Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 09 January 2017 11:37 UTC

To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, "Montgomery, Douglas (Fed)" <dougm@nist.gov>, Russ Housley <housley@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/DEjUmsoAsgfVJiEdCnUr3xVmY6o>
Cc: IESG <iesg@ietf.org>, IETF SIDR <sidr@ietf.org>

Hiya,

Adding the text you propose for section 7 seems good.
You also asked about adding this:

On 09/01/17 05:41, Sriram, Kotikalapudi (Fed) wrote:
> In particular, by following these methods, security concerns 
> related to possible correlation of RPKI data access 
> and BGP update events are also mitigated.  

Maybe better to say something like:

"With these caching mechanisms it is believed that an
attacker wouldn't be able to meaningfully correlate
RPKI data flows with BGPsec RP actions, thus avoiding
attacks that attempt to determine the set of ASes
interacting with an RP via the interactions between
the RP and RPKI servers."

Also, I had a look back at the overall thread and I think
this is where we're at:

discuss point #1: the draft needs a bit of text saying
how to handle an SKI that is not 20 bytes long. I don't
think we have a text proposal but it should be easy
enough, e.g. you could say "If the SKI in a certificate is
not 20 bytes long then if it is longer, use the leftmost
20 bytes. If the SKI value is shorter than 20 bytes,
then pad left with zero bytes." Note that I don't care
which way you prefer to fix this, any way is fine.

discuss point #2: this one's sorted. (I updated my
ballot to indicate this one's cleared.)

discuss point #3: with your suggested text and something
like the above we should be good with this one too.

If you'd like to submit a revised ID with those changes
then I should be fine to clear.

Cheers,
S.
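
An added example, not part of the original message or of the draft: the SKI rule suggested under discuss point #1 (leftmost 20 bytes if longer, left-pad with zero bytes if shorter), written out in Python together with a lookup index keyed on the resulting 20-byte value. All function names, certificate labels and SKI values are hypothetical and constructed for illustration.

```python
from collections import defaultdict

SKI_FIELD_LEN = 20  # the fixed SKI length the message discusses


def normalize_ski(ski: bytes) -> bytes:
    """Fit a certificate SKI into a fixed 20-byte field.

    Rule as suggested in the message: a longer value keeps its leftmost
    20 bytes, a shorter value is left-padded with zero bytes.
    """
    if len(ski) >= SKI_FIELD_LEN:
        return ski[:SKI_FIELD_LEN]
    return ski.rjust(SKI_FIELD_LEN, b"\x00")


def build_index(certs):
    """Map normalized SKI -> list of certificate labels.

    A list, not a single value: truncation and padding can make distinct
    SKIs collide, so one field value may match several certificates.
    """
    index = defaultdict(list)
    for label, ski in certs:
        index[normalize_ski(ski)].append(label)
    return dict(index)


def candidates(index, field: bytes):
    """Return every certificate whose normalized SKI equals the field."""
    if len(field) != SKI_FIELD_LEN:
        raise ValueError("SKI field must be exactly 20 bytes")
    return index.get(field, [])


# Constructed sample SKIs (not taken from any real certificate).
SAMPLE_CERTS = [
    ("router-a", bytes(range(1, 21))),                 # exactly 20 bytes
    ("router-b", bytes(range(1, 21)) + b"\xaa" * 12),  # 32 bytes, same leftmost 20
    ("router-c", b"\x01\x02\x03"),                     # 3 bytes, padded to 20
    ("router-d", b"\x00\x00\x01\x02\x03"),             # 5 bytes, same after padding
]

INDEX = build_index(SAMPLE_CERTS)
```

Because both halves of the rule can map distinct SKIs to the same 20-byte value, a match on the field identifies a set of candidate certificates rather than a unique one.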