IETF Logo Mail Archive

Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Thu, 05 January 2017 14:10 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95830129465; Thu, 5 Jan 2017 06:10:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MPsv_UAGpB5E; Thu, 5 Jan 2017 06:10:10 -0800 (PST)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0128.outbound.protection.outlook.com [23.103.200.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53A21126579; Thu, 5 Jan 2017 06:10:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=N93aqEYEFvRFn0hVMxZ3RKqYkOpKP8zq2cU+xgZwx5A=; b=Ghg7S87a5jo0DscvuKWByd3eR6XoLCKSQDieNNamkvtKp9WPKAatgkwQZT9uA32sN9lWZkoeB2U68U2iAoA8qRWXFcB0ObLm9Y7af2EKOLxm7hpAdUBX/6iVHn/hdkTjT4CLR6Z/2GKg7ZKiooj3SE3G9t+DDzfrQMVk/72kOi4=
Received: from DM2PR09MB0446.namprd09.prod.outlook.com (10.161.252.145) by DM2PR09MB0445.namprd09.prod.outlook.com (10.161.252.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.817.10; Thu, 5 Jan 2017 14:10:07 +0000
Received: from DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) by DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) with mapi id 15.01.0817.012; Thu, 5 Jan 2017 14:10:06 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
Thread-Index: AQHSZpHl3JK9Ep+Hw0SM2CHq7jfcT6Ep5Pcg
Date: Thu, 05 Jan 2017 14:10:06 +0000
Message-ID: <DM2PR09MB0446A3E1696278FBD040707F84600@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <148353798879.13011.5291414579598073386.idtracker@ietfa.amsl.com>
In-Reply-To: <148353798879.13011.5291414579598073386.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov;
x-originating-ip: [129.6.220.168]
x-ms-office365-filtering-correlation-id: 35952ddd-aa6b-48a0-4fec-08d435748d18
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM2PR09MB0445;
x-microsoft-exchange-diagnostics: 1; DM2PR09MB0445; 7:0Ea8/SXUbWDe37w3v43I0eOgZHXddim0eRSK8T1x/J+vp40OODmsWB5Z3d7+5Ruwz7nX5JfGbWm64WnufwLpRD949aDpKlV/mdbxknlZ6VheGgRj/GtxzGAOYNzDiewQMyS1DmxQAAk+OhSE9ZphPPWpKmeJqVGT3FjZlnYITAKrahz5AVZ6koWmbOnZkLWw00k3ztY+ETW9IlSFCZQUTSlVoGhlr8udIggpFi7nItoefmryx1sG2o1lt6+3E8fQQll/21MyNLEO/DvDVqvPoU1b2ks8A9Pqw6enIfpgdJ8g/w83a+BfLsan5vHEkWjDFWrkULfmpK5J9AEp9Rt3kqiv/q7OZcRr0sompt+/2xxHu/ZNonkbLFVxBEi6a6fgm/0jf/wscrzJ6byzv4HsgscbYp3fMtyWnvnLDkIbeDZHvNoo/VibrR8r1Uj7I+qTWKnqsncoM6QSz0wayhn6GQ==
x-microsoft-antispam-prvs: <DM2PR09MB04459BDBF0FAC55EE897E77384600@DM2PR09MB0445.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123555025)(20161123560025)(20161123564025)(20161123562025)(6072148); SRVR:DM2PR09MB0445; BCL:0; PCL:0; RULEID:; SRVR:DM2PR09MB0445;
x-forefront-prvs: 0178184651
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39860400002)(39410400002)(39850400002)(39840400002)(39450400003)(189002)(199003)(8676002)(38730400001)(305945005)(92566002)(66066001)(189998001)(5001770100001)(54356999)(54906002)(4326007)(2906002)(3660700001)(97736004)(3280700002)(5660300001)(3846002)(345774005)(7696004)(6116002)(102836003)(74316002)(77096006)(81156014)(81166006)(7736002)(6506006)(6436002)(230783001)(106356001)(33656002)(2900100001)(9686002)(68736007)(229853002)(8936002)(25786008)(2950100002)(86362001)(55016002)(76176999)(50986999)(122556002)(101416001)(106116001)(99286003)(105586002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR09MB0445; H:DM2PR09MB0446.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jan 2017 14:10:06.3557 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0445
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Ror0VPtHttQfrWSXubx8SaHUU_Q>
Cc: "draft-ietf-sidr-bgpsec-protocol@ietf.org" <draft-ietf-sidr-bgpsec-protocol@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "m.waehlisch@fu-berlin.de" <m.waehlisch@fu-berlin.de>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 14:10:12 -0000

Stephen,

Thank you for the detailed review and comments.
Please see my responses marked with [Sriram] inline below.

[Sriram] Your DISCUSS points (1) and (3) were already
discussed /being discussed in separate threads.

> (2) Figure 8: It seems to me to be an error to omit the
signer's ASN from the signed data and only have that
included in the signer's certificate. Why is that intimate
level of binding to the RPKI desirable? There may well be
reasons but I'm not seeing 'em, and I am recalling that it
took a chunk of effort to make CMS less dependent on
X.509 for similar reasons (meaning identifying signers
exclusively via cert issuer and serial in that case).  I
would expect that there could be demand to have some level
of independence between BGPsec and RPKI for at least
internal uses such as those noted in the spec already.

[Sriram] Signer's ASN is indeed included in the signed data.
In Figure 8, "Secure_Path Segment : N" corresponds
to the signing AS (current AS) and that is where the 
signer's ASN is included along with its pCount and Flags.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------

> - Figures 2 and 5 present the fields in different orders.
That seems like a bad idea.

[Sriram] Good catch. Already fixed in my editor copy of version-22. 

> - 3.2: The reference to the pki profile doc is not precise
enough, the string "key identifier" does not occur in that
draft - it's in RFC6487, 4.8.2. 

[Sriram] Again, a good catch. Already fixed in my editor copy of version-22.  

> - 4.1, last para: is the distinction between an "internal
peer" and "iBGP peer" sufficiently clear to routing folk?
For me they sound similar but I assume it's ok.

[Sriram] I think it is well understood. But when I push version-22 out, 
I’ll consider if I should simply just use "iBGP peer" consistently 
and avoid using "internal peer". 

> - 5.2, I think you need to say something to the effect
that every Secure_Path MUST have a signature with an
algorithm that is supported. As I read the text, the
algorithm as stated here could be read to not require
that. E.g. the para before the bullets on p25 could be
read to mean "drop all stuff involving unsupported algs
and then continue to process the rest of the stuff."

[Sriram] Seems like a bit of a pathological case. 
Could happen only if the sender behavior was incorrect. 
Sender is not required to know which algorithms a peer supports 
but sender's expected behavior is this: MUST include a Signature_Block 
for the "current" algorithm (which every BGPsec speaker 
MUST support through the transition period), 
and if the sender supports the "next" algorithm, 
then it MUST include a Signature_Block for the "next" algorithm also.
So the peer BGPsec receiver (who MUST support 
at least the "current" algorithm) is not expected to be starved 
of a Signature_Block it can work with.   

> - section 7: WRT non-deterministic signature algorithms, I
think it'd be useful to note here that all such algorithms
require good random number generation on the signer's
system and that failing in that respect can expose the
signer's private key.  IMO deterministic signature schemes
are better for this reason but the need for a good RNG is
I think a real operational issue worthy of note.

[Sriram] I will include wording to cover this in Section 7 in version-22.

Sriram

v2.23.0 | Report a Bug | By Email