IETF Logo Mail Archive

Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protocol-05

Sean Turner <turners@ieca.com> Thu, 20 September 2012 21:47 UTC

Return-Path: <turners@ieca.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF68E21E809C for <sidr@ietfa.amsl.com>; Thu, 20 Sep 2012 14:47:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.915
X-Spam-Level:
X-Spam-Status: No, score=-100.915 tagged_above=-999 required=5 tests=[AWL=-0.950, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, MANGLED_LIST=2.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M2JReIUlL3fA for <sidr@ietfa.amsl.com>; Thu, 20 Sep 2012 14:47:03 -0700 (PDT)
Received: from gateway08.websitewelcome.com (gateway08.websitewelcome.com [67.18.36.18]) by ietfa.amsl.com (Postfix) with ESMTP id E58E921E8049 for <sidr@ietf.org>; Thu, 20 Sep 2012 14:47:02 -0700 (PDT)
Received: by gateway08.websitewelcome.com (Postfix, from userid 5007) id 4453122CB6AE8; Thu, 20 Sep 2012 16:47:02 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway08.websitewelcome.com (Postfix) with ESMTP id 3964322CB6AC8 for <sidr@ietf.org>; Thu, 20 Sep 2012 16:47:02 -0500 (CDT)
Received: from [108.18.174.220] (port=49401 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <turners@ieca.com>) id 1TEoaK-0000Iu-Pk for sidr@ietf.org; Thu, 20 Sep 2012 16:47:00 -0500
Message-ID: <505B8ED3.8020505@ieca.com>
Date: Thu, 20 Sep 2012 17:46:59 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: "sidr@ietf.org" <sidr@ietf.org>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F706AF@CMA-MB003.columbia.ads.sparta.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F625F706AF@CMA-MB003.columbia.ads.sparta.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [108.18.174.220]:49401
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 1
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Subject: Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protocol-05
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Sep 2012 21:47:04 -0000

Here's my review:

One biggie:

1) MUST have an "IANA Considerations" section even if it says "none". 
But, I think you've Flags and Info Types to register right?

Algs are getting done elsewhere ;)

One not so biggie but a required formatting thing:

1) s9: If all references are normative, put "Normative" in the section 
title.

A bunch of nits mixed in with requests for additional clarifications 
(i.e., no biggies):

1) s1: r/must have an/needs an

2) s1: r/does not require/does not need

3) s2: r/[4]that/[4] that

4) s2, bits 2 and 3 as well as the fourth octet: normally this should 
would be a must any reason it's not a must?:

  These
  reserved bits should be set to zero by the sender and ignored by the
  receiver.

5) s2: contains the following:

  If there does not exist at least one version of BGPSEC that is
  supported by both peers in a BGP session, then the use of BGPSEC has
  not been negotiated.  (That is, in such a case, messages containing
  the BGPSEC_Path_Signatures MUST NOT be sent.)

Should this paragraph say something about the BGP NOTIFICATION message 
with the Error Code 2 (OPEN Message Error) and the OPEN Message Error 
SubCode 4 (Unsupported Optional Parameter) or is it the SubCode 7 
(Unsupported Capability) MUST be returned if both don't support bgpsec?

6) s2, Figure: If the AFI is 2 octets can we do the following:

    +---------------------------------------+
    |               AFI                     |
    +                                       +
    |                                       |
    +---------------------------------------+

so people won't ask what's in the blank line ;)

7) s2: Is there a reference for AFI that we can point to?

8) s2: ? r/speaker must include two/speaker includes two

9) s2: r/it has also advertises/it has also advertised

10) s2: r/(see RFC 4893)./[RFC 4893] - and add a reference.

11) s2: X2 (aligns with earlier sentences) r:/its open message/its BGP 
OPEN message/

12) s3: r/new optional/new OPTIONAL

13) High-Level Diagram of the BGPSEC_Path_Signatures Attribute
     BGPSEC_Path_Signatures figure: I might be reading way to much in to 
this but I don't want people to get the impression that signature X and 
Y for alg 1 and 2 are the same.  You might draw that conclusion from this:

  |     +-----------------+       +-----------------+       |
  |     | Sig Block 1     |       |  Sig Block 2    |       |
  |     +-----------------+       +-----------------+       |
  |     | Alg Suite 1     |       |  Alg Suite 2    |       |
  |     | SKI X           |       |  SKI X          |       |
  |     | Sig Length X    |       |  Sig Length X   |       |
  |     | Signature X     |       |  Signature X    |       |
  |     | SKI Length Y    |       |  SKI Length Y   |       |
  |     | SKI Y           |       |  SKI Y          |       |
  |     | Sig Length Y    |       |  Sig Length Y   |       |
  |     | Signature Y     |       |  Signature Y    |       |
  |     |      ...        |       |      ....       |       |
  |     +-----------------+       +-----------------+       |

Maybe in Sig Block 1 r/X/X1 and r/Y/Y1 and in Sig block 2 r/X/X2 and r/Y/Y2?

14) s3: If it does include the AS_PATH attribute what happens:

  That is, update messages that contain the
  BGPSEC_Path_Signatures attribute MUST NOT contain the AS_PATH
  attribute.

15) s3.1: Should probably add some ascii art for the flags:

+-+-+-+-+-+-+-+-+
|C|   Reserved  |
+-+-+-+-+-+-+-+-+

16) s3.1: r/These bits MUST be set to zero by the sender.
            /These bits MUST be set to zero by the sender and ignored
             by the recipient.

17) s3.1/3.2: Are the editor's notes going to get removed at some point 
or are we planning on keeping it?

18) s3.3: Probably worth adding the the SKI is copied from the signers 
certificate and need not be generated.  Or, is that implementation specific?

19) s4: In the last paragraph should the "must" be "MUST" x2.  It's in a 
"Note" paragraph so I could see not use MUST, but in that case maybe 
r/must possess/needs and r/must/needs to. If you use the MUST strike 
"Note" -  I don't think requirements should appear in Note paragraphs 
(though they often do).

20) s4.1: I'd just strike "Note that" from the those two paragraphs (x3).

21) s4.2: If we're going to keep NOT RECOMMENDED then you need to add it 
to the conventions.  Put it after RECOMMENDED so the nit checker won't 
barf on it.

    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
    "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
    and "OPTIONAL" in this document are to be interpreted as described
    in RFC 2119 [8].

Actually, the RFC editor is going to move the requirements language to 
the mainbody so might as well do it now.  Just slap it in as s1.1.

22) s4.3: MUST instead of must:

   Members of autonomous system confederations [3] must additionally
   follow the instructions in this section for processing BGPSEC update
   messages.

23) s4.3: r/it must remove all
            /it MUST remove all ?
           r/confederation members must make
            /confederation members MUST make ?

24) s5.2: I think there a link missing to how you determine whether the 
certificate is valid in the following:

   To do this, consult the valid
   RPKI end-entity certificate data and look up all valid (AS, SKI,
   Public Key) triples in which the AS matches the AS number in the
   corresponding Secure_Path segment.

To me that means do the RPKI certificate checks in RFC 6487 as augmented 
by s3.3 of draft-ietf-sidr-bgpsec-pki-profiles.  Probably just adding a 
pointer to [11] would wfm.

   To do this, consult the valid
   RPKI end-entity certificate data and look up all valid (AS, SKI,
   Public Key) triples, see Section 3.3 of [11], in which the AS matches
   the AS number in the corresponding Secure_Path segment.

or something like that.

25) s6.1, 1st para: r/must/needs to X2

26) s6.1, 2nd para, 2nd sentence: I think the bit about the 'new' 
algorithm being specified in [12] should be deleted. It doesn't say 
anything about 'new' algorithm right now and the 3rd paragraph says if 
and when the new alg is chosen that draft will be updated.

27) s6.1: r/the future the mandatory/the future mandatory

That's it for now.

spt


On 9/15/12 7:45 AM, Murphy, Sandra wrote:
> This starts a working group last call for draft-ietf-sidr-bgpsec-protocol-05.  The draft is available at http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol-05 and https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-protocol/
>
> Please review this draft to see if you think it is ready for publication.  Send end comments to the list.
>
> The WGLC will end on 29 September 2012.
>
> --Sandy, speaking as wg co-chair
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>

v2.23.0 | Report a Bug | By Email