Re: [sidr] FW: New Version Notification for draft-sriram-replay-protection-design-discussion-00.txt
"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Wed, 24 October 2012 15:48 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFE2E21F8C58 for <sidr@ietfa.amsl.com>; Wed, 24 Oct 2012 08:48:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.475
X-Spam-Level:
X-Spam-Status: No, score=-6.475 tagged_above=-999 required=5 tests=[AWL=0.124, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c86c0UHSihb6 for <sidr@ietfa.amsl.com>; Wed, 24 Oct 2012 08:48:17 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 9131E21F8C81 for <sidr@ietf.org>; Wed, 24 Oct 2012 08:48:15 -0700 (PDT)
Received: from WSXGHUB2.xchange.nist.gov (129.6.18.19) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.421.2; Wed, 24 Oct 2012 11:48:10 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB2.xchange.nist.gov ([129.6.18.19]) with mapi; Wed, 24 Oct 2012 11:48:06 -0400
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
Date: Wed, 24 Oct 2012 11:48:12 -0400
Thread-Topic: [sidr] FW: New Version Notification for draft-sriram-replay-protection-design-discussion-00.txt
Thread-Index: AQHNrTENYVfUFBdyXUOH4ZzYAxQB0ZfIl8/g
Message-ID: <D7A0423E5E193F40BE6E94126930C4930BAAC890EA@MBCLUSTER.xchange.nist.gov>
References: <D7A0423E5E193F40BE6E94126930C4930BA86CE472@MBCLUSTER.xchange.nist.gov> <EF4348D391D0334996EE9681630C83F0206BEF8F@xmb-rcd-x01.cisco.com> <EF4348D391D0334996EE9681630C83F0206C8BCE@xmb-rcd-x01.cisco.com> <D7A0423E5E193F40BE6E94126930C4930BA93472E0@MBCLUSTER.xchange.nist.gov> <EF4348D391D0334996EE9681630C83F0206C9D12@xmb-rcd-x01.cisco.com> <D7A0423E5E193F40BE6E94126930C4930BAA4671D2@MBCLUSTER.xchange.nist.gov> <EF4348D391D0334996EE9681630C83F0206CDD4F@xmb-rcd-x01.cisco.com>
In-Reply-To: <EF4348D391D0334996EE9681630C83F0206CDD4F@xmb-rcd-x01.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: "sidr wg list (sidr@ietf.org)" <sidr@ietf.org>
Subject: Re: [sidr] FW: New Version Notification for draft-sriram-replay-protection-design-discussion-00.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2012 15:48:17 -0000
Roque, Thanks. Some new observations below. Sriram > >The problem I have with the way you described EKR is that it suppose that there is > The description of EKR is based how it was discussed at the Feb. 2012 SIDR interim in San Diego. The meeting notes didn't capture the description well, but it is there (also didn't refer to it as EKR at the time): http://www.ietf.org/mail-archive/web/sidr/current/msg04000.html >some sort of "coordination" between ASes in a way that an origin AS has to >"trust" that whenever there is a topology change in a path, there will be a rollover >by the ASes involved in those changes. > You are right, but there is a reverse trust issue as well (with PKR). I suspect that PKR and EKR may co-exist in the BGPSEC network for the following reasons: It is known that 84% of all ASes are stubs. Over some time initially (during BGPSEC adoption), some or many of the stub ASes may participate in BGPSEC but not operate PKR as expected of them. They may be wary or clueless about rolling their certs every 24 hours or so. So they might just set their cert NotValidAfter time to some large value, and perhaps not want to be bothered with doing the rollover frequently. If a transit provider suspects that may be happening, then they would want to play it safe (i.e., avoid liability) and rollover their transit cert (i.e., perform EKR) whenever they have topology change or policy change in their AS that affects transit prefixes. This way they can be sure they are doing what is in their control to provide some protection from replay attacks for their transit prefixes even if some origin ASes may be negligent. It seems to me that the hooks needed to implement EKR are a subset of those needed for PKR. So the operators may choose to do EKR anyway until they are certain that there is close to full participation in PKR by origin ASes. Sriram
- [sidr] FW: New Version Notification for draft-sri… Sriram, Kotikalapudi
- Re: [sidr] FW: New Version Notification for draft… Roque Gagliano (rogaglia)
- Re: [sidr] FW: New Version Notification for draft… Roque Gagliano (rogaglia)
- Re: [sidr] FW: New Version Notification for draft… Sriram, Kotikalapudi
- Re: [sidr] FW: New Version Notification for draft… Roque Gagliano (rogaglia)
- Re: [sidr] FW: New Version Notification for draft… Sriram, Kotikalapudi
- Re: [sidr] FW: New Version Notification for draft… Roque Gagliano (rogaglia)
- Re: [sidr] FW: New Version Notification for draft… Sriram, Kotikalapudi