Re: [karp] Comments to draft-chunduri-karp-kmp-router-fingerprints-01.txt
Uma Chunduri <uma.chunduri@ericsson.com> Mon, 05 November 2012 17:39 UTC
Return-Path: <uma.chunduri@ericsson.com>
X-Original-To: karp@ietfa.amsl.com
Delivered-To: karp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3067821F886E for <karp@ietfa.amsl.com>; Mon, 5 Nov 2012 09:39:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4BRZLTu4alBN for <karp@ietfa.amsl.com>; Mon, 5 Nov 2012 09:39:46 -0800 (PST)
Received: from imr4.ericy.com (imr4.ericy.com [198.24.6.9]) by ietfa.amsl.com (Postfix) with ESMTP id 955CE21F8702 for <karp@ietf.org>; Mon, 5 Nov 2012 09:39:46 -0800 (PST)
Received: from eusaamw0707.eamcs.ericsson.se ([147.117.20.32]) by imr4.ericy.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id qA5HiYhL015279; Mon, 5 Nov 2012 11:44:37 -0600
Received: from EUSAAHC002.ericsson.se (147.117.188.78) by eusaamw0707.eamcs.ericsson.se (147.117.20.32) with Microsoft SMTP Server (TLS) id 8.3.279.1; Mon, 5 Nov 2012 12:39:39 -0500
Received: from EUSAAMB105.ericsson.se ([147.117.188.122]) by EUSAAHC002.ericsson.se ([147.117.188.78]) with mapi id 14.02.0318.001; Mon, 5 Nov 2012 12:39:39 -0500
From: Uma Chunduri <uma.chunduri@ericsson.com>
To: Tero Kivinen <kivinen@iki.fi>, "karp@ietf.org" <karp@ietf.org>, Albert Tian <albert.tian@ericsson.com>
Thread-Topic: [karp] Comments to draft-chunduri-karp-kmp-router-fingerprints-01.txt
Thread-Index: AQHNu2l1QT6FlA6OVkSrXYlPLSkW0pfbgC7A
Date: Mon, 05 Nov 2012 17:39:39 +0000
Message-ID: <1B502206DFA0C544B7A60469152008630199CF@EUSAAMB105.ericsson.se>
References: <20631.55733.385287.235673@fireball.kivinen.iki.fi>
In-Reply-To: <20631.55733.385287.235673@fireball.kivinen.iki.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [147.117.188.135]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [karp] Comments to draft-chunduri-karp-kmp-router-fingerprints-01.txt
X-BeenThere: karp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <karp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/karp>, <mailto:karp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/karp>
List-Post: <mailto:karp@ietf.org>
List-Help: <mailto:karp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2012 17:39:47 -0000
Hi Tero, Thanks for the comments. Response In-line [Uma]: ==== In section 3.1 the draft says: -- [Snip] This document does not mandate support for any other authentication methods, although such methods MAY be employed. [Uma]: Agree. I missed this part. I.e. it is completely possible to use just raw public keys, and store the actual fingerprint of public key to the PAD and use that when verifying the other ends authentication credentials. I would actually assume all implementations supporting raw public keys does something like that already. I.e. the pad contains that other peer should authenticate himself using the public key that has hash of xxxx, and when the peer connects and identifies itself through ID payload and sends raw public key inside the certificate payload, the implementation will calculate hash of that public key and verify that it matches the one stored on the PAD. If they match, then peer is authenticated. [Uma]: As I indicated in the meeting we will change the text to reflect this. BTW, to revoke the compromized key you simply need to remove the hash from the PAD, which do require you to update the PAD of all possible routers where this one router was talking to. Quite often those configurations are already pushed to routers by some kind of managament tool, so it is completly possibly to do this kind of things quite easily. [Uma]: Absolutely. We thought this and you mentioned this quite correct here. Thank you.
- [karp] Comments to draft-chunduri-karp-kmp-router… Tero Kivinen
- Re: [karp] Comments to draft-chunduri-karp-kmp-ro… Uma Chunduri