Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

Christopher Morrow <morrowc.lists@gmail.com> Thu, 07 April 2011 16:26 UTC

In-Reply-To: <8BE1C346-6214-4343-9E46-BFA8D96E4B6C@cisco.com>
References: <AANLkTimq3hcdK7-f_Pa9sWJJOTzF_GBLcYu36sB3WszN@mail.gmail.com> <AANLkTikfn_ZRQNQx0QLV7fJa8DDeqMa=yRqWUH4krMHD@mail.gmail.com> <AANLkTinV88U3cF6z51eNtPeF-xKG1aWVgALd06CPq4kE@mail.gmail.com> <m2d3l6cj2l.wl%randy@psg.com> <289DB32D-D175-49DE-AA82-100407F64C23@juniper.net> <Pine.WNT.4.64.1104012156360.4612@mw-PC> <20110401210506.GA3082@juniper.net> <Pine.WNT.4.64.1104021120430.4612@mw-PC> <20110404083237.GA1860@juniper.net> <FFD0D281-AA3C-4CF2-8AF2-E1A2FE0A53A0@tcb.net> <20110404125015.GA3277@juniper.net> <BANLkTi=eZ=pQ2gJfiPBfeb4frH8Tncempw@mail.gmail.com> <m21v1i9ha8.wl%randy@psg.com> <BF88D659-1BE5-4DD2-AB24-7A113360DF37@cisco.com> <m2tyea7urr.wl%randy@psg.com> <8BE1C346-6214-4343-9E46-BFA8D96E4B6C@cisco.com>
Date: Thu, 07 Apr 2011 12:28:13 -0400
Message-ID: <BANLkTikTqCD4_=-Sjs7ng2qSLn3vYw5qLw@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Brian Weis <bew@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
List-Id: Secure Interdomain Routing <sidr.ietf.org>

On Thu, Apr 7, 2011 at 12:30 AM, Brian Weis <bew@cisco.com> wrote:
>
> On Apr 6, 2011, at 5:46 PM, Randy Bush wrote:
>
>>> Getting a new application (such as the rtr protocol) specifying
>>> hmac-md5 mandatory to implement through a Secdir review and then the
>>> Security ADs just won't happen. The only exception I can think of is
>>> if there were no possible alternatives, and that's obviously not the
>>> case here.
>>
>> with AO not implemented on any servers, routers not having ssh
>> libraries, and this being a server to router protocol, what are the
>> alternatives?
>>
>> randy
>
> I'm surprised IPsec hasn't been mentioned in this thread ... was it previously

see Message-ID: <BANLkTi=eZ=pQ2gJfiPBfeb4frH8Tncempw@mail.gmail.com>
(5-6 messages back in this thread, from me)

> discussed and rejected? Correct me if I'm wrong, but I believe it's common for
> BGP routers to support IPsec and servers definitely support IPsec. On the

it's not a guarantee that all BGP speakers here will have IPsec-capable
code... for some long time at least one vendor, in their 'ISP' code,
didn't implement IPsec, or SSH for that matter. IPsec is pretty
heavyweight (from a config perspective) for this. Something like AO
or MD5 is 'perfect'; SSH as proposed does a fine job as well, though
it has a bugaboo on at least one platform, apparently.

> router side, one or two IPsec sessions to servers should not be a burden. I'm
> less sure of the server IPsec scaling properties, but I would expect a LINUX
> or BSD kernel to have the scaling issues as were discussed earlier in this
> thread regarding SSH but I'm no expert here.

lots of at-scale VPN systems are nothing but crypto accelerators +
Linux/BSD underneath... I think there's an aversion to IPsec on
routers (complexity and unused code paths); SSH is 'used all the time',
as is TCP-MD5, as TCP-AO will be (soon?).

What is a reasonable way forward for now: MUST MD5, and later, when AO
is more ubiquitous, hammer through an update to the draft? Keeping a
MAY for SSH transport?

(in the vein of moving this forward, since running code exists for both
sides of this equation today)

-chris

>
> Brian
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>
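The thread above argues over which transport protection rpki-rtr should mandate (TCP-MD5 today, TCP-AO later, SSH as a MAY). As an added illustration of what the "MUST MD5" option means in running code, the following client snippet is not from the draft or from any participant: it packs the Linux `struct tcp_md5sig` (from `include/uapi/linux/tcp.h`, socket option `TCP_MD5SIG` = 14), installs it on a router-side socket before `connect()`, and sends the protocol's Reset Query PDU as the first authenticated application bytes. It assumes a Linux kernel built with `CONFIG_TCP_MD5SIG`; the peer address, key and the use of port 323 are assumptions made for the example, not values taken from the page.

```python
"""TCP-MD5 (RFC 2385) protection for an rpki-rtr client socket on Linux.

Added example, not taken from draft-sidr-rpki-rtr or from the thread.
Assumes Linux with CONFIG_TCP_MD5SIG.  Peer address, key and port below are
made up for illustration.
"""
import socket
import struct

TCP_MD5SIG = 14             # setsockopt optname, include/uapi/linux/tcp.h
TCP_MD5SIG_MAXKEYLEN = 80   # size of struct tcp_md5sig.tcpm_key
SOCKADDR_STORAGE_LEN = 128  # struct __kernel_sockaddr_storage
TCP_MD5SIG_LEN = 216        # 128 + flags(1) + prefixlen(1) + keylen(2) + ifindex(4) + key(80)
RPKI_RTR_PORT = 323         # assumed for the example (IANA rpki-rtr port)


def _sockaddr_storage(peer: str, port: int = 0) -> bytes:
    """Pack peer as sockaddr_in / sockaddr_in6 and pad to sockaddr_storage.

    The kernel selects the MD5 key by peer *address*; the port is not part of
    the key lookup for TCP_MD5SIG, so it is left at 0 by default.
    """
    family = socket.AF_INET6 if ":" in peer else socket.AF_INET
    addr = socket.inet_pton(family, peer)
    if family == socket.AF_INET:
        # struct sockaddr_in: sin_family (host order), sin_port (network), sin_addr
        sa = struct.pack("=H", family) + struct.pack("!H", port) + addr
    else:
        # struct sockaddr_in6: family, port, flowinfo, addr, scope_id
        sa = (struct.pack("=H", family) + struct.pack("!HI", port, 0)
              + addr + struct.pack("=I", 0))
    return sa.ljust(SOCKADDR_STORAGE_LEN, b"\0")


def build_tcp_md5sig(peer: str, key: bytes) -> bytes:
    """Build struct tcp_md5sig for setsockopt(IPPROTO_TCP, TCP_MD5SIG, ...)."""
    if not 1 <= len(key) <= TCP_MD5SIG_MAXKEYLEN:
        raise ValueError(f"TCP-MD5 key must be 1..{TCP_MD5SIG_MAXKEYLEN} bytes")
    # tcpm_flags, tcpm_prefixlen, tcpm_keylen, tcpm_ifindex (all zero except keylen)
    tail = struct.pack("=BBHi", 0, 0, len(key), 0)
    buf = _sockaddr_storage(peer) + tail + key.ljust(TCP_MD5SIG_MAXKEYLEN, b"\0")
    assert len(buf) == TCP_MD5SIG_LEN
    return buf


def build_reset_query(version: int = 0) -> bytes:
    """rpki-rtr Reset Query PDU: version, PDU type 2, 16 reserved bits, length 8.

    This is the router's opening request for the cache's full state, so it is
    the first application payload the TCP-MD5 option authenticates.
    """
    return struct.pack("!BBHI", version, 2, 0, 8)


def connect_with_tcp_md5(peer: str, key: bytes,
                         port: int = RPKI_RTR_PORT, timeout: float = 5.0) -> socket.socket:
    """Open a TCP-MD5-protected rpki-rtr session and send a Reset Query.

    The option must be installed before connect(): the kernel then adds the
    MD5 option to the SYN and silently drops any segment from `peer` without a
    valid signature.  If the cache does not hold the same key for this
    client's address the handshake never completes, which shows up as a
    timeout rather than a clean refusal.
    """
    family = socket.AF_INET6 if ":" in peer else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.settimeout(timeout)
    s.setsockopt(socket.IPPROTO_TCP, TCP_MD5SIG, build_tcp_md5sig(peer, key))
    s.connect((peer, port))
    s.sendall(build_reset_query())
    return s


if __name__ == "__main__":
    # Constructed values: a documentation-range cache address and a made-up key.
    sess = connect_with_tcp_md5("192.0.2.1", b"example-shared-key")
    print(sess.recv(8).hex())
```

The server (cache) side needs the mirror image: the same `setsockopt` with the router's address on the listening socket before `accept()`, since the kernel keys the signature by remote address. That per-peer, manually distributed key is the operational burden the thread weighs against SSH and IPsec.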