IETF Logo Mail Archive

Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

Christopher Morrow <morrowc.lists@gmail.com> Fri, 22 April 2011 05:31 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfc.amsl.com
Delivered-To: sidr@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 7AFF6E07C3 for <sidr@ietfc.amsl.com>; Thu, 21 Apr 2011 22:31:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9MNswws1e8+2 for <sidr@ietfc.amsl.com>; Thu, 21 Apr 2011 22:31:08 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfc.amsl.com (Postfix) with ESMTP id 385D6E07AE for <sidr@ietf.org>; Thu, 21 Apr 2011 22:31:08 -0700 (PDT)
Received: by wyb29 with SMTP id 29so284437wyb.31 for <sidr@ietf.org>; Thu, 21 Apr 2011 22:31:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=tNUSnEh8rna7g957rO9RL/btaFNu+JzvRRZQwQpGsB8=; b=NEk+tKfQ6Ra6VbeZfUpdTTMR2/6ni49/jNOfvWqkHyBDNOhSOZovyukZ7e0eBWSTdy Lnd2ghgCVF6bILOcfGLAjGPnmg4IgX0q73wWWtgAIBxxG4bQsM1RUSOHUehDqF6E7+q5 tLhpJYqYLjA6wepdJvmQp/qZsXKf8duwwE0B4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=ndPs8IJOWQgV/cyEOI6zME4leDuG95tnpANLpWVGQ2+393BzT1pXJhfzyFL6tMt+MN jhInWLLY8DMCdAUqbmdqdvAMSIfK5BrRsgjbrUHUdItAwyB0lWuK2UqWwPxSqLErkPVz uhLYZLSjTj4v2YdlbkvLe6DblGpZaEgx7VIUg=
MIME-Version: 1.0
Received: by 10.216.24.73 with SMTP id w51mr676278wew.72.1303450266495; Thu, 21 Apr 2011 22:31:06 -0700 (PDT)
Sender: christopher.morrow@gmail.com
Received: by 10.216.234.156 with HTTP; Thu, 21 Apr 2011 22:31:06 -0700 (PDT)
In-Reply-To: <F0FABE61-FC1D-45ED-A21D-ED7A1228A997@isi.edu>
References: <AANLkTimq3hcdK7-f_Pa9sWJJOTzF_GBLcYu36sB3WszN@mail.gmail.com> <AANLkTikfn_ZRQNQx0QLV7fJa8DDeqMa=yRqWUH4krMHD@mail.gmail.com> <AANLkTinV88U3cF6z51eNtPeF-xKG1aWVgALd06CPq4kE@mail.gmail.com> <m2d3l6cj2l.wl%randy@psg.com> <289DB32D-D175-49DE-AA82-100407F64C23@juniper.net> <Pine.WNT.4.64.1104012156360.4612@mw-PC> <20110401210506.GA3082@juniper.net> <Pine.WNT.4.64.1104021120430.4612@mw-PC> <20110404083237.GA1860@juniper.net> <FFD0D281-AA3C-4CF2-8AF2-E1A2FE0A53A0@tcb.net> <20110404125015.GA3277@juniper.net> <BANLkTi=eZ=pQ2gJfiPBfeb4frH8Tncempw@mail.gmail.com> <m21v1i9ha8.wl%randy@psg.com> <BF88D659-1BE5-4DD2-AB24-7A113360DF37@cisco.com> <m2tyea7urr.wl%randy@psg.com> <8BE1C346-6214-4343-9E46-BFA8D96E4B6C@cisco.com> <p06240810c9c90b883458@128.89.89.213> <4DAF44AC.8060408@isi.edu> <E3076C4C-F27C-40A8-A033-2EBB8C39A3D2@cisco.com> <4DAF796C.7010807@isi.edu> <BANLkTi=Oc-fEKOYCRQqM97wPxSSXjrdTRw@mail.gmail.com> <409BDC5C-FE86-444A-BC0D-6DA00E7BF0F3@isi.edu> <BANLkTikLi2p7UipJTRSQqVOL6GkLn=j9iA@mail.gmail.com> <F0FABE61-FC1D-45ED-A21D-ED7A1228A997@isi.edu>
Date: Fri, 22 Apr 2011 01:31:06 -0400
X-Google-Sender-Auth: RLa1B2rYEr5ihTWkeq4XMMZ6bHk
Message-ID: <BANLkTim8xEEs=gGyKaJt4ygPr0sdtJ2h=g@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Joe Touch <touch@isi.edu>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2011 05:31:09 -0000

On Fri, Apr 22, 2011 at 1:27 AM, Joe Touch <touch@isi.edu> wrote:
>
>
> On Apr 21, 2011, at 10:10 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
>
>> On Fri, Apr 22, 2011 at 12:14 AM, Joe Touch <touch@isi.edu> wrote:
>>>
>>>
>>> On Apr 21, 2011, at 7:45 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
>>>
>>>> So.. round and round the rosemary bush we go, still we have no actual
>>>> things that run actual tcp-ao, so given that can we either:
>>>>
>>>> 1) use md5 (as a MUST, with ssh as a MAY) and rev the doc at a later
>>>> point to say that AO is a MUST and remove md5
>>>> 2) move this doc along the path
>>>> 3) get implementations of the protocol today to start using md5
>>>
>>> You could instead do what the TCP-AO rfc recommends for apps like BGP:
>>>
>>> - MUST support TCP-AO
>>> - MAY also support TCP MD5 for backward compatibility
>>>
>>> This avoids reinventing an answer for BGP caches and just applies the *current* advice for BGP in general.
>>>
>>
>> bgp cache is not bgp... it's really just a random tcp session from a
>> router to a thing some where else.
>>
>> (does that change your proposed above?)
>
> Nope. (and I was aware it isn't a BGP protocol connection)

awesome, was a tad worried your quote was specific to bgp... a
loophole so to speak.

>>
>> -Chris
>>
>>> Joe
>>>
>>>
>>>>
>>>> -chris
>>>> (co-chair-toe-socks-on)
>>>>
>>>> On Wed, Apr 20, 2011 at 8:25 PM, Joe Touch <touch@isi.edu> wrote:
>>>>>
>>>>>
>>>>> On 4/20/2011 5:19 PM, Brian Weis wrote:
>>>>>>
>>>>>> On Apr 20, 2011, at 1:40 PM, Joe Touch wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 4/11/2011 12:49 PM, Stephen Kent wrote:
>>>>>>>>
>>>>>>>> At 9:30 PM -0700 4/6/11, Brian Weis wrote:
>>>>>>>>>
>>>>>>>>> On Apr 6, 2011, at 5:46 PM, Randy Bush wrote:
>>>>>>>>>
>>>>>>>>>>> Getting a new application (such as the rtr protocol)
>>>>>>>>>>> specifying hmac-md5 mandatory to implement through a Secdir
>>>>>>>>>>> review and then the Security ADs just won't happen. The
>>>>>>>>>>> only exception I can think of is if there were no possible
>>>>>>>>>>> alternatives, and that's obviously not the case here.
>>>>>>>>>>
>>>>>>>>>> with AO not implemented on any servers, routers not having
>>>>>>>>>> ssh libraries, and this being a server to router protocol,
>>>>>>>>>> what are the alternatives?
>>>>>>>>>>
>>>>>>>>>> randy
>>>>>>>>>
>>>>>>>>> I'm surprised IPsec hasn't been mentioned in this thread ...
>>>>>>>>> was it previously discussed and rejected? Correct me if I'm
>>>>>>>>> wrong, but I believe it's common for BGP routers to support
>>>>>>>>> IPsec and servers definitely support IPsec. On the router side,
>>>>>>>>> one or two IPsec sessions to servers should not be a burden.
>>>>>>>>> I'm less sure of the server IPsec scaling properties, but I
>>>>>>>>> would expect a LINUX or BSD kernel to have the scaling issues
>>>>>>>>> as were discussed earlier in this thread regarding SSH but I'm
>>>>>>>>> no expert here.
>>>>>>>>>
>>>>>>>>> Brian
>>>>>>>>
>>>>>>>> A few years ago we were told by vendors that many router
>>>>>>>> implementations of IPsec were available only to traffic passing
>>>>>>>> through a router, not to the control plane terminating in a
>>>>>>>> router. Unless that has changed, IPsec is not a good candidate
>>>>>>>> here.
>>>>>>>
>>>>>>> FWIW, that was an artifact of the IPsec requirements for routers.
>>>>>>> 4301 has the following requirements:
>>>>>>>
>>>>>>> (end sec 4.1, RFC 4301): In summary,
>>>>>>>
>>>>>>> a) A host implementation of IPsec MUST support both transport and
>>>>>>> tunnel mode.  This is true for native, BITS, and BITW
>>>>>>> implementations for hosts.
>>>>>>>
>>>>>>> b) A security gateway MUST support tunnel mode and MAY support
>>>>>>> transport mode.  If it supports transport mode, that should be used
>>>>>>> only when the security gateway is acting as a host, e.g., for
>>>>>>> network management, or to provide security between two intermediate
>>>>>>> systems along a path.
>>>>>>>
>>>>>>> A gateway acts as a host for all its routing protocol connections,
>>>>>>> and thus its control plane should have to comply with (a).
>>>>>>>
>>>>>>> I agree, that's why IPsec isn't a good choice to protect BGP, but
>>>>>>> we sort of created that situation in 4301, AFAICT.
>>>>>>>
>>>>>>> Joe
>>>>>>
>>>>>> I won't quibble with that argument as far as protecting BGP. But for
>>>>>> the "router-to-server" protocol described by this draft is actually
>>>>>> acting as a host for the exchange.
>>>>>
>>>>> Routers act as hosts for all routing protocol exchanges; that's not unique
>>>>> to the router-server exchange.
>>>>>
>>>>>> There are more router IPsec implementations that can protect the
>>>>>> control plane now, and meeting the requirements above would likely be
>>>>>> doable.
>>>>>
>>>>> There are other potential reasons why IPsec may or may not be the best
>>>>> choice, but I don't much care whether IPsec or TCP-AO is used; those are the
>>>>> appropriate choices if you care that the transport protocol is protected.
>>>>>
>>>>> Joe
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> sidr mailing list
>>>>> sidr@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/sidr
>>>>>
>>>
>

v2.23.0 | Report a Bug | By Email