IETF Logo Mail Archive

Re: [karp] I-D Action: draft-ietf-karp-crypto-key-table-04.txt

"Joel M. Halpern" <jmh@joelhalpern.com> Fri, 26 October 2012 00:23 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: karp@ietfa.amsl.com
Delivered-To: karp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F140621F8608 for <karp@ietfa.amsl.com>; Thu, 25 Oct 2012 17:23:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.16
X-Spam-Level:
X-Spam-Status: No, score=-102.16 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id egHHvfqOjF+r for <karp@ietfa.amsl.com>; Thu, 25 Oct 2012 17:23:21 -0700 (PDT)
Received: from morbo.mail.tigertech.net (morbo.mail.tigertech.net [67.131.251.54]) by ietfa.amsl.com (Postfix) with ESMTP id 8E58321F848A for <karp@ietf.org>; Thu, 25 Oct 2012 17:23:21 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) by morbo.tigertech.net (Postfix) with ESMTP id CD5D1559BFF for <karp@ietf.org>; Thu, 25 Oct 2012 17:23:20 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id ABB281C08E7; Thu, 25 Oct 2012 17:23:19 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from [10.10.10.104] (pool-71-161-51-221.clppva.btas.verizon.net [71.161.51.221]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id D8FC31C0851; Thu, 25 Oct 2012 17:23:18 -0700 (PDT)
Message-ID: <5089D7F0.4030806@joelhalpern.com>
Date: Thu, 25 Oct 2012 20:23:12 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20121010 Thunderbird/16.0.1
MIME-Version: 1.0
To: Brian Weis <bew@cisco.com>
References: <20121022225043.25241.45532.idtracker@ietfa.amsl.com> <1B502206DFA0C544B7A6046915200863011C81@EUSAAMB105.ericsson.se> <4C84D429-416F-4A63-9C83-DA16EF243026@vigilsec.com> <1B502206DFA0C544B7A6046915200863011CD1@EUSAAMB105.ericsson.se> <0A63E924-E20D-4C94-89C2-508724EC975A@vigilsec.com> <380B8A70-0910-43B6-980A-8CCAD8731DDC@cisco.com>
In-Reply-To: <380B8A70-0910-43B6-980A-8CCAD8731DDC@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "karp@ietf.org" <karp@ietf.org>
Subject: Re: [karp] I-D Action: draft-ietf-karp-crypto-key-table-04.txt
X-BeenThere: karp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <karp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/karp>, <mailto:karp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/karp>
List-Post: <mailto:karp@ietf.org>
List-Help: <mailto:karp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Oct 2012 00:23:22 -0000

Should we be clearer somewhere that inapplicable fields may be omitted? 
(it is a conceptual table, I think we can allow conceptually optional 
elements.)
Yours,
Joel

On 10/25/2012 7:24 PM, Brian Weis wrote:
> Hi Russ,
>
> On Oct 23, 2012, at 3:32 PM, Russ Housley wrote:
>
>> Uma:
>>
>>>>>>>> I have worked through the use of pairwise keys (used in just one direction or both directions)
>>>>>>>> as well as multicast keys.  The current table supports all of these cases. I do not understand
>>>>>>>> why you want two separate tables.  Clearly, you are thinking about this differently than I am.
>>>>>>>> Can you explain how two tables will make implementation easier?
>>>
>>> [Uma]:  Let's focus on only from the key life time perspective. Some IGPs do require life times in the
>>>        specified format to make key transition easier.  But, I don't see how to fit these 4 parameters
>>>        for pair wise keys. For e.g. for TCP based pair-wise keys, when new master key is negotiated by
>>>        KMP, TCP-AO makes coordinated key transition with the peer. Not at all based on the key table
>>>        time entries specified. In that sense the entries defined today useful and enable protocols
>>>        e.g., group-key RPs, who don't have a defined way of key transition and more over do security
>>>        by themselves (make sense there).
>>>
>>>        Now, I stepped back to think on how to use for pair-wise protocols and not able to connect the
>>>        dots here. Do you see these are operator inputs or KMP negotiated and how one would use these entries?
>>
>> You will note that earlier drafts only had notBefore and notAfter.  The additional one were added because some IGPs need them.
>>
>> I see no way to move forward and address both comments.
>
> The draft appears to be silent as to whether fields in the key table are required, but my belief is that not all fields are required to be used for all keys. As such, if a KMP for TCP-AO adds a row to the key table, and some fields in that row are not required, then it simply does not need to specify their use. Is that not correct?
>
> Thanks,
> Brian
>
>> Russ
>> _______________________________________________
>> karp mailing list
>> karp@ietf.org
>> https://www.ietf.org/mailman/listinfo/karp
>
>

v2.23.0 | Report a Bug | By Email