IETF Logo Mail Archive

Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

Brian Weis <bew@cisco.com> Thu, 07 April 2011 22:29 UTC

Return-Path: <bew@cisco.com>
X-Original-To: sidr@core3.amsl.com
Delivered-To: sidr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B690F3A69B9 for <sidr@core3.amsl.com>; Thu, 7 Apr 2011 15:29:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.474
X-Spam-Level:
X-Spam-Status: No, score=-110.474 tagged_above=-999 required=5 tests=[AWL=0.125, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gsWygUd4H452 for <sidr@core3.amsl.com>; Thu, 7 Apr 2011 15:29:38 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 687A53A69B1 for <sidr@ietf.org>; Thu, 7 Apr 2011 15:29:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=bew@cisco.com; l=3067; q=dns/txt; s=iport; t=1302215483; x=1303425083; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=lWWEsUanVC96mXbDtkBQ+VLbLaOrT0FjW3Dv94wQ5ks=; b=IqUgIA0B+/WVd+gy4rlVKJwO0Mf9V5Qpn3FW1J5ndWnBVuDBSA3hRxzd 9c6EL8YigMFViolMkovz1H5Gq6WmSzV0U/cr8NdKOLNlmvjv+nN2h8gS3 SKv8gC4/nxilxVEsu13B1eB245QMlGAtfnXebM1J4PLRNFemt+8uVv5Ne 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAFc6nk2rRDoJ/2dsb2JhbACmEXeIeZt2nE6FbQSFUod4
X-IronPort-AV: E=Sophos;i="4.63,319,1299456000"; d="scan'208";a="425941376"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by sj-iport-1.cisco.com with ESMTP; 07 Apr 2011 22:31:23 +0000
Received: from dhcp-128-107-151-120.cisco.com (dhcp-128-107-151-120.cisco.com [128.107.151.120]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p37MURE5013682; Thu, 7 Apr 2011 22:31:23 GMT
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Brian Weis <bew@cisco.com>
In-Reply-To: <BANLkTikTqCD4_=-Sjs7ng2qSLn3vYw5qLw@mail.gmail.com>
Date: Thu, 07 Apr 2011 15:31:23 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <55B61488-045C-44FA-90DB-83543A6209FB@cisco.com>
References: <AANLkTimq3hcdK7-f_Pa9sWJJOTzF_GBLcYu36sB3WszN@mail.gmail.com> <AANLkTikfn_ZRQNQx0QLV7fJa8DDeqMa=yRqWUH4krMHD@mail.gmail.com> <AANLkTinV88U3cF6z51eNtPeF-xKG1aWVgALd06CPq4kE@mail.gmail.com> <m2d3l6cj2l.wl%randy@psg.com> <289DB32D-D175-49DE-AA82-100407F64C23@juniper.net> <Pine.WNT.4.64.1104012156360.4612@mw-PC> <20110401210506.GA3082@juniper.net> <Pine.WNT.4.64.1104021120430.4612@mw-PC> <20110404083237.GA1860@juniper.net> <FFD0D281-AA3C-4CF2-8AF2-E1A2FE0A53A0@tcb.net> <20110404125015.GA3277@juniper.net> <BANLkTi=eZ=pQ2gJfiPBfeb4frH8Tncempw@mail.gmail.com> <m21v1i9ha8.wl%randy@psg.com> <BF88D659-1BE5-4DD2-AB24-7A113360DF37@cisco.com> <m2tyea7urr.wl%randy@psg.com> <8BE1C346-6214-4343-9E46-BFA8D96E4B6C@cisco.com> <BANLkTikTqCD4_=-Sjs7ng2qSLn3vYw5qLw@mail.gmail.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
X-Mailer: Apple Mail (2.1082)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2011 22:29:39 -0000

On Apr 7, 2011, at 9:28 AM, Christopher Morrow wrote:

> On Thu, Apr 7, 2011 at 12:30 AM, Brian Weis <bew@cisco.com> wrote:
>> 
>> On Apr 6, 2011, at 5:46 PM, Randy Bush wrote:
>> 
>>>> Getting a new application (such as the rtr protocol) specifying
>>>> hmac-md5 mandatory to implement through a Secdir review and then the
>>>> Security ADs just won't happen. The only exception I can think of is
>>>> if there were no possible alternatives, and that's obviously not the
>>>> case here.
>>> 
>>> with AO not implemented on any servers, routers not having ssh
>>> libraries, and this being a server to router protocol, what are the
>>> alternatives?
>>> 
>>> randy
>> 
>> I'm surprised IPsec hasn't been mentioned in this thread ... was it previously
> 
> see msgid: Message-ID: <BANLkTi=eZ=pQ2gJfiPBfeb4frH8Tncempw@mail.gmail.com>
> (5-6 messages back in this thread, from me)
> 
>> discussed and rejected? Correct me if I'm wrong, but I believe it's common for
>> BGP routers to support IPsec and servers definitely support IPsec. On the
> 
> it's not a guarantee that all bgp speakers here will have ipsec
> capable code... for some long time at least one vendor in their 'ISP'
> code didn't implement ipsec, or ssh for that matter. IPSEC is pretty
> heavy weight (from a config perspective) for this. Something like AO
> or MD5 is 'perfect', SSH as proposed does  a fine job as well, though
> has a bugaboo on at least one platform apparently.

I agree AO would be a great choice, but you'd probably want to wait for implementations. Maybe mandating it would spur the implementations. :-)

> 
>> router side, one or two IPsec sessions to servers should not be a burden. I'm
>> less sure of the server IPsec scaling properties, but I would expect a LINUX
>> or BSD kernel to have the scaling issues as were discussed earlier in this
>> thread regarding SSH but I'm no expert here.
> 
> lots of at-scale vpn systems are nothing but crypto-accelerators +
> linux/bsd underneath... I think there's an aversion to ipsec on
> routers (complexity and unused codepaths), ssh is 'used all the time'
> as is tcp-md5, as will (soon?) tcp-AO.
> 
> What is a reasonable way forward for now, MUST md5 and later when AO
> is more ubiquitous hammer through an update to the draft? Keeping a
> MAY for ssh transport?

Possibly the use of md5 would be more palatable to the security area if the protocol were Experimental rather than Standards-Track.  If the authors and chairs would be willing to make that change, it would be worth asking the Security ADs what they think. Then revision it to be standards track later when AO can be mandated.

Brian 

> 
> (in the vein of moving this forward since running code exists for both
> sides of this equation today)
> 
> -chris
> 
>> 
>> Brian
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>>

v2.23.0 | Report a Bug | By Email