Re: [secdir] SecDir Review of draft-ietf-sidr-bgpsec-protocol-20
Russ Housley <housley@vigilsec.com> Thu, 22 December 2016 16:31 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C581129A47 for <secdir@ietfa.amsl.com>; Thu, 22 Dec 2016 08:31:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YigzAMl_pW_1 for <secdir@ietfa.amsl.com>; Thu, 22 Dec 2016 08:31:16 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50A4E1296F8 for <secdir@ietf.org>; Thu, 22 Dec 2016 08:31:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 18E633002C5 for <secdir@ietf.org>; Thu, 22 Dec 2016 11:20:59 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id JF67_lznuy81 for <secdir@ietf.org>; Thu, 22 Dec 2016 11:20:57 -0500 (EST)
Received: from [192.168.2.100] (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 7C24630026D; Thu, 22 Dec 2016 11:20:57 -0500 (EST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <DM2PR09MB04464E3468A02A51130A89D684920@DM2PR09MB0446.namprd09.prod.outlook.com>
Date: Thu, 22 Dec 2016 11:31:23 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <30C37BB9-9672-46CE-9442-636FFE9649E3@vigilsec.com>
References: <D915BDA3-A15D-4445-8C18-DA155A73E0D0@vigilsec.com> <DM2PR09MB04464E3468A02A51130A89D684920@DM2PR09MB0446.namprd09.prod.outlook.com>
To: Sriram Kotikalapudi <kotikalapudi.sriram@nist.gov>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wftCYMsf3JP2EJu2edG-uWty408>
Cc: "draft-ietf-sidr-bgpsec-protocol.all@ietf.org" <draft-ietf-sidr-bgpsec-protocol.all@ietf.org>, IETF SecDir <secdir@ietf.org>
Subject: Re: [secdir] SecDir Review of draft-ietf-sidr-bgpsec-protocol-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Dec 2016 16:31:17 -0000
On Dec 22, 2016, at 10:50 AM, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov> wrote: > Hi Russ, > > Thank you for your comments. > I am preparing a version 21 of the document to be submitted soon. > I have updated the document already to include all your comments > except the following thee: > (need your further guidance on these) > > > #1 >> In Section 3.2, the Signature Length within the Signature Segment does > not count the length field itself. It seems that all of the other > length values in this specification count the size of the length too. > Consistency will avoid implementation errors. > > [Sriram] I agree. However, this change would require modifications with two existing > implementations. If you say it doesn't matter, just do it; let the implementations catch up -- > then sure I will have no problem. I'll make the change in the spec. Better to point this out on the mail list and let the implementors have a say. > #2 >> It seems a bit wasteful to repeat the whole capability for each > direction. Wouldn't it be better to follow the example used in > other capability definitions (such as RFC 7911) by using one of the > unassigned bits? The Send/Receive pair of bits would have these > semantics: > > [Sriram] I spoke with Oliver Borchert. He thought there was some merit to > implementing it the way it currently is in the spec > (he already has the implementation in Quagga BGPsec). > This change would also require modifications with the two existing > implementations (NIST's and Parson's). > Again, if you feel strongly, please let me know. Again, please point this out on the mail list and let the implementors have a say. > #3 >> I think an additional consideration is needed in Section 6.2. This > protocol design assumes a signer will compute a message digest and > then digitally sign that digest. If someone wants to use a digital > signature that works differently, there may be a significant change > to this protocol. > > [Sriram] Is this not already taken care of by using the same approach that is > described in Section 6.2? Section 6.2 says: > > > "In the case that such a change to BGPsec were deemed desirable, it is > expected that a subsequent version of BGPsec would be created and > that this version of BGPsec would specify a new BGP path attribute, > let's call it BGPsec_Path_Two, which is designed to accommodate the > desired changes to BGPsec.” When I read that paragraph, I did not think it was talking about the hash and sign paradigm. Russ
- [secdir] SecDir Review of draft-ietf-sidr-bgpsec-… Russ Housley
- Re: [secdir] SecDir Review of draft-ietf-sidr-bgp… Sriram, Kotikalapudi (Fed)
- Re: [secdir] SecDir Review of draft-ietf-sidr-bgp… Russ Housley
- Re: [secdir] SecDir Review of draft-ietf-sidr-bgp… Sriram, Kotikalapudi (Fed)
- Re: [secdir] SecDir Review of draft-ietf-sidr-bgp… Russ Housley