Re: [sidr] AD Review of draft-ietf-sidr-bgpsec-pki-profiles-18
Steve KENT <steve.kent@raytheon.com> Mon, 05 December 2016 17:05 UTC
Return-Path: <steve.kent@raytheon.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F229B129B1A; Mon, 5 Dec 2016 09:05:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.796
X-Spam-Level:
X-Spam-Status: No, score=-9.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8kL14i6aAFFB; Mon, 5 Dec 2016 09:05:15 -0800 (PST)
Received: from dfw-mailout2.raytheon.com (dfw-mailout2.raytheon.com [199.46.199.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F35E9129C32; Mon, 5 Dec 2016 09:01:55 -0800 (PST)
Received: from ca-mailout10.rtnmail.ray.com (ca-mailout10.rtnmail.ray.com [147.25.146.12]) by dfw-mailout2.raytheon.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id uB5Gbfnd021143 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 5 Dec 2016 16:37:42 GMT
Received: from 008-smtp-out.ray.com ([23.103.8.214]) by ca-mailout10.rtnmail.ray.com (8.15.0.59/8.15.0.59) with ESMTPS id uB5GbfHW015911 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 5 Dec 2016 16:37:41 GMT
Received: from CY1PR0601MB023.008f.mgd2.msft.net (23.103.8.215) by CY1PR0601MB022.008f.mgd2.msft.net (23.103.8.214) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.721.19; Mon, 5 Dec 2016 16:37:40 +0000
Received: from CY1PR0601MB023.008f.mgd2.msft.net ([23.103.8.215]) by CY1PR0601MB023.008f.mgd2.msft.net ([23.103.8.215]) with mapi id 15.01.0721.017; Mon, 5 Dec 2016 16:37:40 +0000
From: Steve KENT <steve.kent@raytheon.com>
To: "Alvaro Retana (aretana)" <aretana@cisco.com>, "draft-ietf-sidr-bgpsec-pki-profiles@ietf.org" <draft-ietf-sidr-bgpsec-pki-profiles@ietf.org>
Thread-Topic: AD Review of draft-ietf-sidr-bgpsec-pki-profiles-18
Thread-Index: AQHSTi4WSu/tt18RUk64ZuozIah2bKD5i9mD
Date: Mon, 05 Dec 2016 16:37:40 +0000
Message-ID: <c383b226d2d14e5bbc5cfae785a89a4c@CY1PR0601MB023.008f.mgd2.msft.net>
References: <C835CAC9-9CBB-41B3-B376-D1E3A79F4638@cisco.com>
In-Reply-To: <C835CAC9-9CBB-41B3-B376-D1E3A79F4638@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [23.103.8.69]
Content-Type: multipart/alternative; boundary="_000_c383b226d2d14e5bbc5cfae785a89a4cCY1PR0601MB023008fmgd2m_"
MIME-Version: 1.0
X-CC: aretana@cisco.com, draft-ietf-sidr-bgpsec-pki-profiles@ietf.org, sidr-chairs@ietf.org, morrowc@ops-netman.net, sidr@ietf.org
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-12-05_12:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/PemW2y5O8pkRnFr0HLLlSSRMnyU>
Cc: Chris Morrow <morrowc@ops-netman.net>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] AD Review of draft-ietf-sidr-bgpsec-pki-profiles-18
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2016 17:05:17 -0000
Alvaro, Thanks for the careful review. I agree with your suggested edits cited in C2, C3, C4, C6, C7, C8, C9, and C10. C1: yep, this sentence is broken in a few ways. How about: "A router holding the private key is authorized to send route advertisements (to its peers) identifying the router's ASN as the source of the advertisements. C5: The allusion to future updates is in anticipation of adopting the relaxed validation procedure that SIDR is about to forward to you. Still, the wording is poor" how about: "…is identical to the validation procedure described in Section 7 of [RFC6487] (and any RFC that updates this procedure), as modified below." C11: yes, my name should be removed from the Acknowledgements section. I'll rely on Sean to make these changes, if he concurs. Steve ________________________________ From: Alvaro Retana (aretana) <aretana@cisco.com> Sent: Sunday, December 4, 2016 7:58:20 AM To: draft-ietf-sidr-bgpsec-pki-profiles@ietf.org Cc: sidr-chairs@ietf.org; Chris Morrow; sidr@ietf.org Subject: AD Review of draft-ietf-sidr-bgpsec-pki-profiles-18 Dear authors: Hi! I just finished reading this document. I have some comments (please see below) I would like you to address, but I wouldn’t characterize any of them as major, so I’m starting the IETF Last Call and placing this document in the next available IESG Telechat. Thanks! Alvaro. Comments: C1. From the Introduction: “A router holding the private key is authorized to send route advertisements (to its peers) that contain one or more of the specified AS number as the last item in the AS PATH attribute.” First of all, if BGPSec is used, then the AS_PATH attribute is not. Second, what does “one or more of the specified AS number as the last item” mean? There is only one “last item”…but I’m guessing you might be referring to pre-pending. C2. “Border Gateway Protocol Security protocol (BGPsec)” I haven’t seen BGPsec expanded anywhere else like that. In fact, ID.sidr-bgpsec-protocol just used BGPsec (no expansion). C3. s/ID.sidr-rfc6485bis/rfc7935 C4. In Section 3.1.3.2. (Extended Key Usage): “As specified in [RFC6487] this extension MUST be marked as non-critical.” Because the behavior was specified in RFC6487, then the “MUST” shouldn’t be Normative here; s/MUST/must C5. Section 3.3. (BGPsec Router Certificate Validation) says that the “validation procedure…is identical to the validation procedure described in Section 7 of [RFC6487] (and any RFC that updates this procedure), but using the constraints applied come from this specification.” It Is strange to me that the phrase inside the parenthesis is included here since there isn’t an update to the procedure – is there a specific reason why you need to call future (unknown) updates out at this point? BTW, s/using the constraints applied come from this specification/using the constraints from this specification C6. References. - RFC6818 can be made Informative. - RFC6486 and ID.sidr-bgpsec-protocol should be Normative. C7. s/to an Internet Service Providers (ISP)/ to an Internet Service Provider (ISP) C8. s/The CA also generate./ (orphan phrase) C9. s/The [RFC6480]/[RFC6480] C10. s/3.1.1.1./3.1.1. C11. “…the efforts of Steve Kent…were instrumental in preparing this work” Steve is an author.
- [sidr] AD Review of draft-ietf-sidr-bgpsec-pki-pr… Alvaro Retana (aretana)
- Re: [sidr] AD Review of draft-ietf-sidr-bgpsec-pk… Steve KENT
- Re: [sidr] AD Review of draft-ietf-sidr-bgpsec-pk… Sean Turner
- Re: [sidr] AD Review of draft-ietf-sidr-bgpsec-pk… Alvaro Retana (aretana)