[karp] Some comments to the draft-ietf-karp-crypto-key-table-04.txt
Tero Kivinen <kivinen@iki.fi> Mon, 05 November 2012 14:23 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: karp@ietfa.amsl.com
Delivered-To: karp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBA1721F8477 for <karp@ietfa.amsl.com>; Mon, 5 Nov 2012 06:23:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aYiZlNxpiBGV for <karp@ietfa.amsl.com>; Mon, 5 Nov 2012 06:23:37 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id E50CB21F8458 for <karp@ietf.org>; Mon, 5 Nov 2012 06:23:35 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id qA5ENMDG003268 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 5 Nov 2012 16:23:22 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id qA5ENMTu021233; Mon, 5 Nov 2012 16:23:22 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <20631.52185.732239.262861@fireball.kivinen.iki.fi>
Date: Mon, 05 Nov 2012 16:23:21 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: karp@ietf.org, draft-ietf-karp-crypto-key-table@tools.ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 10 min
X-Total-Time: 12 min
Subject: [karp] Some comments to the draft-ietf-karp-crypto-key-table-04.txt
X-BeenThere: karp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <karp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/karp>, <mailto:karp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/karp>
List-Post: <mailto:karp@ietf.org>
List-Help: <mailto:karp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2012 14:23:39 -0000
In section 2: RcvNotAfter The RcvNotAfter field specifies the latest date and time at which this key should be considered for use when processing received traffic. The format of this field is identical to the format of NotBefore. ^^^^^^^^^ That NotBefore should be RcvNotBefore. -- In section 6 it says: When installing a series of keys to be used one after another (sometimes called a key chain), operators should configure the SendNotBefore field of the key to be several days after the RcvNotBefore field of the key to address the clock skew issue and guarantee there is some overlap. If some routers have clock skew that is in order of DAYS and we need to have keys overlapping for "several days" to fix that, I think there might be something wrong with the router... Clock skew should be less than few minutes. There might be operation reasons to support multiple days of overlap, but on the other hand if those keys are already configured in the keytable beforehand and they are taken in to use automatically from there, I do not think we need days of overlap. If it is assumed that sometimes the adminstrators starts to type keys in to the keytable only when it gets close to be expiring then this might be useful, but I do not think this is something that is supposed to be done with keytable. - In section 8.3 8.3. KeyTable AlgIDs This document requests establishment of a registry called "KeyTable AlgIDs". The remainder of this section describes the registry. All assignments to the KeyTable KDFs registry are made on a First ^^^^^^^^^^^^^ Come First Served basis per Section 4.1 of RFC 5226. The KeyTable KDFs should be KeyTable AlgIDs in this section, the KDFs was 8.2... -- kivinen@iki.fi
- [karp] Some comments to the draft-ietf-karp-crypt… Tero Kivinen