Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt

Tim Bruijnzeels <tim@ripe.net> Fri, 08 July 2016 09:35 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/H1UJgfnol77e26ppSCLHbhKhAqY>

Dear WG,

After receiving some feedback on the previous version and discussion with co-authors, this version:
- Does not reject 'over-claiming' EE certificates, but uses VRS-IP/AS there as well
- Includes text to update ROA validation (in short requires that all prefixes are in VRS-IP of the EE)
- Includes a request to the authors of the bgpsec-rpki-profile document.

The reason why the change that I proposed to reject EE certificates has been reverted is that:
- This way the validation algorithm is consistent between CA and EE certificates
- Even though ROAs still require that *all* prefixes are contained in the VRS-IP, there may be other future use cases of EE certificates where a VRS-IP/AS is smaller than the resources contained in the extensions.

Stephen Kent commented on -04 of this document, saying that it should not attempt to update the BGPSec Router Certificate I-D because it's not an RFC just yet. It's currently in IESG Processing. The current document therefore has a request and some suggestions to the authors to change the document (in which case the section can be deleted in the next (hopefully final) version of this document).

I don't mind either way. Maybe the chairs have an idea about what the best process is. But in either case we would like to ask the BGPSec Router Certificate authors to review the included text.


Thanks,

Tim




> On 08 Jul 2016, at 11:19, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Secure Inter-Domain Routing of the IETF.
> 
>        Title           : RPKI Validation Reconsidered
>        Authors         : Geoff Huston
>                          George Michaelson
>                          Carlos M. Martinez
>                          Tim Bruijnzeels
>                          Andrew Lee Newton
>                          Daniel Shaw
> 	Filename        : draft-ietf-sidr-rpki-validation-reconsidered-06.txt
> 	Pages           : 12
> 	Date            : 2016-07-08
> 
> Abstract:
>   This document proposes an update to the certificate validation
>   procedure specified in RFC 6487 that reduces aspects of operational
>   fragility in the management of certificates in the RPKI, while
>   retaining essential security features.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/
> 
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-06
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-validation-reconsidered-06
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
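
Added example, not part of the original message or the draft's own text: a sketch of the behaviour summarised above, where an over-claiming CA or EE certificate is kept with a reduced VRS-IP and a ROA is accepted only if all its prefixes fall inside the EE certificate's VRS-IP. It assumes VRS-IP is the intersection of a certificate's IP resources with its issuer's VRS-IP; the function names and the certificate chain are constructed for illustration.

```python
import ipaddress

def covered(net, allowed):
    """True if `net` lies inside one of the `allowed` prefixes."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def collapse(nets):
    """Merge adjacent/nested prefixes, per address family."""
    out = []
    for ver in (4, 6):
        out += ipaddress.collapse_addresses([n for n in nets if n.version == ver])
    return out

def intersect(claimed, allowed):
    """Two CIDR prefixes either nest or are disjoint: the overlap is the smaller one."""
    hits = []
    for c in claimed:
        for a in allowed:
            if c.version == a.version:
                if c.subnet_of(a):
                    hits.append(c)
                elif a.subnet_of(c):
                    hits.append(a)
    return collapse(hits)

def compute_vrs_ip(chain):
    """chain: [(name, [prefix, ...])] ordered trust anchor -> EE.
    Returns ({name: VRS-IP}, [(name, over-claimed prefixes)])."""
    vrs, warnings, parent = {}, [], None
    for name, prefixes in chain:
        claimed = [ipaddress.ip_network(p) for p in prefixes]
        current = collapse(claimed) if parent is None else intersect(claimed, parent)
        over = [c for c in claimed if not covered(c, current)]
        if over:
            warnings.append((name, over))  # warn, do not reject the certificate
        vrs[name] = parent = current
    return vrs, warnings

def roa_valid(roa_prefixes, ee_vrs_ip):
    """ROA rule from the message: *all* prefixes must be in the EE's VRS-IP."""
    return all(covered(ipaddress.ip_network(p), ee_vrs_ip) for p in roa_prefixes)

# Constructed chain using documentation prefixes; CA and EE both over-claim 203.0.113.0/24.
CHAIN = [
    ("TA", ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]),
    ("CA", ["192.0.2.0/24", "203.0.113.0/24"]),
    ("EE", ["192.0.2.0/25", "203.0.113.0/24"]),
]

if __name__ == "__main__":
    vrs, warnings = compute_vrs_ip(CHAIN)
    print(vrs["EE"], warnings)
    print(roa_valid(["192.0.2.0/25"], vrs["EE"]))
    print(roa_valid(["192.0.2.0/25", "203.0.113.0/24"], vrs["EE"]))
```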