Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-10.txt> (Securing RPSL Objects with RPKI Signatures) to Proposed Standard
Brian Haberman <brian@innovationslab.net> Wed, 11 May 2016 13:08 UTC
Return-Path: <brian@innovationslab.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8CB912DABE; Wed, 11 May 2016 06:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCWLry13hLgN; Wed, 11 May 2016 06:08:50 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE33D12DABF; Wed, 11 May 2016 06:08:49 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id BB1098812B; Wed, 11 May 2016 06:08:49 -0700 (PDT)
Received: from clemson.jhuapl.edu (swifi-nat.jhuapl.edu [128.244.87.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 44DC0328081A; Wed, 11 May 2016 06:08:49 -0700 (PDT)
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-10.txt> (Securing RPSL Objects with RPKI Signatures) to Proposed Standard
To: ietf@ietf.org, sidr-chairs@ietf.org, draft-ietf-sidr-rpsl-sig@ietf.org, sidr@ietf.org
References: <20160425184508.30206.46648.idtracker@ietfa.amsl.com> <20160428225451.GE123284@main>
From: Brian Haberman <brian@innovationslab.net>
Message-ID: <57332EDB.9090609@innovationslab.net>
Date: Wed, 11 May 2016 09:08:43 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <20160428225451.GE123284@main>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="dcDBlgVhEs2Fn9bUgVu272K65i81F67Go"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/_TklcyQ7eihJjdAamPXfg0D0-G4>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2016 13:08:57 -0000
Hi Tom, Thanks for the in-depth review and your efforts in creating another implementation of this draft. Responses to your comments are below... On 4/28/16 6:54 PM, Tom Harrison wrote: > Section 5 requires that an EE certificate be used for the signing of > the RPSL object. An EE certificate must contain an SIA extension that > points to an RPKI signed object (RFC 6487 [4.8.8.2]). The draft does > not define a profile for a new type of object, or specify an existing > one that may be used instead. There are a number of ways to deal with > this: for example, by defining a new profile and changing the > signature URL to suit, or by amending RFC 6487 such that object > pointers in EE certificates are optional. I would propose adding some text to this draft (probably as a sub-section in section 2) that says that the SIA defined in RFC 6487 is omitted when a certificate is used to sign RPSL objects. Given the single-use nature of the key-pair (section 3.2, point #1), omitting the SIA is straightforward. > > Section 4 specifies sets of attributes that must be signed. 'org' is > included as one of these attributes for the as-block, inet[6]num, and > route[6] object types. However, 'org' is not defined in either of the > principal RPSL RFCs (2622 and 4012), and there are current > implementations (e.g. APNIC's) that do not support it. I think the > references to 'org' should be omitted. Agreed. I will remove 'org' from the listed objects. > > Section 4 specifies 'signature' as an attribute that must be signed. > 'signature' can appear multiple times in a single object, where e.g. > two different resource holders sign a route[6] object. Given that the > text doesn't explicitly state that only the newest 'signature' must be > signed, it would appear to require that any extant 'signature' > attributes be signed as well. That in turn would prevent previous > signers from re-signing the object independently of the subsequent > signers. I think the text should be changed so that only the new > signature attribute need be signed. Agreed. I will update the text to explicitly refer to the signature currently under construction. > > Section 2.4 requires that "the Internet number resources present in > [RFC3779] extensions of the certificate referred to in the "c" field > of the signature must cover the resources in the primary key of the > object". This means that it's not possible to sign a route[6] object > for a route where one resource holder has the ASN and another the > prefix. In revision 8 (and earlier), the possibility of there being > multiple signatures, each with a certificate covering a subset of the > primary key resources, was explicitly permitted. I think that the > previous text here should be restored. I agree that the original text allowing multiple signatures supports the case where the components of the primary key of the object (i.e., prefix+ASN) come from different resource holders. I will restore that text. > > (The above points were the product of much discussion of this draft > with Tim and Oleg from RIPE, not that I'm speaking for them. We were > able to write interoperable prototype signer/validator > implementations, so the document is in pretty good shape on the > whole.) Thanks! Glad to hear this. Regards, Brian
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Tom Harrison
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Brian Haberman
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Randy Bush
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Brian Haberman
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Sandra Murphy
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Sandra Murphy