Re: [karp] secdir review of draft-ietf-karp-ops-model-07

Brian Weis <bew@cisco.com> Wed, 14 August 2013 17:28 UTC

Return-Path: <bew@cisco.com>
X-Original-To: karp@ietfa.amsl.com
Delivered-To: karp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43F1E21F9A78 for <karp@ietfa.amsl.com>; Wed, 14 Aug 2013 10:28:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GuFex8h9cJXP for <karp@ietfa.amsl.com>; Wed, 14 Aug 2013 10:28:35 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 0767521F9BA0 for <karp@ietf.org>; Wed, 14 Aug 2013 10:28:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1724; q=dns/txt; s=iport; t=1376501315; x=1377710915; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=RmHpF//EjcAn81gOzmrvnR6hiPpUD42bIt7DrO+9NuU=; b=ak6+riMbYYlvw85xlOay9xCHridV573ZHxLAuVLj0P/nr/qH7Z7DK7Gz 6Z7yrf3KAyLJIeMqFYK8buauc5KR+V6nyTqQptByYp2YrBIoAGAezCrv2 ZcEBuZ0F78TX3B65yR/72IxTNdavXq0SWpPrjMD5HzGwlLlGFpC3vNp1I w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiQFALW9C1KrRDoG/2dsb2JhbABSCQ6CeKwak1CBJBZ0giUBAQQ6OAcQC0YhNgYTh34DDrAcDYhejVWBNYETMweDG3cDiS2MToFpjCuFJ4JdXhw
X-IronPort-AV: E=Sophos;i="4.89,878,1367971200"; d="scan'208";a="86597329"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by mtv-iport-3.cisco.com with ESMTP; 14 Aug 2013 17:28:30 +0000
Received: from stealth-10-32-244-212.cisco.com (stealth-10-32-244-212.cisco.com [10.32.244.212]) by mtv-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id r7EHSSSg008235; Wed, 14 Aug 2013 17:28:28 GMT
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Brian Weis <bew@cisco.com>
In-Reply-To: <tsla9kkfghc.fsf@mit.edu>
Date: Wed, 14 Aug 2013 10:28:32 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <01BFCE05-25D6-4DFD-B6DD-C424266AD1B8@cisco.com>
References: <CAFOuuo5cnWn8C6d+_ihA06Pc+gTP6jLgvuMXvJwrAwci12Pv-A@mail.gmail.com> <tsla9kkfghc.fsf@mit.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>
X-Mailer: Apple Mail (2.1503)
Cc: Radia Perlman <radiaperlman@gmail.com>, karp@ietf.org
Subject: Re: [karp] secdir review of draft-ietf-karp-ops-model-07
X-BeenThere: karp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <karp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/karp>, <mailto:karp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/karp>
List-Post: <mailto:karp@ietf.org>
List-Help: <mailto:karp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 17:28:40 -0000

On Aug 14, 2013, at 8:18 AM, Sam Hartman <hartmans-ietf@mit.edu> wrote:

>>>>>> "Radia" == Radia Perlman <radiaperlman@gmail.com> writes:
> 
>    Radia>    I think the document would be much improved with an
>    Radia> introduction about what is different for "routing protocol
>    Radia> security" rather than, say, an endnode authenticating to an
>    Radia> access point, or nodes forming a peer relationship in an
>    Radia> overlay network.  So, for instance, "normal security issues"
>    Radia> (i.e., outside the scope of KARP) might assume the network is
>    Radia> up, so that it's possible to get CRLs, or be available to be
>    Radia> managed, whereas perhaps KARP is targetting cases which
>    Radia> depend on less infrastructure.  It would be nice if this
>    Radia> document were to have an introduction that talks about things
>    Radia> like that.
> 
> I think that one of the previous KARP documents  (the overview or design
> guide) includes  a good review of that material.  I know I've seen a
> good write up of this in the KARP context before.
> KARP folks can you help jog my memory so I can add a reference?

This is a valuable point. But I can't find that good write-up in an RFC or I-D. Actually, Section 4.4 (The role of Central Servers) of this document has the best description conveying the point that minimal infrastructure is desirable. 

The best I find is RFC 6862, Section 1.1 Terminology, under Identity Authentication: "Certificates can be used in ways that require no additional supporting systems external to the routers themselves." That does not fully convey the thought that but could be referenced.

Brian