intervals for the RPKI certificates on 
the lower tiers, i.e. at the SEND level,  the CRL is not expected to 
grow to large sizes, and it can fit well into the SEND messages.

Regarding the section 4.1. EKU extension, we will describe it more in 
details, in collaboration with the sidr wg.

Ana

v2.23.0 | Report a Bug | By Email