Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00

"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Tue, 16 July 2013 08:55 UTC

Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A87C111E826D for <sidr@ietfa.amsl.com>; Tue, 16 Jul 2013 01:55:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i9SBNUwd1TIq for <sidr@ietfa.amsl.com>; Tue, 16 Jul 2013 01:55:33 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id ECD8B11E826B for <sidr@ietf.org>; Tue, 16 Jul 2013 01:55:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7606; q=dns/txt; s=iport; t=1373964933; x=1375174533; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=mx/EQsBZn4os9Pb6e8meNkRR0yctN6eqX6yBxwZEMII=; b=C7HFMXPtcykkWV12fCzjNepBx93MUl8PvdYxk5uqOlKCJhPtzPSeandT ntxj/McH+KiQQoAd6PwRw/woganvUmj+/IqgN+aC6ERTWHQ0dQ67cMSgS 4UK2PnErQiK4aK2Eaod9fC/KRdeQbGYbvx/DlD3vzLi67D3OK2Pkp0fZ8 o=;
X-Files: smime.p7s : 4459
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhoFADUK5VGtJV2Z/2dsb2JhbABagwaBA8FegREWdIIjAQEBAwF5BQsCAQgYCiQCMCUCBA4FCAaHfAa2Fo8zMQeDC20DkA+BLZdtgxKBaiQa
X-IronPort-AV: E=Sophos; i="4.89,676,1367971200"; d="p7s'?scan'208"; a="235410733"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-4.cisco.com with ESMTP; 16 Jul 2013 08:55:32 +0000
Received: from xhc-rcd-x08.cisco.com (xhc-rcd-x08.cisco.com [173.37.183.82]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r6G8tU4t004871 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 16 Jul 2013 08:55:31 GMT
Received: from xmb-rcd-x02.cisco.com ([169.254.4.192]) by xhc-rcd-x08.cisco.com ([173.37.183.82]) with mapi id 14.02.0318.004; Tue, 16 Jul 2013 03:55:30 -0500
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Andy Newton <andy@arin.net>
Thread-Topic: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
Thread-Index: AQHOggI43ICaooFB+UuLQGBU0PP5qA==
Date: Tue, 16 Jul 2013 08:55:29 +0000
Message-ID: <EF4348D391D0334996EE9681630C83F0221213C8@xmb-rcd-x02.cisco.com>
References: <CE09A41F.268E1%andy@arin.net>
In-Reply-To: <CE09A41F.268E1%andy@arin.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.148.51.90]
Content-Type: multipart/signed; boundary="Apple-Mail=_AAD881B5-B8F1-44B7-9E9E-676DF3AC8DE8"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Cc: "Murphy, Sandra" <Sandra.Murphy@sparta.com>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2013 08:55:38 -0000

Thanks Andy.

Do you think we need to add something in the security section about the transition?

Something like:

"A RP that performs a strick validation based on RFC6487 and fails to support the updates described in this document, would incorrectly invalidate RPKI signed objects that implements the changes in Section 2. At the time of this writing, all known RP software suites (you can mention them as in IDR) were tested and supported the updates on this document" 

Roque

On Jul 15, 2013, at 7:07 PM, Andy Newton <andy@arin.net> wrote:

> On 7/15/13 10:22 AM, "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
> wrote:
> 
>> Before sending my support to advance to the IESG, I wanted to ask the
>> author if they have tested the effects of this change on existing RP
>> tools. Do they really set the certificate as invalid?
> 
> Yes, we have tested against the three RP suites. One did not require a
> change while the other two required simple one line changes. Current
> releases of all three now accommodate it.
> 
> -andy
>