Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

Uma Chunduri <uma.chunduri@ericsson.com> Fri, 03 June 2011 21:33 UTC

From: Uma Chunduri <uma.chunduri@ericsson.com>
To: John Scudder <jgs@juniper.net>
Date: Fri, 03 Jun 2011 17:33:01 -0400
Message-ID: <D1D8138DDF34B34B8BC68A11262D10790F6233E057@EUSAACMS0701.eamcs.ericsson.se>
References: <4DAF44AC.8060408@isi.edu> <E3076C4C-F27C-40A8-A033-2EBB8C39A3D2@cisco.com> <4DAF796C.7010807@isi.edu> <BANLkTi=Oc-fEKOYCRQqM97wPxSSXjrdTRw@mail.gmail.com> <409BDC5C-FE86-444A-BC0D-6DA00E7BF0F3@isi.edu> <BANLkTikLi2p7UipJ!TRSQqVOL6GkLn=j9iA@mail.gmail.com> <F0FABE61-FC1D-45ED-A21D-ED7A1228A997@isi.edu> <01eb01cc0325$6e4fd260$4001a8c0@gateway.2wire.net> <4DB592B3.3090805@isi.edu> <033e01cc05a8$0a82f160$4001a8c0@gateway.2wire.net> <4DB9A456.3060709@isi.edu> <BANLkTikg18FV5H0bOdOfWMzpTcm_B__EVQ@mail.gmail.com> <017b01cc13ff$0cb6da40$4001a8c0@gateway.2wire.net> <BANLkTink82qvhge6rRhqt5+h-2mEkKBMhA@mail.gmail.com> <m21uzwr3tw.wl%randy@psg.com> <BANLkTimPnMfE1ii=6uwAckoFY0yUU=w43g@mail.gmail.com> <BANLkTinu8pxxCj4cdJzbS3z5h=8=s+U3Gw@mail.gmail.com> <D1D8138DDF34B34B8BC68A11262D10790F6233E006@EUSAACMS0701.eamcs.ericsson.se> <46A19095-4B42-4470-9143-9305D6F7EF04@juniper.net>
In-Reply-To: <46A19095-4B42-4470-9143-9305D6F7EF04@juniper.net>
Cc: Rob Austein <sra@isc.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

-----Original Message-----
From: John Scudder [mailto:jgs@juniper.net] 
Sent: Friday, June 03, 2011 1:53 PM
To: Uma Chunduri
Cc: Christopher Morrow; sidr@ietf.org; sidr-chairs@ietf.org; Sean Turner; stephen.farrell@cs.tcd.ie; Rob Austein
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

On Jun 3, 2011, at 4:23 PM, Uma Chunduri wrote:
> True, privacy through SSH is overkill, but strong AUTH is *critical*, I feel:
>   - TCP-MD5 should not be considered (as it is anyway deprecated, and
>     it's MD5)

What specifically do you mean by "should not be considered"?  

[Uma] I responded in the other e-mail. No protection is better than weak protection.

>   - TCP-AO has only a slight advantage, as it has less overhead than IPsec-AH even when
>     deployed with manual keys
>   - but it's better if it is "MUST support authentication of nodes
>     with TCP-AO or IPsec-AH" because

The drawback of saying "MUST support A or B" is that two implementations may be formally compliant yet not interoperable.  That would obviously be undesirable (to say the least).  IMO the spec should pick one mandatory one while leaving open the option to support others.

[Uma] True. Then probably TCP-AO. But IPsec-AH can give it a tough challenge, as it is relatively
     old and more readily available than AO (also better understood, as it is already deployed
     elsewhere).
-Uma

--John