IETF Logo Mail Archive

Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-pki-profiles-08.txt

Sean Turner <TurnerS@ieca.com> Wed, 08 October 2014 02:31 UTC

Return-Path: <TurnerS@ieca.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 951101A901F for <sidr@ietfa.amsl.com>; Tue, 7 Oct 2014 19:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.567
X-Spam-Level:
X-Spam-Status: No, score=-1.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5DBwaVDyteTz for <sidr@ietfa.amsl.com>; Tue, 7 Oct 2014 19:31:26 -0700 (PDT)
Received: from gateway08.websitewelcome.com (gateway08.websitewelcome.com [69.56.216.18]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB4EA1A00DB for <sidr@ietf.org>; Tue, 7 Oct 2014 19:31:25 -0700 (PDT)
Received: by gateway08.websitewelcome.com (Postfix, from userid 5007) id 553B2BEA3D1FA; Tue, 7 Oct 2014 21:31:24 -0500 (CDT)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway08.websitewelcome.com (Postfix) with ESMTP id 36C7DBEA3D1B1 for <sidr@ietf.org>; Tue, 7 Oct 2014 21:31:24 -0500 (CDT)
Received: from [173.73.121.234] (port=55419 helo=[192.168.1.7]) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <TurnerS@ieca.com>) id 1Xbh2B-0004mp-Eu; Tue, 07 Oct 2014 21:31:23 -0500
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <TurnerS@ieca.com>
In-Reply-To: <4556FA63-A6FD-471B-93FD-51D748C94EE8@tislabs.com>
Date: Tue, 07 Oct 2014 22:31:20 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <8BFAD7DD-7CEA-4720-86BB-09407C6C543D@ieca.com>
References: <20140813004442.10560.45299.idtracker@ietfa.amsl.com> <B97A6E28-4EDB-4EC5-B8DA-9803C7B21900@ieca.com> <4556FA63-A6FD-471B-93FD-51D748C94EE8@tislabs.com>
To: Sandra Murphy <Sandy@tislabs.com>
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 173.73.121.234
X-Exim-ID: 1Xbh2B-0004mp-Eu
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([192.168.1.7]) [173.73.121.234]:55419
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 2
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/Ixv2KhExOlTrBh4w_21kWOPMurg
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-pki-profiles-08.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Oct 2014 02:31:27 -0000

On Aug 13, 2014, at 12:42, Sandra Murphy <Sandy@tislabs.com> wrote:

> speaking as regular ol' member
> 
> A question about wording.
> 
> I understand the wording change in 3.1.1 (used to be 3.1.1.1) that results from the change from multiple ASs in a cert to a single AS in a cert.
> 
> But there is also a wording change having to do with multiple routers sharing the same key pair.
> 
> The wording went from:
> 
>                                   If the same certificate is issued to more
>   than one router (hence the private key is shared among these
>   routers), the choice of the router ID used in this name is at the
>   discretion of the Issuer.
> 
> to:
> 
>                                                      If more than one certificate
>   for an AS is issued (i.e., more than one router gets a certificate
>   for the AS and hence the private key is shared among more than one
>   router), the choice of the router ID used in Subject name is at the
>   discretion of the Issuer.
> 
> I don't understand the new wording.  If all routers in an AS have different keys, then there would be multiple certificates issued for the AS, but no sharing of keys and no confusion over the router ID to be used in each router's cert.  Right?
> 
> Apologies if I'm just not parsing the new sentence correctly.  The previous wording was fine with me.
> 
> [The certificate request format does not include the subject name anyway, so it looks to me like the subject name is ALWAYS at the discretion of the issuer.  No?)

Yep the issuer always gets to determine the subject name as per RFC 6487 s4.5 so how about we just leave that bit out and make that sentence a note:

  Note that more than one certificate can be issued to
  an AS (i.e., more than one router can get a certificate
  for the AS and hence the private key is shared among
  more than one router).

I guess the follow on question is whether we also point out that a router could support more than one AS but having key pairs for each AS:

  Also note that routers can support multiple ASs with
  separate keys pairs one for each AS.

or something like that?

spt

> --Sandy, speaking as regular ol' member
> 
> 
> On Aug 12, 2014, at 8:47 PM, Sean Turner <TurnerS@ieca.com> wrote:
> 
>> This version incorporates the change discussed at IETF 90 - namely include one and only one AS in the certificate.
>> 
>> The working version is also available at:
>>  https://github.com/seanturner/draft-ietf-sidr-bgpsec-pki-profiles
>> 
>> spt
>> 
>> On Aug 12, 2014, at 20:44, internet-drafts@ietf.org wrote:
>> 
>>> 
>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>> This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.
>>> 
>>>      Title           : A Profile for BGPSEC Router Certificates, Certificate Revocation Lists, and Certification Requests
>>>      Authors         : Mark Reynolds
>>>                        Sean Turner
>>>                        Steve Kent
>>> 	Filename        : draft-ietf-sidr-bgpsec-pki-profiles-08.txt
>>> 	Pages           : 13
>>> 	Date            : 2014-08-12
>>> 
>>> Abstract:
>>> This document defines a standard profile for X.509 certificates for
>>> the purposes of supporting validation of Autonomous System (AS) paths
>>> in the Border Gateway Protocol (BGP), as part of an extension to that
>>> protocol known as BGPSEC.  BGP is a critical component for the proper
>>> operation of the Internet as a whole.  The BGPSEC protocol is under
>>> development as a component to address the requirement to provide
>>> security for the BGP protocol.  The goal of BGPSEC is to design a
>>> protocol for full AS path validation based on the use of strong
>>> cryptographic primitives.  The End-Entity (EE) certificates specified
>>> by this profile are issued under Resource Public Key Infrastructure
>>> (RPKI) Certification Authority (CA) certificates, containing the AS
>>> Identifier Delegation extension, to routers within the Autonomous
>>> System (AS).  The certificate asserts that the router(s) holding the
>>> private key are authorized to send out secure route advertisements on
>>> behalf of the specified AS.  This document also profiles the
>>> Certificate Revocation List (CRL), profiles the format of
>>> certification requests, and specifies Relying Party certificate path
>>> validation procedures.  The document extends the RPKI; therefore,
>>> this documents updates the RPKI Resource Certificates Profile (RFC
>>> 6487).
>>> 
>>> 
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-pki-profiles/
>>> 
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-pki-profiles-08
>>> 
>>> A diff from the previous version is available at:
>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-bgpsec-pki-profiles-08
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>> 
>>> _______________________________________________
>>> I-D-Announce mailing list
>>> I-D-Announce@ietf.org
>>> https://www.ietf.org/mailman/listinfo/i-d-announce
>>> Internet-Draft directories: http://www.ietf.org/shadow.html
>>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>> 
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>

v2.23.0 | Report a Bug | By Email