Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
Randy Bush <randy@psg.com> Tue, 10 January 2017 05:43 UTC
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/GJDClHtCbNFrDfwLOBQY3T_Ag5M>
Cc: sidr wg list <sidr@ietf.org>
i had to do some ascii porn for rob to deal with a secdir reviewer for draft-ietf-sidr-publication. it may help here. i added the routers for this discussion.

           +------+    +------+    +------+
           |  CA  |    |  CA  |    |  CA  |
           +------+    +------+    +------+
              |           |           |         Publication Protocol
              |           |           |         draft-ietf-sidr-publication
              +-------+   |  +--------+         Business Relationship Set Up by
                      |   |  |                  draft-ietf-sidr-rpki-oob-setup
                 +----v---v--v-----+
                 |                 |
                 |   Publication   |
                 |   Repository    |
                 |                 |
                 +-----------------+            Distribution Protocols
                          |                     draft-ietf-sidr-delta-protocol
        +-----------------+--------------+      and/or rcynic
        |                 |              |
+-------v-------+ +-------v-------+ +----v----+
|    Relying    | |    Relying    | | Relying |
|     Party     | |     Party     | |  Party  |
+-+-----+-----+-+ +-+-----+-----+-+ +-+-----+-+
  |     |     |     |     |     |     |     |   RPKI to Router Protocol (RFC 6810)
  |     |     |     |     |     |     |     |   draft-ietf-sidr-rpki-rtr-rfc6810-bis
  v     v     v     v     v     v     v     v
 / \   / \   / \   / \   / \   / \   / \   / \
|Rtr| |Rtr| |Rtr| |Rtr| |Rtr| |Rtr| |Rtr| |Rtr|
 \ /   \ /   \ /   \ /   \ /   \ /   \ /   \ /
  V     V     V     V     V     V     V     V

we're talking about 6810-bis here, the rpki-rtr protocol which carries the router keys and origin roas for bgpsec and origin validation. it is a total database push from the RP cache to the router, not a piecemeal router driven request protocol. so a monkey in the middle receives no clues as to what the router is using. there is no side channel leakage that i can see. i would be happy to be educated otherwise.

as 6810[-bis] has stripped the crypto of the rpki validation chain to the root TA, it no longer has object security; red alert. so the two ops drafts, 7115 for origin validation and draft-ietf-sidr-bgpsec-ops for bgpsec, try to be very explicit about transport protection for these data. draft-ietf-sidr-bgpsec-ops points to rfc 7115 for RP cache advice.

   As RPKI-based origin validation relies on the availability of RPKI data, operators SHOULD locate RPKI caches close to routers that require these data and services in order to minimize the impact of likely failures in local routing, intermediate devices, long circuits, etc. One should also consider trust boundaries, routing bootstrap reachability, etc. For example, a router should bootstrap from a cache that is reachable with minimal reliance on other infrastructure such as DNS or routing protocols. If a router needs its BGP and/or IGP to converge for the router to reach a cache, once a cache is reachable, the router will then have to reevaluate prefixes already learned via BGP. Such configurations should be avoided if reasonably possible.

   If insecure transports are used between an operator's cache and their router(s), the Transport Security recommendations in [RFC6810] SHOULD be followed. In particular, operators MUST NOT use insecure transports between their routers and RPKI caches located in other Autonomous Systems.

so maybe the bgpsec-protocol document can remove, as opposed to add, text just this once?

randy
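As an added example (not code from this message or from any IETF or vendor implementation), a small Python decoder for the RFC 6810 version-0 PDUs that make up one cache-to-router push of the kind discussed above: a Cache Response, a run of IPv4 Prefix records, and an End Of Data carrying the serial. The sample byte stream, session id, prefixes and ASNs are constructed here; the length and session-id checks show the only integrity a router gets from the PDUs themselves once the RPKI signature chain has been stripped.

```python
import struct
from ipaddress import IPv4Address

# RFC 6810 (protocol version 0) PDU types that make up one cache-to-router push.
CACHE_RESPONSE, IPV4_PREFIX, END_OF_DATA = 3, 4, 7
HEADER = struct.Struct("!BBHI")  # version, PDU type, session id (or zero), total length

def pdu(ptype, session, body=b""):
    """Encode one PDU; the length field covers the 8-byte header plus the body."""
    return HEADER.pack(0, ptype, session, HEADER.size + len(body)) + body

def parse_pdus(data):
    """Split a byte stream into (type, session_id, body) tuples, refusing bad lengths."""
    pdus, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated PDU header at offset %d" % off)
        version, ptype, session, length = HEADER.unpack_from(data, off)
        if version != 0 or length < HEADER.size or off + length > len(data):
            raise ValueError("malformed PDU length at offset %d" % off)
        pdus.append((ptype, session, data[off + HEADER.size:off + length]))
        off += length
    return pdus

def decode_ipv4_prefix(body):
    """IPv4 Prefix body: flags, prefix length, max length, zero, prefix, ASN (12 bytes)."""
    flags, plen, maxlen, _zero, prefix, asn = struct.unpack("!BBBB4sI", body)
    return bool(flags & 1), ("%s/%d" % (IPv4Address(prefix), plen), maxlen, asn)

def apply_cache_response(stream):
    """Replay one full push; return the resulting ROA table and the End Of Data serial."""
    pdus = parse_pdus(stream)
    if pdus[0][0] != CACHE_RESPONSE or pdus[-1][0] != END_OF_DATA:
        raise ValueError("push must start with Cache Response and end with End Of Data")
    if pdus[0][1] != pdus[-1][1]:
        raise ValueError("session id differs between Cache Response and End Of Data")
    table = set()
    for ptype, _zero, body in pdus[1:-1]:
        if ptype == IPV4_PREFIX:  # an IPv6 Prefix PDU (type 6) would be handled the same way
            announce, roa = decode_ipv4_prefix(body)
            (table.add if announce else table.discard)(roa)  # flag bit 0: 1 = announce, 0 = withdraw
    (serial,) = struct.unpack("!I", pdus[-1][2])
    return sorted(table), serial

# Constructed sample push: two announced ROAs, then End Of Data carrying serial 42.
SAMPLE_PUSH = (
    pdu(CACHE_RESPONSE, 0x1234)
    + pdu(IPV4_PREFIX, 0, struct.pack("!BBBB4sI", 1, 24, 24, 0, IPv4Address("192.0.2.0").packed, 64496))
    + pdu(IPV4_PREFIX, 0, struct.pack("!BBBB4sI", 1, 16, 20, 0, IPv4Address("198.18.0.0").packed, 64497))
    + pdu(END_OF_DATA, 0x1234, struct.pack("!I", 42))
)
```

Running `apply_cache_response(SAMPLE_PUSH)` yields the two-entry ROA table and serial 42; truncating the stream by one byte is rejected by the length check.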