Re: [karp] [kmart] Automated Key Management for Router Updates

Brian Weis <bew@cisco.com> Wed, 28 October 2009 18:03 UTC

Message-Id: <EA756D56-C446-40F5-8338-3EF0604196D0@cisco.com>
From: Brian Weis <bew@cisco.com>
To: Thomas Hardjono <ietf@hardjono.net>
In-Reply-To: <002101ca57df$790dc6f0$6b2954d0$@net>
Date: Wed, 28 Oct 2009 11:03:39 -0700
References: <4A6923C1.9080609@cse.concordia.ca> <4ae79caa.9513f30a.454d.1582@mx.google.com> <20091027213539.efls0s3pi00kcw0w@mail.encs.concordia.ca> <002101ca57df$790dc6f0$6b2954d0$@net>
Cc: karp@ietf.org
Subject: Re: [karp] [kmart] Automated Key Management for Router Updates

Hi Thomas,

On Oct 28, 2009, at 8:00 AM, Thomas Hardjono wrote:

> Bill, folks,
>
> I read through the paper -- interesting use of GDOI.
>
> I'm kind of thinking that the KARP problem has multiple faces/phases
> (similar if not identical to the NIST 800-57 lifecycle):
>
> (a) Initialization phase, where all the entities (routers) somehow obtain
> the relevant keying material.
>
> (b) Operational phases, where the routers use or exercise the keys.
>
> (c) Maintenance phase, where security maintenance is performed (e.g. backup
> of keys, migration to new router, re-initialization, etc. etc).
>
> (d) Decommissioning phase, where routers are taken off the network in a
> graceful (and secure) way, and their keys logged elsewhere (for legal
> purposes) and then nuked.

That's a good overview of life cycle key management, and it might be a
good topic for the OPSEC WG.

>
> Many IT folks in medium to large Enterprises dislike having to install and
> operate yet another management console (for another part or aspect of their
> network and IT). So it would be a good design goal for the KARP WG to allow the
> resulting KARP protocol to be "integrate-able" to existing network
> management consoles (read products) that implement device-management
> protocols (e.g. WS-Man, DMTF DASH/MASH, etc etc).  Some of these existing
> protocols could be used for one or more of the phases above.
>
> For key management specifically, perhaps the KARP WG could look at re-using
> the Oasis KMIP work (Key Management Interoperability Protocol).  Something
> like a router-specific profile could be created. The KMIP spec already
> supports a number of key formats (packing format), as well as transport
> methods.

Thanks for pointing out this work. A KARP WG (should it be formed)
could consider the KMIP work when it begins work on automated key
management. However, specifying the use of (or changes to) protocols
developed outside of the IETF might be an issue. I'd welcome further
thoughts on this once a WG is formed and thinking about automated key
management.

Thanks,
Brian

>
> Thoughts?
>
> cheers,
>
> /thomas/
>
>> -----Original Message-----
>> From: karp-bounces@ietf.org [mailto:karp-bounces@ietf.org] On Behalf Of
>> William Atwood
>> Sent: Tuesday, October 27, 2009 9:36 PM
>> To: Gregory M. Lebovitz
>> Cc: karp@ietf.org
>> Subject: Re: [karp] [kmart] Automated Key Management for Router Updates
>>
>> Gregory,
>>
>> Yes, I would love to present it, but unfortunately I will not be at
>> Hiroshima.  It's not in an Internet Draft yet, either.  Hopefully,
>> someone will at least read the paper, and give me comments.  I will
>> send Brian and Joel some notes on draft-ietf-pim-sm-linklocal and the
>> AKM framework paper, which they can use at their discretion.
>>
>>   Bill
>>
>> Quoting "Gregory M. Lebovitz" <gregory.ietf@gmail.com>:
>>
>>> Bill,
>>> Did you want to present this at the KARP BOF in Hiroshima? It is
>>> definitely related work in progress. Have you published this as an I-D
>>> yet? Better speak up now, as the agenda is solidifying quickly.
>>>
>>> Gregory.
>>>
>>> At 08:00 PM 7/23/2009, Bill Atwood wrote:
>>>> Dear all,
>>>>
>>>> I have written a paper that outlines the requirements for the
>>>> distributed key management part of the "kmart" roadmap, and proposes a
>>>> distributed Key Server solution.  It has been accepted for
>>>> publication/presentation at Emerging 2009 in Malta, October 11--16.
>>>>
>>>> A preprint of the paper can be accessed via
>>>> http://users.encs.concordia.ca/~bill/papers/emerging2009-akm.html
>>>>
>>>> I welcome comments from any participant in the kmart mailing list (or
>>>> anyone else!).
>>>>
>>>> Bill Atwood
>>>>
>>>> --
>>>>
>>>> Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
>>>> Distinguished Professor Emeritus  fax:   +1 (514) 848-2830
>>>> Department of Computer Science
>>>>  and Software Engineering
>>>> Concordia University EV 3.185     email: bill@cse.concordia.ca
>>>> 1455 de Maisonneuve Blvd. West    http://users.encs.concordia.ca/~bill
>>>> Montreal, Quebec Canada H3G 1M8
>>>> _______________________________________________
>>>> kmart mailing list
>>>> kmart@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/kmart
>>
>> --
>> Dr. J.W. Atwood, Eng.             tel:   +1 (514) 848-2424 x3046
>> Professor Emeritus                fax:   +1 (514) 848-2830
>> Department of Computer Science
>>    and Software Engineering
>> Concordia University EV 3.185     email: bill@cse.concordia.ca
>> 1455 de Maisonneuve Blvd. West    http://www.cse.concordia.ca/~bill
>> Montreal, Quebec Canada H3G 1M8
>>
>> _______________________________________________
>> karp mailing list
>> karp@ietf.org
>> https://www.ietf.org/mailman/listinfo/karp
>


-- 
Brian Weis
Router/Switch Security Group, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com