[karp] Comments to draft-chunduri-karp-kmp-router-fingerprints-01.txt
Tero Kivinen <kivinen@iki.fi> Mon, 05 November 2012 15:22 UTC
Message-ID: <20631.55733.385287.235673@fireball.kivinen.iki.fi>
Date: Mon, 05 Nov 2012 17:22:29 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: karp@ietf.org, albert.tian@ericsson.com
Subject: [karp] Comments to draft-chunduri-karp-kmp-router-fingerprints-01.txt
In section 3.1 the draft says:

    [RFC4301] supports X.509 certificate or pre-shared secret
    authentication data types. So, it is necessary (and one more
    reason) to encode the raw public keys as X.509 certificates before
    sending the same in CERT payload.

RFC4301 PAD does not forbid using other formats of authentication than
what is already there in the RFC4301. The RFC4301 lists the X.509
certificate and pre-shared secret as authentication information, but
also says (RFC4301 section 4.4.3.2):

    This document does not mandate support for any other
    authentication methods, although such methods MAY be employed.

I.e. it is completely possible to use just raw public keys, and store
the actual fingerprint of the public key in the PAD and use that when
verifying the other end's authentication credentials.

I would actually assume all implementations supporting raw public keys
do something like that already. I.e. the PAD contains that the other
peer should authenticate himself using the public key that has hash of
xxxx, and when the peer connects and identifies itself through the ID
payload and sends the raw public key inside the certificate payload,
the implementation will calculate the hash of that public key and
verify that it matches the one stored in the PAD. If they match, then
the peer is authenticated.

BTW, to revoke the compromised key you simply need to remove the hash
from the PAD, which does require you to update the PAD of all possible
routers that this one router was talking to. Quite often those
configurations are already pushed to routers by some kind of
management tool, so it is completely possible to do this kind of thing
quite easily.
-- 
kivinen@iki.fi
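The PAD lookup and revocation flow described in the message above, as an added example that is not part of the original mail or of any IKE implementation. It assumes the fingerprint is SHA-256 over the DER-encoded SubjectPublicKeyInfo (the mail only says "hash of xxxx"), keys the PAD by the identity from the ID payload, and uses constructed byte strings as stand-ins for raw keys. It only binds the presented key to a PAD entry; proof of possession (verifying the AUTH payload signature with that key) is the IKE implementation's job and is not shown here.

```python
"""Raw-public-key authentication against an RFC 4301 PAD, keyed by fingerprint."""
import hashlib
import hmac


def fingerprint(spki_der: bytes) -> str:
    """Fingerprint of a raw public key.

    Assumption (not from the mail): SHA-256 over the DER-encoded
    SubjectPublicKeyInfo, rendered as lowercase hex.
    """
    return hashlib.sha256(spki_der).hexdigest()


class Pad:
    """Peer Authorization Database: peer ID -> set of allowed key fingerprints.

    A set rather than a single value lets an operator add a router's new
    key before removing the old one (key rollover without a flag day).
    """

    def __init__(self):
        self._entries = {}

    def add_key(self, peer_id: str, spki_der: bytes) -> str:
        fp = fingerprint(spki_der)
        self._entries.setdefault(peer_id, set()).add(fp)
        return fp

    def revoke(self, peer_id: str, fp: str) -> bool:
        """Drop one fingerprint; returns True if something was removed."""
        fps = self._entries.get(peer_id)
        if fps is None or fp not in fps:
            return False
        fps.discard(fp)
        if not fps:
            del self._entries[peer_id]
        return True

    def authenticate(self, peer_id: str, presented_spki_der: bytes) -> bool:
        """Check the key a peer sent in its CERT payload against the PAD.

        The entry is selected by the identity from the ID payload, so a
        perfectly valid key that belongs to a different router is rejected.
        """
        fps = self._entries.get(peer_id)
        if not fps:
            return False
        presented = fingerprint(presented_spki_der)
        # compare_digest: fixed-time comparison, no early exit on first mismatch.
        return any(hmac.compare_digest(presented, fp) for fp in fps)


def revoke_everywhere(pads: dict, peer_id: str, fp: str) -> int:
    """What the management tool does for a compromised key: remove the
    fingerprint from the PAD of every router that peers with peer_id.
    Returns how many PADs actually changed."""
    return sum(1 for pad in pads.values() if pad.revoke(peer_id, fp))


# Constructed sample keys: stand-ins for DER SubjectPublicKeyInfo blobs,
# not real keys. Any distinct byte strings serve to demonstrate the lookup.
ROUTER_A_KEY = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01A-key-bytes"
ROUTER_A_NEW_KEY = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01A-new-key"
ROUTER_B_KEY = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01B-key-bytes"


def build_fleet() -> dict:
    """PADs as a management tool would push them to two routers (hypothetical
    names): both peer with router-a, and router-c also peers with router-b."""
    pads = {"router-b": Pad(), "router-c": Pad()}
    for pad in pads.values():
        pad.add_key("router-a", ROUTER_A_KEY)
    pads["router-c"].add_key("router-b", ROUTER_B_KEY)
    return pads


if __name__ == "__main__":
    fleet = build_fleet()
    pad_b = fleet["router-b"]
    print("A with own key:", pad_b.authenticate("router-a", ROUTER_A_KEY))       # True
    print("A with B's key:", pad_b.authenticate("router-a", ROUTER_B_KEY))       # False
    print("Unknown ID:    ", pad_b.authenticate("router-z", ROUTER_A_KEY))       # False
    # Rollover: add the new key everywhere, then retire the old one fleet-wide.
    for pad in fleet.values():
        pad.add_key("router-a", ROUTER_A_NEW_KEY)
    changed = revoke_everywhere(fleet, "router-a", fingerprint(ROUTER_A_KEY))
    print("PADs updated:  ", changed)                                            # 2
    print("A with old key:", pad_b.authenticate("router-a", ROUTER_A_KEY))       # False
    print("A with new key:", pad_b.authenticate("router-a", ROUTER_A_NEW_KEY))   # True
```

The revocation caveat from the mail is visible in `revoke_everywhere`: a raw-key PAD has no CRL or OCSP, so the compromised fingerprint has to be removed from every router that listed it, and any PAD the push does not reach keeps trusting the old key.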
- [karp] Comments to draft-chunduri-karp-kmp-router… Tero Kivinen
- Re: [karp] Comments to draft-chunduri-karp-kmp-ro… Uma Chunduri