Re: [sidr] WGLC draft-sidr-rpki-rtr

Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

Christopher Morrow <morrowc.lists@gmail.com> Tue, 17 May 2011 00:03 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=l+GwfspZQfsKW87BK1Pv5Q11mJWJcO0eTS5zzAjoahg4os71nwXHq8Y1GW4hW8H8m5 iAorZzLjqk4kKJq5pUfYw4tY1PwBBkXffEtol4AO1NxJFb+JF8F2egF8Y2le5vdCyT5N DHK55Kvqn3GZe75jrmp3ow57PYtscF9PHtnEU=
MIME-Version: 1.0
Sender: christopher.morrow@gmail.com
In-Reply-To: <017b01cc13ff$0cb6da40$4001a8c0@gateway.2wire.net>
References: <4DAF44AC.8060408@isi.edu> <E3076C4C-F27C-40A8-A033-2EBB8C39A3D2@cisco.com> <4DAF796C.7010807@isi.edu> <BANLkTi=Oc-fEKOYCRQqM97wPxSSXjrdTRw@mail.gmail.com> <409BDC5C-FE86-444A-BC0D-6DA00E7BF0F3@isi.edu> <BANLkTikLi2p7UipJ!TRSQqVOL6GkLn=j9iA@mail.gmail.com> <F0FABE61-FC1D-45ED-A21D-ED7A1228A997@isi.edu> <01eb01cc0325$6e4fd260$4001a8c0@gateway.2wire.net> <4DB592B3.3090805@isi.edu> <033e01cc05a8$0a82f160$4001a8c0@gateway.2wire.net> <4DB9A456.3060709@isi.edu> <BANLkTikg18FV5H0bOdOfWMzpTcm_B__EVQ@mail.gmail.com> <017b01cc13ff$0cb6da40$4001a8c0@gateway.2wire.net>
Date: Mon, 16 May 2011 20:03:42 -0400
Message-ID: <BANLkTink82qvhge6rRhqt5+h-2mEkKBMhA@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: "t.petch" <ietfc@btconnect.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
Precedence: list

On Mon, May 16, 2011 at 3:25 PM, t.petch <ietfc@btconnect.com> wrote:
> Chris
>
> Stepping back from the immediate technical question, I would be surprised
> if the Security ADs would accept the Security Considerations in 2011.
>
> I lack the knowledge of where these sessions will be from and too,
> and see no guidance in any of the other I0Ds, but

I think the idea is that a router gets it's cache data from inside the
local ASN, there may be cases where an operator decides to use an
extra-AS cache, but that seems less than ideal (bootstrapping issues,
business issues, etc).

> suspect that they will span the Internet, ie totally different to an IDR
> session.
> And that suggests that anyone anywhere can attack them, so I would expect
> to see a threat analysis and counters thereto.

interesting, Randy does this seem like something that you were
thinking of as well? or since the intent is to do this sort of thing
inside a single ASN (or single administrative domain) is this
something that's less critical?

>
> Just my 0.02£
>
> Tom Petch
>
> ----- Original Message -----
> From: "Christopher Morrow" <morrowc.lists@gmail.com>
> To: "Joe Touch" <touch@isi.edu>
> Cc: "t.petch" <ietfc@btconnect.com>; "sidr wg list" <sidr@ietf.org>
> Sent: Monday, May 16, 2011 8:25 PM
> Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
>
>
> So.. this spun along for a time, the last real bit of controversy was
> "to AO or not to AO"... The author(s) I think are off looking at
> alternate options. For now we'll withdraw this WGLC and start another
> once the authors have updates to report.
>
> thanks though folks!
> -Chris
>
> On Thu, Apr 28, 2011 at 1:31 PM, Joe Touch <touch@isi.edu> wrote:
>>
>>
>> On 4/28/2011 6:27 AM, t.petch wrote:
>>>
>>> ----- Original Message -----
>>> From: "Joe Touch"<touch@isi.edu>
>>> To: "t.petch"<ietfc@btconnect.com>
>>> Cc: "Christopher Morrow"<morrowc.lists@gmail.com>; "sidr wg list"
>>> <sidr@ietf.org>
>>> Sent: Monday, April 25, 2011 5:26 PM
>>>
>>>> Hi, Tom,
>>>>
>>>> On 4/25/2011 1:47 AM, t.petch wrote:
>>>> ....
>>>>>
>>>>> I think that the point is not that it is or is not a BGP connection
>>>>> but that security for BGP was predicated on the assumption that
>>>>> the TCP connection would be short in terms of hops, ie none,
>>>>> and it was that that made a less stringent approach to security
>>>>> acceptable, one that would not be acceptable for an Internet
>>>>> wide access for - say - a Web site.
>>>>
>>>> Hopcount security, i.e., GTSM (RFC 3682) is not at all related to TCP-AO.
>>>
>>> Understood; I was thinking of RFC4278 which calls out the unusual nature
>>> of
>>> BGP sessions and the impact on security requirements.
>>
>> That document explains why TCP MD5 was considered appropriate for BGP, given
>> the variance in the maturity level of the standards of the two docs.
>>
>> TCP-AO has no such assertions or qualifications. It is a general purpose
>> mechanism that includes some properties useful for BGP, but that are also
>> very relevant to exchanges between clients and caches as well.
>>
>>> I am familiar with TCP-AO from the TCPM list, but am not enough of a
>>> cryptanalyst to know whether or not it is appropriate for rpki-rtr.
>>>
>>> By contrast, I have seen SSH and TLS discussed much more extensively
>>> on their lists and have been part of the pain of adding them to syslog and
>>> SNMP.
>>>
>>> And I do not know where these rpki-rtr sessions will go to and from but
>>> suspect that they will not be BGP-like.
>>
>> BGP-like presumably means:
>> - long lived
>> - between known endpoints
>> - over short IP hops
>>
>> Of these, only "long lived" had any impact on the TCP-AO design.
>>
>> Of these, any can be relevant to rpki-rtr sessions, from the traffic I've
>> seen on this list.
>>
>> Keying is another relevant issue; configuration of SSH and TLS for
>> pre-shared keys is different than for TCP MD5 (and TCP-AO, which uses
>> similar master keys), and not the typical case.
>>
>> My point is that TCP-AO wasn't designed for BGP; it was designed as a
>> general purpose mechanism.
>>
>> Joe
>>
>>
>
>

[sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Jared Mauch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Kent
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Danny McPherson
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Smith, Donald
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Pradosh Mohapatra
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Pradosh Mohapatra
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Sandra Murphy
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Geoff Huston
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Geoff Huston
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Kent
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Sandra Murphy
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
[sidr] TLS (Was: Re: WGLC draft-sidr-rpki-rtr - t… Paul Hoffman
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] TLS (Was: Re: WGLC draft-sidr-rpki-rtr… Paul Hoffman
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] draft-sidr-rpki-rtr t.petch
Re: [sidr] draft-sidr-rpki-rtr Joe Touch
Re: [sidr] draft-sidr-rpki-rtr Randy Bush
Re: [sidr] draft-sidr-rpki-rtr Stewart Bryant
Re: [sidr] draft-sidr-rpki-rtr t.petch
Re: [sidr] draft-sidr-rpki-rtr Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch