Re: [sidr] LTAM Discussion and questions
Christopher Morrow <christopher.morrow@gmail.com> Fri, 23 August 2013 22:06 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0F6311E8127 for <sidr@ietfa.amsl.com>; Fri, 23 Aug 2013 15:06:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MdLtxjnndE+0 for <sidr@ietfa.amsl.com>; Fri, 23 Aug 2013 15:06:05 -0700 (PDT)
Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 828E811E8124 for <sidr@ietf.org>; Fri, 23 Aug 2013 15:06:04 -0700 (PDT)
Received: by mail-la0-f46.google.com with SMTP id eh20so918594lab.33 for <sidr@ietf.org>; Fri, 23 Aug 2013 15:06:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=NtbH6Grt7HTZfbG00nZ39j0xqR8q9w7V8W6Exsph0TE=; b=m162WWc1yglcrn0d7xEijDB9ndqSZpU17L1L9HxDocer73IAOMLB7eAI7BVAvpqYmO tNNF+5IDJi0yMMQELzQnqkgQIghWCVQu3Kg5jeDk5UAgZ8N93vJuxXgQNbuqihhsto4f VaDIa7x9kAn+ywPAlyhf+zyQXR2Zsc48g4HNw7ONIqkXeuMOJ0XZF37veszA1IdsdvSY EQJlaB9YbJYxgl1xwqX2i2pZ/PqUSdH1EQ06wIvtOR9p0wan06V9c8o2RJapaYYFhmaH 8nqzvE6TWodIw29Yk/18sh/izyUI9yBovBR1SGacaNEYplVdt9AT+8OAxQOlj1HfOa52 s96Q==
MIME-Version: 1.0
X-Received: by 10.152.116.7 with SMTP id js7mr1245526lab.11.1377295561224; Fri, 23 Aug 2013 15:06:01 -0700 (PDT)
Received: by 10.152.6.3 with HTTP; Fri, 23 Aug 2013 15:06:01 -0700 (PDT)
In-Reply-To: <520D4A3B.2010006@bbn.com>
References: <CAL9jLabdbzWs3UHdVOYksQU+vy2WBOEwf9Y4qz2Y=nWxrBEE_w@mail.gmail.com> <52B306E0-3C7B-4283-B683-F6EAD8BA4189@apnic.net> <CAL9jLabkdppnZk8pL95fdufzMJB6q_40On07xxWVqrx9rApucQ@mail.gmail.com> <520D4A3B.2010006@bbn.com>
Date: Fri, 23 Aug 2013 18:06:01 -0400
Message-ID: <CAL9jLaZzXj9_d2BbF7Zr6dtwtHk1cH7zxeHY80KcxN5w9MPYFg@mail.gmail.com>
From: Christopher Morrow <christopher.morrow@gmail.com>
To: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] LTAM Discussion and questions
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 22:06:06 -0000
On Thu, Aug 15, 2013 at 5:38 PM, Stephen Kent <kent@bbn.com> wrote: > > Chris, > > > I agree with several of the folks who commented about the LTAMv2 > presentation and your call for comments. > > We need to provide an updated description of the problems we are trying to > address, and details of how we propose to address these problems. The slide > presentation at the meeting was intended to provide a preview, but it is not > a substitute for detailed text. > ok... there seem to be several calls for 'please document what you mean to say'. > So, let's begin the revised problem discussion, starting with text from the > most recent version of the LTAM doc (v8). BTW, this text has not changed > since the 00 version, dated November, 2010. > > The abstract from the I-D(s) says: > > The primary motivation for the facility described in this > > document is to enable an RP to ensure that INR information > > that it has acquired via some trusted channel is not > > overridden by the information acquired from the RPKI > > repository system or by the putative TAs that the RP imports. > > This is still the primary motivation for LTAMv2, but I think it’s worth > expanding on the rationale behind this mechanistic description of the > motivation. The concerns we are addressing are twofold: > > - Local use of private (RFC 1918) address space in conjunction with RPKI > validation mechanisms > > - Ways to recover from errors, or malicious actions, by CAs in the RPKI > hierarchy > > > > In SIDR WG presentations we discussed the first rationale extensively. The > second concern was discussed more extensively in RIR meetings, where the > specter of law enforcement orders issued to RIRs was cited as a significant > concern by some folks. > > > > As I mentioned in my presentation two weeks ago, we noticed that the > mechanism that we documented was probably fine for dealing with allocations > performed at the IANA and RIR tiers of the RPKI. So, for example, if an RP > wants to employ RFC 1918 private address space with RPKI controls, the local > TA mechanism, which makes use of “re-parenting” and “hole punching” would > work. However, if we use these mechanism to "protect" address space for > ISP-1, who received an allocation from ISP-2 (vs. from an RIR), problems > could arise. Specifically, ROAs issued by ISP-2 could be rejected by an RP > using LTAM, due to hole-punching. This was an unintended side-effect of the > mechanism, one we would like to avoid. > this gets to some of the problem(s) that danny (and I think terry) were concerned with... across administrative domains this all becomes very dicey :( (or at least very undefined) > The abstract also says: > > This mechanism is designed for local use by an RP, > but any entity that is accorded administrative control over a > > set of RPs may use this mechanism to convey its view of the > > RPKI to RPs within its jurisdiction. The means by which this > > latter use case is effected is outside the scope of this > > document. > > > > The lack of a description of how to securely distribute the LTAM constraints > file was viewed by some folks as a shortcoming. Moreover, we were approached > by an NIR that wanted to extend the capability noted above. Their desire was > to be able to publish resource allocation data for folks in their country, > for consumption both internally and externally, in a way that would be > immune to errors or malicious actions by actors within the RPKI hierarchy > (but outside of their country). (This data needed to be valid as per the > RPKI hierarchy, prior to any errors or malicious actions, to limit the > ability of a country to make assertions about address space that was not > allocated to entities within the country.) No RPs outside of the country > would have to pay attention to this data, but they could make use of it if > they wished (if there were standards for how to make it available in a > secure fashion). While an NIR raised this issue, the concern is generally > applicable, irrespective of the presence of NIRs within a region. > sounds like 'crazy talk' (technical term), but sure. > > We revisited the LTAM design to see if we could address the cited > motivation(s) via a mechanism that would not have the problem we noted > above, and if we could also address the concerns raised by the NIR. We also > received some comments on the document noting that the mechanisms seemed > complex, even after we revised the text to try to better explain what was > happening. So, a simpler design was also a goal. Finally, we wanted to make > the design a bit more flexible, to accommodate other objects that might be > added to the RPKI system in the future. ok... so at the end of the day you are going to spin a draft to talk about this in more detail, or that's what it sounds like you're planning on doing :) If there were a draft out in the next say 4 weeks we could have a better discussion about this on-list and then a longer (and probably more fun) talk at the next meeting in Vancouver? Is 4wks doable for this? -chris
- [sidr] LTAM Discussion and questions Christopher Morrow
- Re: [sidr] LTAM Discussion and questions Geoff Huston
- Re: [sidr] LTAM Discussion and questions Christopher Morrow
- Re: [sidr] LTAM Discussion and questions Randy Bush
- Re: [sidr] LTAM Discussion and questions Terry Manderson
- Re: [sidr] LTAM Discussion and questions Carlos Martinez-Cagnazzo
- Re: [sidr] LTAM Discussion and questions Stephen Kent
- Re: [sidr] LTAM Discussion and questions Christopher Morrow
- Re: [sidr] LTAM Discussion and questions Stephen Kent