Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
Sam Hartman <hartmans-ietf@mit.edu> Wed, 04 May 2011 14:32 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E5BEE0719; Wed, 4 May 2011 07:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.618
X-Spam-Level:
X-Spam-Status: No, score=-103.618 tagged_above=-999 required=5 tests=[AWL=-1.353, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oQeegOHWpULJ; Wed, 4 May 2011 07:32:43 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by ietfa.amsl.com (Postfix) with ESMTP id 9D9C7E070C; Wed, 4 May 2011 07:32:43 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 261F52034A; Wed, 4 May 2011 10:28:55 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 415F841F4; Wed, 4 May 2011 10:32:36 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Stephen Kent <kent@bbn.com>
References: <tslhbbag9m1.fsf@mit.edu> <4D791B26.8020001@vpnc.org> <tsl4o7ag5fw.fsf@mit.edu> <4D79271E.6080707@vpnc.org> <tslzkp2elyf.fsf@mit.edu> <p06240801c9ce424e70b1@[128.89.89.62]> <tsl62q2tj33.fsf@mit.edu> <p06240808c9e45144c8f9@[10.242.22.94]> <tslr58fbz9t.fsf@mit.edu> <p06240800c9e604898d1c@[193.0.26.186]> <tslk4e7a14w.fsf@mit.edu> <p06240803c9e6ae6a7fe9@[193.0.26.186]> <tslboziadpf.fsf@mit.edu> <p06240803c9e6f3747d1c@[193.0.26.186]>
Date: Wed, 04 May 2011 10:32:36 -0400
In-Reply-To: <p06240803c9e6f3747d1c@[193.0.26.186]> (Stephen Kent's message of "Wed\, 4 May 2011 09\:14\:30 -0400")
Message-ID: <tsl1v0ebkor.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: draft-ietf-sidr-res-certs@tools.ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, ietf@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 May 2011 14:32:44 -0000
>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes: Stephen> At 7:48 AM -0400 5/4/11, Sam Hartman wrote: >> >>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes: >> Stephen> The BGPSEC protocol being defined does not pass around ROAs Stephen> or other RPKI repository objects. It defines two new, Stephen> signed objects that are passed in UPDATE messages, and are Stephen> not stored in the repository. These objects are verified Stephen> using RPKI certs and CRLs, so there is a linkage. >> >> OK, so how will the upgrade work for these signed objects? In >> particular during phase 2, when both old and new certs (under the >> old and new profile) are in use, what happens with these signed >> objects? Can a party generate both old and new signed objects? >> If so, will the protocol scale appropriately? If not, how does a >> party know which signed object to generate? Stephen> Sam, Stephen> The BGPSEC protocol will have to accommodate changes in the Stephen> algs used to validate BGPSEC signed objects, and changes in Stephen> algs used to validate RPKI objects, and key (not alg) Stephen> changes in the RPKI objects, especially the certs Stephen> associated with routers. So, format changes are just Stephen> another example of a change in the RPKI that BGPSEC will Stephen> have to accommodate. This is a legitimate discussion point Stephen> for the BGPSEC protocol design discussions that will take Stephen> place in SIDR. It is out of scope for the current set of Stephen> docs, since they deal only with origin AS validation. Let me see if I can summarize where we are: You've describe an upgrade strategey for the origin validation in the current set of docs. It depends on the ability to store multiple certs, ROAs and other objects in the repository. You agree that when SIDR looks at using RPKI objects in the newly adopted work it will need some upgrade strategy for format, keys and algorithms. There are probably a number of options for how to accomplish this. Even if the working group did decide to update processing of RPKI objects at that point, requiring new behavior from parties implementing a new protocol would be possible. Is that a reasonable summary?
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Jeffrey Hutzelman
- [secdir] Secdir review of draft-ietf-sidr-res-cer… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Paul Hoffman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Paul Hoffman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Rob Austein
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Martin Rex
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… John C Klensin
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Stephen Kent
- Re: [secdir] Secdir review of draft-ietf-sidr-res… Sam Hartman