Re: [OPSAWG] [Last-Call] [secdir] Secdir last call review of draft-ietf-opsawg-finding-geofeeds-06

Kyle Rose <krose@krose.org> Wed, 05 May 2021 14:51 UTC

From: Kyle Rose <krose@krose.org>
Date: Wed, 05 May 2021 10:50:55 -0400
Message-ID: <CAJU8_nXym=0LtCv4Gw5W2vRWmWrQWUjqVf0f0Oj7VbBOGHtdSw@mail.gmail.com>
To: Randy Bush <randy@psg.com>
Cc: Russ Housley <housley@vigilsec.com>, Last Call <last-call@ietf.org>, Ops Area WG <opsawg@ietf.org>, draft-ietf-opsawg-finding-geofeeds.all@ietf.org, IETF SecDir <secdir@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/5adtEfSp5NX5hrJIJI-2HnNCdj4>

On Wed, May 5, 2021 at 10:38 AM Randy Bush <randy@psg.com> wrote:

> > Pivoting for a second, are you intending to support the case in which
> > a provider has adopted RPKI but has no intention of signing these
> > files?
>
> unfortunately, this will be common for a while.  methods for signing
> with keys from the rpki are baroque at the moment, with two documents
>    draft-ietf-sidrops-rpki-rta-00
>    draft-spaghetti-sidrops-rpki-rsc-03
> proposing means.
>

Noted.

> > If so, then web PKI integrity (i.e., being able to trust that the data
> > at the https geofeed URL is controlled by the same entity that
> > controls the routing data) is still required to prevent forgery.
>
> the draft does require tls for the temporary remarks: based url.  it
> will be fixed to do so for the geofeed: url.
>
> the web pki is not associated with ip address space control/ownership.
> web pki is based on control of domain name space.  the two are quite
> unrelated.
>

I still don't understand how this is relevant. I'm not asserting otherwise,
and never have been. Let me try again: what are you suggesting would be
basing its trust of geofeed IP ranges on the web PKI? Aren't the valid
ranges for an AS specified in the RPKI-protected routing data feed (where
RPKI is available)?

Kyle