Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
Joe Touch <touch@isi.edu> Thu, 28 April 2011 17:31 UTC
Return-Path: <touch@isi.edu>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05DEFE06CE for <sidr@ietfa.amsl.com>; Thu, 28 Apr 2011 10:31:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.584
X-Spam-Level:
X-Spam-Status: No, score=-102.584 tagged_above=-999 required=5 tests=[AWL=-0.585, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dnrrLNuA9of6 for <sidr@ietfa.amsl.com>; Thu, 28 Apr 2011 10:31:42 -0700 (PDT)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) by ietfa.amsl.com (Postfix) with ESMTP id A9C48E069A for <sidr@ietf.org>; Thu, 28 Apr 2011 10:31:42 -0700 (PDT)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id p3SHV2R1026477 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Thu, 28 Apr 2011 10:31:03 -0700 (PDT)
Message-ID: <4DB9A456.3060709@isi.edu>
Date: Thu, 28 Apr 2011 10:31:02 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: "t.petch" <ietfc@btconnect.com>
References: <4DAF44AC.8060408@isi.edu><E3076C4C-F27C-40A8-A033-2EBB8C39A3D2@cisco.com><4DAF796C.7010807@isi.edu><BANLkTi=Oc-fEKOYCRQqM97wPxSSXjrdTRw@mail.gmail.com><409BDC5C-FE86-444A-BC0D-6DA00E7BF0F3@isi.edu> <BANLkTikLi2p7UipJ!TRSQqVOL6GkLn=j9iA@mail.gmail.com> <F0FABE61-FC1D-45ED-A21D-ED7A1228A997@isi.edu> <01eb01cc0325$6e4fd260$4001a8c0@gateway.2wire.net> <4DB592B3.3090805@isi.edu> <033e01cc05a8$0a82f160$4001a8c0@gateway.2wire.net>
In-Reply-To: <033e01cc05a8$0a82f160$4001a8c0@gateway.2wire.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-MailScanner-ID: p3SHV2R1026477
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2011 17:31:48 -0000
On 4/28/2011 6:27 AM, t.petch wrote: > ----- Original Message ----- > From: "Joe Touch"<touch@isi.edu> > To: "t.petch"<ietfc@btconnect.com> > Cc: "Christopher Morrow"<morrowc.lists@gmail.com>; "sidr wg list" > <sidr@ietf.org> > Sent: Monday, April 25, 2011 5:26 PM > >> Hi, Tom, >> >> On 4/25/2011 1:47 AM, t.petch wrote: >> .... >>> I think that the point is not that it is or is not a BGP connection >>> but that security for BGP was predicated on the assumption that >>> the TCP connection would be short in terms of hops, ie none, >>> and it was that that made a less stringent approach to security >>> acceptable, one that would not be acceptable for an Internet >>> wide access for - say - a Web site. >> >> Hopcount security, i.e., GTSM (RFC 3682) is not at all related to TCP-AO. > > Understood; I was thinking of RFC4278 which calls out the unusual nature of > BGP sessions and the impact on security requirements. That document explains why TCP MD5 was considered appropriate for BGP, given the variance in the maturity level of the standards of the two docs. TCP-AO has no such assertions or qualifications. It is a general purpose mechanism that includes some properties useful for BGP, but that are also very relevant to exchanges between clients and caches as well. > I am familiar with TCP-AO from the TCPM list, but am not enough of a > cryptanalyst to know whether or not it is appropriate for rpki-rtr. > > By contrast, I have seen SSH and TLS discussed much more extensively > on their lists and have been part of the pain of adding them to syslog and > SNMP. > > And I do not know where these rpki-rtr sessions will go to and from but > suspect that they will not be BGP-like. BGP-like presumably means: - long lived - between known endpoints - over short IP hops Of these, only "long lived" had any impact on the TCP-AO design. Of these, any can be relevant to rpki-rtr sessions, from the traffic I've seen on this list. Keying is another relevant issue; configuration of SSH and TLS for pre-shared keys is different than for TCP MD5 (and TCP-AO, which uses similar master keys), and not the typical case. My point is that TCP-AO wasn't designed for BGP; it was designed as a general purpose mechanism. Joe
- [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Jared Mauch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Kent
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Danny McPherson
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Smith, Donald
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Pradosh Mohapatra
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Pradosh Mohapatra
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Sandra Murphy
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Geoff Huston
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Geoff Huston
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Kent
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Sandra Murphy
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- [sidr] TLS (Was: Re: WGLC draft-sidr-rpki-rtr - t… Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] TLS (Was: Re: WGLC draft-sidr-rpki-rtr… Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] draft-sidr-rpki-rtr t.petch
- Re: [sidr] draft-sidr-rpki-rtr Joe Touch
- Re: [sidr] draft-sidr-rpki-rtr Randy Bush
- Re: [sidr] draft-sidr-rpki-rtr Stewart Bryant
- Re: [sidr] draft-sidr-rpki-rtr t.petch
- Re: [sidr] draft-sidr-rpki-rtr Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch