Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
Stephen Kent <kent@bbn.com> Wed, 04 May 2011 13:14 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85B2EE070C; Wed, 4 May 2011 06:14:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.07
X-Spam-Level:
X-Spam-Status: No, score=-105.07 tagged_above=-999 required=5 tests=[AWL=1.529, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSNfG7abgHFe; Wed, 4 May 2011 06:14:52 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 0982EE06A4; Wed, 4 May 2011 06:14:51 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:45522 helo=[193.0.26.186]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QHbuj-000CvY-RU; Wed, 04 May 2011 09:14:51 -0400
Mime-Version: 1.0
Message-Id: <p06240803c9e6f3747d1c@[193.0.26.186]>
In-Reply-To: <tslboziadpf.fsf@mit.edu>
References: <tslhbbag9m1.fsf@mit.edu> <4D791B26.8020001@vpnc.org> <tsl4o7ag5fw.fsf@mit.edu> <4D79271E.6080707@vpnc.org> <tslzkp2elyf.fsf@mit.edu> <p06240801c9ce424e70b1@[128.89.89.62]> <tsl62q2tj33.fsf@mit.edu> <p06240808c9e45144c8f9@[10.242.22.94]> <tslr58fbz9t.fsf@mit.edu> <p06240800c9e604898d1c@[193.0.26.186]> <tslk4e7a14w.fsf@mit.edu> <p06240803c9e6ae6a7fe9@[193.0.26.186]> <tslboziadpf.fsf@mit.edu>
Date: Wed, 04 May 2011 09:14:30 -0400
To: Sam Hartman <hartmans-ietf@mit.edu>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: draft-ietf-sidr-res-certs@tools.ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, ietf@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2011 13:14:52 -0000
At 7:48 AM -0400 5/4/11, Sam Hartman wrote: > >>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes: > > Stephen> The BGPSEC protocol being defined does not pass around ROAs > Stephen> or other RPKI repository objects. It defines two new, > Stephen> signed objects that are passed in UPDATE messages, and are > Stephen> not stored in the repository. These objects are verified > Stephen> using RPKI certs and CRLs, so there is a linkage. > >OK, so how will the upgrade work for these signed objects? In >particular during phase 2, when both old and new certs (under the old >and new profile) are in use, what happens with these signed objects? >Can a party generate both old and new signed objects? If so, will the >protocol scale appropriately? If not, how does a party know which >signed object to generate? Sam, The BGPSEC protocol will have to accommodate changes in the algs used to validate BGPSEC signed objects, and changes in algs used to validate RPKI objects, and key (not alg) changes in the RPKI objects, especially the certs associated with routers. So, format changes are just another example of a change in the RPKI that BGPSEC will have to accommodate. This is a legitimate discussion point for the BGPSEC protocol design discussions that will take place in SIDR. It is out of scope for the current set of docs, since they deal only with origin AS validation. It would be inappropriate to suggest delaying this doc (or to suggest changes to it) based on discussions that will take place in the future, for a protocol that is just being adopted as a WG item now. Steve
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Jeffrey Hutzelman
- [secdir] Secdir review of draft-ietf-sidr-res-cer… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Paul Hoffman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Paul Hoffman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Rob Austein
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Martin Rex
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… John C Klensin
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman