Re: [secdir] Secdir review of draft-ietf-sidr-origin-validation-signaling-09

"John G. Scudder" <jgs@juniper.net> Mon, 28 November 2016 21:50 UTC

From: "John G. Scudder" <jgs@juniper.net>
To: Randy Bush <randy@psg.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Ve0k7WTBPm_Bm0P4sk_JeEjPP48>
Cc: secdir <secdir@ietf.org>, Keyur Patel <keyurpat@yahoo.com>, David Ward <dward@cisco.com>, IESG <iesg@ietf.org>, Pradosh Mohapatra <mpradosh@yahoo.com>

[Fixed up some addresses]

> On Nov 28, 2016, at 12:47 PM, Randy Bush <randy@psg.com> wrote:
> 
> This document describes a scheme where router A out-sources validation
> to some router B.  Out-sourcing security is generally dangerous.  It is
> strongly recommended that, if this scheme is to be used, the
> participating routers be under the same administrative control;
> i.e. router B has trust in router A, and that there be some assurance
> of the propagation path (TCP/MD5 authentication etc.).
> 
> randy

How about this?

 This document describes a scheme where router A outsources validation
 to some router B. If this scheme is to be used, the participating
 routers should have the appropriate trust relationship -- B should
 trust A either because they are under the same administrative control
 or for some other reason (for example, consider
 [draft-ietf-sidr-route-server-rpki-light]). The security properties of
 the propagation path between the two routers should also be
 considered. See [RFC 7454] Section 5.1 for advice regarding protection
 of the propagation path.

(both refs informative)

I'll wait a day or two for comments and if none, I'll publish. Thanks for the text.

--John
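The proposed text makes two points: router B should only honour validation state signalled by router A when it trusts A (same administrative control, or a trusted route server), and the propagation path between them should be protected. The following Python model is an added illustration and is not code from this thread, the draft, or any router vendor. It shows receiving router B's side of that rule: the signalled state is used only from a neighbour that is both trusted and on a protected session; from anyone else the community is stripped and ignored, and B falls back to its own validation (or "not-found") before applying an import policy. The extended community codepoints (type 0x43, sub-type 0x00, validation state 0/1/2 in the last octet) are those of the origin validation state community the draft defines; the `Peer` and `Route` types, the peer names, the ROA table and the local-preference handling are constructed assumptions.

```python
"""Router B's handling of origin-validation state signalled by router A.

Added illustration (not code from the thread or the draft). The Peer and
Route types, peer names, ROA table and policy actions are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional
import struct

# Codepoints of the origin validation state extended community:
# type 0x43 (non-transitive opaque), sub-type 0x00, state in the last octet.
OV_EXT_COMM_TYPE = 0x43
OV_EXT_COMM_SUBTYPE = 0x00
STATE_NAMES = {0: "valid", 1: "not-found", 2: "invalid"}


def encode_ov_state(state: int) -> bytes:
    """Build the 8-octet extended community that router A attaches."""
    if state not in STATE_NAMES:
        raise ValueError(f"unknown validation state {state}")
    return struct.pack("!BB5xB", OV_EXT_COMM_TYPE, OV_EXT_COMM_SUBTYPE, state)


def _is_ov_community(ec: bytes) -> bool:
    return (len(ec) == 8 and ec[0] == OV_EXT_COMM_TYPE
            and ec[1] == OV_EXT_COMM_SUBTYPE)


def decode_ov_state(ext_comms: list) -> Optional[int]:
    """Return the signalled state, or None if the community is absent or malformed."""
    for ec in ext_comms:
        if _is_ov_community(ec):
            return ec[7] if ec[7] in STATE_NAMES else None
    return None


def strip_ov_community(ext_comms: list) -> list:
    """Drop the community so an untrusted peer's claim is never re-exported."""
    return [ec for ec in ext_comms if not _is_ov_community(ec)]


@dataclass
class Peer:
    name: str
    trusted: bool            # same administrative control, or a trusted route server
    session_protected: bool  # TCP-AO / TCP-MD5 on the session (RFC 7454 advice)


@dataclass
class Route:
    prefix: str
    origin_as: int
    ext_comms: list


def effective_state(route: Route, peer: Peer,
                    local_rpki: Optional[Callable[[str, int], str]] = None):
    """B's rule: use A's state only over a trusted *and* protected session.

    Otherwise strip the community, validate locally if B can, else treat the
    route as not-found. Returns (state, provenance).
    """
    if peer.trusted and peer.session_protected:
        signalled = decode_ov_state(route.ext_comms)
        if signalled is not None:
            return STATE_NAMES[signalled], f"signalled-by-{peer.name}"
    else:
        route.ext_comms = strip_ov_community(route.ext_comms)
    if local_rpki is not None:
        return local_rpki(route.prefix, route.origin_as), "local-validation"
    return "not-found", "unvalidated"


def apply_policy(route: Route, peer: Peer, local_rpki=None):
    """Assumed import policy: reject invalid, de-prefer not-found, accept valid."""
    state, source = effective_state(route, peer, local_rpki)
    if state == "invalid":
        return "reject", state, source
    if state == "not-found":
        return "accept-low-pref", state, source
    return "accept", state, source


# Constructed sample peers and a constructed ROA table (documentation prefix/ASN).
TRUSTED_A = Peer("A", trusted=True, session_protected=True)
UNPROTECTED_A = Peer("A-unprotected", trusted=True, session_protected=False)
UNTRUSTED_C = Peer("C", trusted=False, session_protected=True)
_ROA_TABLE = {("192.0.2.0/24", 64500): "valid"}


def local_validation(prefix: str, origin_as: int) -> str:
    """Stand-in for B's own RPKI lookup against the constructed ROA table."""
    return _ROA_TABLE.get((prefix, origin_as), "not-found")


if __name__ == "__main__":
    r = Route("192.0.2.0/24", 64500, [encode_ov_state(2)])  # A signals "invalid"
    print(apply_policy(r, TRUSTED_A))                     # ('reject', 'invalid', 'signalled-by-A')
    r = Route("192.0.2.0/24", 64500, [encode_ov_state(2)])  # C signals "invalid"
    print(apply_policy(r, UNTRUSTED_C, local_validation))  # ('accept', 'valid', 'local-validation')
```

The third case in the model is the one the proposed text is really about: a neighbour that is trusted but whose session is not protected gets the same treatment as an untrusted one, because without path protection B cannot tell A's claim from an injected one.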