[sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
"Stephen Farrell" <stephen.farrell@cs.tcd.ie> Wed, 04 January 2017 13:53 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: sidr@ietf.org
Delivered-To: sidr@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C3A921294BC; Wed, 4 Jan 2017 05:53:08 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.40.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148353798879.13011.5291414579598073386.idtracker@ietfa.amsl.com>
Date: Wed, 04 Jan 2017 05:53:08 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Ex-1uYTyMzz-0yPqygvwqBsd1Rs>
Cc: draft-ietf-sidr-bgpsec-protocol@ietf.org, sidr-chairs@ietf.org, m.waehlisch@fu-berlin.de, sidr@ietf.org
Subject: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 13:53:09 -0000
Stephen Farrell has entered the following ballot position for draft-ietf-sidr-bgpsec-protocol-21: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-protocol/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- I have a couple of fairly straightforward things I'd like to briefly discuss... (1) 3.2/Figure 7: A fixed 20 byte SKI being a sha-1 hash of the public key is a bad plan, for all the usual reasons. Why is it ok for that to be hardcoded here when it could change if/when new alg choices are made for the RPKI? If it is not too late then I think you should add a length or alg field to that. If it is too late to do that, then are we really ok that you will need to rev the BGPsec version number in order to get rid of all sha-1 code from your implementation? That seems like a bad plan for a new protocol. (2) Figure 8: It seems to me to be an error to omit the signer's ASN from the signed data and only have that included in the signer's certificate. Why is that intimate level of binding to the RPKI desirable? There may well be reasons but I'm not seeing 'em, and I am recalling that it took a chunk of effort to make CMS less dependent on X.509 for similar reasons (meaning identifying signers exclusively via cert issuer and serial in that case). I would expect that there could be demand to have some level of independence between BGPsec and RPKI for at least internal uses such as those noted in the spec already. (3) section 8: Is there a potential exposure here in that a relying party who emits e.g. certificate status checks or cert retrieval queries for an RPKI cert they've not previously seen is exposing something about the set of paths its traffic is likely to follow. (This is similar to why we have OCSP stapling in the web.) IIRC the RPKI specs may cover this but I suspect it'd be worth noting here as well even if so as this represents exposing something about BGP announcement content to off-path parties which I think is new for BGP. Is that a new thing for BGP? (I think the new aspect to the attack is that a bad actor who has already compromised some AS could more easily spot that traffic from the relying party's AS is likely to transit the compromised AS.) ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- - (Non actionable comment really aimed at the IESG and not the authors/WG...) I'm kinda sad that even today we don't appear to have learned to value deploy-ability more highly. I fear that BGPsec and RPKI will suffer a similar lack of deployment as seen with S/MIME and DNSSEC and for possibly similar reasons (complexity, not starting with modest improvements, requiring a number of parties to change before seeing benefits). I hope I'm wrong about that, but equally, if I'm not and RPKI/BGPsec deployment turns out to be very very slow, (as opposed to the optimistic, "just slow";-) then I also hope the IESG at that time will be willing to consider alternatives - it's too easy for the IETF to just get stuck when a technology like this fails to deploy. But maybe I'm wrong and this'll all be fine and will be widely deployed and used in a few years. - Figures 2 and 5 present the fields in different orders. That seems like a bad idea. - 3.2: The reference to the pki profile doc is not precise enough, the string "key identifier" does not occur in that draft - it's in RFC6487, 4.8.2. - 4.1, last para: is the distinction between an "internal peer" and "iBGP peer" sufficiently clear to routing folk? For me they sound similar but I assume it's ok. - 5.2, I think you need to say something to the effect that every Secure_Path MUST have a signature with an algorithm that is supported. As I read the text, the algorithm as stated here could be read to not require that. E.g. the para before the bullets on p25 could be read to mean "drop all stuff involving unsupported algs and then continue to process the rest of the stuff." - section 7: WRT non-deterministic signature algorithms, I think it'd be useful to note here that all such algorithms require good random number generation on the signer's system and that failing in that respect can expose the signer's private key. IMO deterministic signature schemes are better for this reason but the need for a good RNG is I think a real operational issue worthy of note.
- [sidr] Stephen Farrell's Discuss on draft-ietf-si… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sean Turner
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Russ Housley
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Mehmet Adalier (Antara Teknik)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Montgomery, Douglas (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Montgomery, Douglas (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Randy Bush