Re: [RTG-DIR] RtgDir review: draft-ietf-sidrops-bgpsec-rollover-02

Daniele Ceccarelli <daniele.ceccarelli@ericsson.com> Fri, 27 October 2017 08:22 UTC

From: Daniele Ceccarelli <daniele.ceccarelli@ericsson.com>
To: "Brian Weis (bew)" <bew@cisco.com>
CC: "<rtg-ads@ietf.org> (rtg-ads@ietf.org)" <rtg-ads@ietf.org>, "draft-ietf-sidrops-bgpsec-rollover.all@ietf.org" <draft-ietf-sidrops-bgpsec-rollover.all@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, "rtg-dir@ietf.org" <rtg-dir@ietf.org>
Date: Fri, 27 Oct 2017 08:22:13 +0000
Message-ID: <HE1PR0701MB27146AFEB3979ABCCBBF7186F05A0@HE1PR0701MB2714.eurprd07.prod.outlook.com>
References: <HE1PR0701MB2714765995E380B8545A6687F0450@HE1PR0701MB2714.eurprd07.prod.outlook.com> <CE0B48E2-FF01-4C6B-AC68-722AB09A7710@cisco.com>
In-Reply-To: <CE0B48E2-FF01-4C6B-AC68-722AB09A7710@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/qjI4oThlRpA3jwaUHsKNszvwiC8>

Hi Brian,

Thanks for the quick update.
Please see inline.
BR
Daniele


From: Brian Weis (bew) [mailto:bew@cisco.com]
Sent: Friday, 27 October 2017 01:19
To: Daniele Ceccarelli <daniele.ceccarelli@ericsson.com>
Cc: <rtg-ads@ietf.org> (rtg-ads@ietf.org) <rtg-ads@ietf.org>; rtg-dir <rtg-dir-bounces@ietf.org>; draft-ietf-sidrops-bgpsec-rollover.all@ietf.org; sidrops@ietf.org
Subject: Re: RtgDir review: draft-ietf-sidrops-bgpsec-rollover-02

Hi Daniele,

Thanks for your review.

On Oct 26, 2017, at 3:12 AM, Daniele Ceccarelli <daniele.ceccarelli@ericsson.com> wrote:

Hello,

I have been selected as the Routing Directorate reviewer for this draft. The Routing Directorate seeks to review all routing or routing-related drafts as they pass through IETF last call and IESG review, and sometimes on special request. The purpose of the review is to provide assistance to the Routing ADs. For more information about the Routing Directorate, please see http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir

Although these comments are primarily for the use of the Routing ADs, it would be helpful if you could consider them along with any other IETF Last Call comments that you receive, and strive to resolve them through discussion or by updating the draft.

Document: draft-ietf-sidrops-bgpsec-rollover-02
Reviewer: Daniele Ceccarelli
Review Date: 25/10/2017
IETF LC End Date: On agenda of 2017-11-30 IESG telechat
Intended Status: Standard Track

Summary:

I have some minor concerns about this document that I think should be resolved before publication.

Comments:

The draft is sometimes hard to read, mostly the abstract (which should be clear on the scope of the draft), what is being defined and above all the intended status. In some parts the draft seems to be a recommendation, in some others a standard track. Which one?

It’s intended to be standards-track.  We’ll change the tone of the document to match that (i.e., not describe “recommendations”). Also I’ve again reviewed the use of requirements language and made some appropriate changes to reflect a standards-track document.
[>DC] great.



Major Issues:
- None

Minor Issues  and nits:
- The abstract is a bit hard to read. E.g. the usage of "will also manage" might become obsolete sooner or later, and this sentence "But the rollover of CA and EE certificates BGPsec router certificates have..." doesn't make much sense.
- Moreover the abstract says: "This document provides general recommendations for the rollover process". How can it be a standard track then?

Thanks for pointing out that the Abstract is hard to read — it’s old text that should have been updated to match the current state of BGPSEC.  I have simplified the Abstract and addressed both of these points. Let me know if you believe it does not clearly describe the scope of the draft.

   Certification Authorities (CAs) within the Resource Public Key
   Infrastructure (RPKI) manage BGPsec router certificates as well as
   RPKI certificates.  The rollover of BGPsec router certificates must
   be carefully performed in order to synchronize the distribution of
   router public keys with BGPsec Update messages verified with those
   router public keys.  This document describes a safe rollover process,
   as well as discussing when and why the rollover of BGPsec router
   certificates are necessary.  When this rollover process is followed
   the rollover will be performed without routing information being
   lost.

[>DC] much better


- Intro: "Additionally, the BGP speaker MUST refresh its outbound BGPsec Update messages to include a signature using the new key (replacing the old key)." I wouldn't expect a MUST in the intro. I understand this is something defined in other documents, hence it should not be in capital letters, and a reference should probably be added.

The normative language has been moved until a later section. There isn’t really a reference that can be given in this sentence though — it’s stating logically what needs to happen.

[>DC] ok


- Section 3 ditto. "A BGPsec router certificate SHOULD be replaced when the following events occur" is this something new defined in this document?

Yes, a description of when a key rollover should happen is a new topic for BGPsec. So this SHOULD is needed.


- Typo/Punctuation/wrong usage of capital letters: there are a number of them all over the document. Why is OLD key always used with old in capital letters?

Fixed.

[>DC] great
Thanks,
Brian


Thanks
Daniele

--
Brian Weis
Security, CSG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com