Re: [karp] [kmart] Automated Key Management for Router Updates
"Thomas Hardjono" <ietf@hardjono.net> Wed, 28 October 2009 15:00 UTC
From: Thomas Hardjono <ietf@hardjono.net>
To: 'William Atwood' <bill@cse.concordia.ca>, "'Gregory M. Lebovitz'" <gregory.ietf@gmail.com>
References: <4A6923C1.9080609@cse.concordia.ca> <4ae79caa.9513f30a.454d.1582@mx.google.com> <20091027213539.efls0s3pi00kcw0w@mail.encs.concordia.ca>
In-Reply-To: <20091027213539.efls0s3pi00kcw0w@mail.encs.concordia.ca>
Date: Wed, 28 Oct 2009 11:00:52 -0400
Message-ID: <002101ca57df$790dc6f0$6b2954d0$@net>
Cc: karp@ietf.org
Subject: Re: [karp] [kmart] Automated Key Management for Router Updates
Bill, folks,

I read through the paper -- interesting use of GDOI.

I'm kind of thinking that the KARP problem has multiple faces/phases (similar if not identical to the NIST 800-57 lifecycle):

(a) Initialization phase, where all the entities (routers) somehow obtain the relevant keying material.

(b) Operational phases, where the routers use or exercise the keys.

(c) Maintenance phase, where security maintenance is performed (e.g. backup of keys, migration to a new router, re-initialization, etc.).

(d) Decommissioning phase, where routers are taken off the network in a graceful (and secure) way, and their keys logged elsewhere (for legal purposes) and then nuked.

Many IT folks in medium to large Enterprises dislike having to install and operate yet another management console (for another part or aspect of their network and IT). So it would be a good design goal for the KARP WG to allow the resulting KARP protocol to be "integrate-able" with existing network management consoles (read products) that implement device-management protocols (e.g. WS-Man, DMTF DASH/MASH, etc.). Some of these existing protocols could be used for one or more of the phases above.

For key management specifically, perhaps the KARP WG could look at re-using the OASIS KMIP work (Key Management Interoperability Protocol). Something like a router-specific profile could be created. The KMIP spec already supports a number of key formats (packing format), as well as transport methods.

Thoughts?

cheers,

/thomas/

> -----Original Message-----
> From: karp-bounces@ietf.org [mailto:karp-bounces@ietf.org] On Behalf Of
> William Atwood
> Sent: Tuesday, October 27, 2009 9:36 PM
> To: Gregory M. Lebovitz
> Cc: karp@ietf.org
> Subject: Re: [karp] [kmart] Automated Key Management for Router Updates
>
> Gregory,
>
> Yes, I would love to present it, but unfortunately I will not be at
> Hiroshima. It's not in an Internet Draft yet, either. Hopefully,
> someone will at least read the paper, and give me comments. I will
> send Brian and Joel some notes on draft-ietf-pim-sm-linklocal and the
> AKM framework paper, which they can use at their discretion.
>
> Bill
>
> Quoting "Gregory M. Lebovitz" <gregory.ietf@gmail.com>:
>
> > Bill,
> > Did you want to present this at the KARP BOF in Hiroshima? It is
> > definitely related work in progress. Have you published this as an I-D
> > yet? Better speak up now, as the agenda is solidifying quickly.
> >
> > Gregory.
> >
> > At 08:00 PM 7/23/2009, Bill Atwood wrote:
> >> Dear all,
> >>
> >> I have written a paper that outlines the requirements for the
> >> distributed key management part of the "kmart" roadmap, and proposes a
> >> distributed Key Server solution. It has been accepted for
> >> publication/presentation at Emerging 2009 in Malta, October 11--16.
> >>
> >> A preprint of the paper can be accessed via
> >> http://users.encs.concordia.ca/~bill/papers/emerging2009-akm.html
> >>
> >> I welcome comments from any participant in the kmart mailing list (or
> >> anyone else!).
> >>
> >> Bill Atwood
> >>
> >> --
> >>
> >> Dr. J.W. Atwood, Eng.               tel: +1 (514) 848-2424 x3046
> >> Distinguished Professor Emeritus    fax: +1 (514) 848-2830
> >> Department of Computer Science
> >>   and Software Engineering
> >> Concordia University EV 3.185       email: bill@cse.concordia.ca
> >> 1455 de Maisonneuve Blvd. West      http://users.encs.concordia.ca/~bill
> >> Montreal, Quebec Canada H3G 1M8
> >> _______________________________________________
> >> kmart mailing list
> >> kmart@ietf.org
> >> https://www.ietf.org/mailman/listinfo/kmart
> >
> >
>
> --
> Dr. J.W. Atwood, Eng.               tel: +1 (514) 848-2424 x3046
> Professor Emeritus                  fax: +1 (514) 848-2830
> Department of Computer Science
>   and Software Engineering
> Concordia University EV 3.185       email: bill@cse.concordia.ca
> 1455 de Maisonneuve Blvd. West      http://www.cse.concordia.ca/~bill
> Montreal, Quebec Canada H3G 1M8
>
> _______________________________________________
> karp mailing list
> karp@ietf.org
> https://www.ietf.org/mailman/listinfo/karp