IETF Logo Mail Archive

Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

Joe Touch <touch@isi.edu> Fri, 22 April 2011 04:16 UTC

Return-Path: <touch@isi.edu>
X-Original-To: sidr@ietfc.amsl.com
Delivered-To: sidr@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id F2DF1E07C0 for <sidr@ietfc.amsl.com>; Thu, 21 Apr 2011 21:16:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.161
X-Spam-Level:
X-Spam-Status: No, score=-104.161 tagged_above=-999 required=5 tests=[AWL=1.042, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s2lTVz9PITWI for <sidr@ietfc.amsl.com>; Thu, 21 Apr 2011 21:16:11 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by ietfc.amsl.com (Postfix) with ESMTP id E3052E06DD for <sidr@ietf.org>; Thu, 21 Apr 2011 21:16:10 -0700 (PDT)
Received: from [192.168.1.94] (pool-71-105-81-169.lsanca.dsl-w.verizon.net [71.105.81.169]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id p3M4ExAb003543 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 21 Apr 2011 21:15:08 -0700 (PDT)
References: <AANLkTimq3hcdK7-f_Pa9sWJJOTzF_GBLcYu36sB3WszN@mail.gmail.com> <AANLkTikfn_ZRQNQx0QLV7fJa8DDeqMa=yRqWUH4krMHD@mail.gmail.com> <AANLkTinV88U3cF6z51eNtPeF-xKG1aWVgALd06CPq4kE@mail.gmail.com> <m2d3l6cj2l.wl%randy@psg.com> <289DB32D-D175-49DE-AA82-100407F64C23@juniper.net> <Pine.WNT.4.64.1104012156360.4612@mw-PC> <20110401210506.GA3082@juniper.net> <Pine.WNT.4.64.1104021120430.4612@mw-PC> <20110404083237.GA1860@juniper.net> <FFD0D281-AA3C-4CF2-8AF2-E1A2FE0A53A0@tcb.net> <20110404125015.GA3277@juniper.net> <BANLkTi=eZ=pQ2gJfiPBfeb4frH8Tncempw@mail.gmail.com> <m21v1i9ha8.wl%randy@psg.com> <BF88D659-1BE5-4DD2-AB24-7A113360DF37@cisco.com> <m2tyea7urr.wl%randy@psg.com> <8BE1C346-6214-4343-9E46-BFA8D96E4B6C@cisco.com> <p06240810c9c90b883458@128.89.89.213> <4DAF44AC.8060408@isi.edu> <E3076C4C-F27C-40A8-A033-2EBB8C39A3D2@cisco.com> <4DAF796C.7010807@isi.edu> <BANLkTi=Oc-fEKOYCRQqM97wPxSSXjrdTRw@mail.gmail.com>
In-Reply-To: <BANLkTi=Oc-fEKOYCRQqM97wPxSSXjrdTRw@mail.gmail.com>
Mime-Version: 1.0 (iPhone Mail 8H7)
Content-Type: text/plain; charset="us-ascii"
Message-Id: <409BDC5C-FE86-444A-BC0D-6DA00E7BF0F3@isi.edu>
Content-Transfer-Encoding: quoted-printable
X-Mailer: iPhone Mail (8H7)
From: Joe Touch <touch@isi.edu>
Date: Thu, 21 Apr 2011 21:14:57 -0700
To: Christopher Morrow <morrowc.lists@gmail.com>
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2011 04:16:12 -0000

On Apr 21, 2011, at 7:45 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:

> So.. round and round the rosemary bush we go, still we have no actual
> things that run actual tcp-ao, so given that can we either:
> 
> 1) use md5 (as a MUST, with ssh as a MAY) and rev the doc at a later
> point to say that AO is a MUST and remove md5
> 2) move this doc along the path
> 3) get implementations of the protocol today to start using md5

You could instead do what the TCP-AO rfc recommends for apps like BGP:

- MUST support TCP-AO
- MAY also support TCP MD5 for backward compatibility

This avoids reinventing an answer for BGP caches and just applies the *current* advice for BGP in general. 

Joe


> 
> -chris
> (co-chair-toe-socks-on)
> 
> On Wed, Apr 20, 2011 at 8:25 PM, Joe Touch <touch@isi.edu> wrote:
>> 
>> 
>> On 4/20/2011 5:19 PM, Brian Weis wrote:
>>> 
>>> On Apr 20, 2011, at 1:40 PM, Joe Touch wrote:
>>> 
>>>> 
>>>> 
>>>> On 4/11/2011 12:49 PM, Stephen Kent wrote:
>>>>> 
>>>>> At 9:30 PM -0700 4/6/11, Brian Weis wrote:
>>>>>> 
>>>>>> On Apr 6, 2011, at 5:46 PM, Randy Bush wrote:
>>>>>> 
>>>>>>>> Getting a new application (such as the rtr protocol)
>>>>>>>> specifying hmac-md5 mandatory to implement through a Secdir
>>>>>>>> review and then the Security ADs just won't happen. The
>>>>>>>> only exception I can think of is if there were no possible
>>>>>>>> alternatives, and that's obviously not the case here.
>>>>>>> 
>>>>>>> with AO not implemented on any servers, routers not having
>>>>>>> ssh libraries, and this being a server to router protocol,
>>>>>>> what are the alternatives?
>>>>>>> 
>>>>>>> randy
>>>>>> 
>>>>>> I'm surprised IPsec hasn't been mentioned in this thread ...
>>>>>> was it previously discussed and rejected? Correct me if I'm
>>>>>> wrong, but I believe it's common for BGP routers to support
>>>>>> IPsec and servers definitely support IPsec. On the router side,
>>>>>> one or two IPsec sessions to servers should not be a burden.
>>>>>> I'm less sure of the server IPsec scaling properties, but I
>>>>>> would expect a LINUX or BSD kernel to have the scaling issues
>>>>>> as were discussed earlier in this thread regarding SSH but I'm
>>>>>> no expert here.
>>>>>> 
>>>>>> Brian
>>>>> 
>>>>> A few years ago we were told by vendors that many router
>>>>> implementations of IPsec were available only to traffic passing
>>>>> through a router, not to the control plane terminating in a
>>>>> router. Unless that has changed, IPsec is not a good candidate
>>>>> here.
>>>> 
>>>> FWIW, that was an artifact of the IPsec requirements for routers.
>>>> 4301 has the following requirements:
>>>> 
>>>> (end sec 4.1, RFC 4301): In summary,
>>>> 
>>>> a) A host implementation of IPsec MUST support both transport and
>>>> tunnel mode.  This is true for native, BITS, and BITW
>>>> implementations for hosts.
>>>> 
>>>> b) A security gateway MUST support tunnel mode and MAY support
>>>> transport mode.  If it supports transport mode, that should be used
>>>> only when the security gateway is acting as a host, e.g., for
>>>> network management, or to provide security between two intermediate
>>>> systems along a path.
>>>> 
>>>> A gateway acts as a host for all its routing protocol connections,
>>>> and thus its control plane should have to comply with (a).
>>>> 
>>>> I agree, that's why IPsec isn't a good choice to protect BGP, but
>>>> we sort of created that situation in 4301, AFAICT.
>>>> 
>>>> Joe
>>> 
>>> I won't quibble with that argument as far as protecting BGP. But for
>>> the "router-to-server" protocol described by this draft is actually
>>> acting as a host for the exchange.
>> 
>> Routers act as hosts for all routing protocol exchanges; that's not unique
>> to the router-server exchange.
>> 
>>> There are more router IPsec implementations that can protect the
>>> control plane now, and meeting the requirements above would likely be
>>> doable.
>> 
>> There are other potential reasons why IPsec may or may not be the best
>> choice, but I don't much care whether IPsec or TCP-AO is used; those are the
>> appropriate choices if you care that the transport protocol is protected.
>> 
>> Joe
>> 
>> 
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>>

v2.23.0 | Report a Bug | By Email