Re: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11
Tim Bruijnzeels <tim@ripe.net> Thu, 30 April 2015 09:43 UTC
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D43EF1ACD8B; Thu, 30 Apr 2015 02:43:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YIzt6cmYK2nw; Thu, 30 Apr 2015 02:43:05 -0700 (PDT)
Received: from koko.ripe.net (koko.ripe.net [IPv6:2001:67c:2e8:11::c100:1348]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DC5A1A90B0; Thu, 30 Apr 2015 02:43:05 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by koko.ripe.net with esmtps (UNKNOWN:AES256-GCM-SHA384:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1Ynkzm-0004Cb-4X; Thu, 30 Apr 2015 11:43:03 +0200
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=[IPv6:2001:67c:2e8:5009::151]) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1Ynkzl-0005bH-Vp; Thu, 30 Apr 2015 11:43:02 +0200
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: text/plain; charset="us-ascii"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <m2d22mfrqp.wl%randy@psg.com>
Date: Thu, 30 Apr 2015 11:43:01 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <8271CC14-248D-4F65-852E-6436E8DBC935@ripe.net>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <91148102-DADB-42E8-96A0-E89120642894@tislabs.com> <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com> <EF4348D391D0334996EE9681630C83F02D173BEB@xmb-rcd-x02.cisco.com> <B1EDF7B6-1E42-440E-BD3F-29723AD7E4A4@muada.com> <986c7f50a5300c46ad05afb643be3a1d@mail.mandelberg.org> <4C80F9CE-06F9-4FB7-852B-BF1B205738FC@muada.com> <CY1PR09MB079302CC52C7791F3C0C512984D70@CY1PR09MB0793.namprd09.prod.outlook.com> <CF9FE7BA-C934-401C-B2F4-0CE4AF062ECC@muada.com> <CY1PR09MB079352552ED82496B5A4513D84D70@CY1PR09MB0793.namprd09.prod.outlook.com> <m2d22mfrqp.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.2098)
X-RIPE-Spam-Level: --
X-RIPE-Spam-Report: Spam Total Points: -2.9 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719a20cc706ea76f97e44c3a294f72fb301
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/TmZE-3DkmZ2qMhkjwcZZhrljWXU>
Cc: "sidr@ietf.org" <sidr@ietf.org>, "idr@ietf.org" <idr@ietf.org>, Iljitsch van Beijnum <iljitsch@muada.com>, "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, David Mandelberg <david@mandelberg.org>
Subject: Re: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2015 09:43:09 -0000
Hi, > On 30 Apr 2015, at 01:18, Randy Bush <randy@psg.com> wrote: > >> First: >> There should be operational BCP recommendation based on the principle of make-before-break >> ( in doc like https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-ops-05 ): >> 1. Certificate should be renewed and pre-published in advance of expiry of the current certificate; >> There should be overlapping validity period bridging the two (current and new certs). >> (See https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-rollover-03 and >> https://www.ietf.org/proceedings/92/slides/slides-92-sidr-5.pdf ) >> 2. The update for the prefix should be re-originated (by origin AS) or re-propagated (by a transit AS). >> Basically, whoever got a new certificate should do this refresh within the above overlap period. >> >> The above two BCP steps, if followed, will help prevent "couldn't validate because of certificate lifetime". >> >> Second: >> The operational BCP can also say: >> Allow a certain grace period before you act on the update that became 'Not Valid' due to cert expiry. >> (Earlier Sandy also mentioned this.) >> >> Your other scenario "validation failed because of a bad signature or bad certificate chain" is fine. >> In this scenario, the update is labeled 'Not Valid' for good reason. > > > From: Randy Bush <randy@psg.com> > Subject: Re: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11 > To: Roque Gagliano <rogaglia@cisco.com> > Cc: idr wg <idr@ietf.org>, sidr wg <sidr@ietf.org> > Date: Wed, 29 Apr 2015 12:07:02 +0900 > > ca software should warn the user of upcoming expiration of certs, ee > certs, roas, crls, drivers' licenses, ... > > but what is the user gonna do? they're gonna renew. so maybe renew > automagically and tell the user? For the record in the RIPE NCC software we automagically re-issue CA certificates to members 6 months before they expire (and log errors in case of problems, so we have time to respond). Our system currently only supports non-hosted setups where a member runs their own remote CA in our pilot environment, but there too we pro-actively re-issue.. we don't tell the CA because in the provisioning protocol model the child CA can contact us, but we can't contact them. We do tell them about the new certificate when the CA queries, as they do regularly. We believe that this is safe to do. The new certificate is equivalent in every way to the last requested and issued certificate except that the validity time is longer, so we don't see any scenario where the child would not agree to this - i.e. we can be pro-active. For hosted member CAs we also re-issue ROAs 6 months before the expire, and we re-issue MFTs 16 hours before their 'next update time' and 6 days and 16 hours before their EE certificate expiration. > > randy > > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- [sidr] wglc for draft-ietf-sidr-bgpsec-protocol-11 Sandra Murphy
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… George, Wes
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Sriram, Kotikalapudi
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Michael Baer
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Michael Baer
- [sidr] David M's point about the bgpsec protocol … Sandra Murphy
- Re: [sidr] David M's point about the bgpsec proto… Randy Bush
- Re: [sidr] David M's point about the bgpsec proto… Randy Bush
- Re: [sidr] David M's point about the bgpsec proto… Sandra Murphy
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Keyur Patel (keyupate)
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Montgomery, Douglas
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Randy Bush
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Sriram, Kotikalapudi
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… David Mandelberg
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Matthew Lepinski
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Michael Baer
- Re: [sidr] wglc for draft-ietf-sidr-bgpsec-protoc… Sriram, Kotikalapudi
- [sidr] Levels of BGPsec/RPKI validation, was: Re:… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Roque Gagliano (rogaglia)
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… David Mandelberg
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Sandra Murphy
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Roque Gagliano (rogaglia)
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Randy Bush
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Geoff Huston
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Sriram, Kotikalapudi
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Randy Bush
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Jared Mauch
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Sriram, Kotikalapudi
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Iljitsch van Beijnum
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Randy Bush
- Re: [sidr] [Idr] Levels of BGPsec/RPKI validation… Tim Bruijnzeels
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Matthew Lepinski
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Iljitsch van Beijnum
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Matthew Lepinski
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Iljitsch van Beijnum
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Sriram, Kotikalapudi
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Stephen Kent
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Iljitsch van Beijnum
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Stephen Kent
- Re: [sidr] Levels of BGPsec/RPKI validation, was:… Sriram, Kotikalapudi