Re: [sidr] New Version Notification for draft-kklf-sidr-route-server-rpki-light-00.txt

Thomas King <thomas.king@de-cix.net> Tue, 05 April 2016 18:01 UTC

Return-Path: <thomas.king@de-cix.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7990312D764 for <sidr@ietfa.amsl.com>; Tue, 5 Apr 2016 11:01:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.612
X-Spam-Level:
X-Spam-Status: No, score=-2.612 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LhRybdn_BrcP for <sidr@ietfa.amsl.com>; Tue, 5 Apr 2016 11:01:41 -0700 (PDT)
Received: from de-cix.net (relay4.de-cix.net [IPv6:2a02:c50:0:1e::4:1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5146712D7E4 for <sidr@ietf.org>; Tue, 5 Apr 2016 11:01:36 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="5.24,444,1454972400"; d="p7s'?scan'208"; a="3257916"
Received: from smtp.de-cix.net ([192.168.65.10]) by mailgw012.de-cix.net with ESMTP; 05 Apr 2016 20:01:34 +0200
Received: from MS-EXCHANGE.for-the-inter.net (unknown [192.168.49.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtp.de-cix.net (Postfix) with ESMTPS id 590A4B009D; Tue, 5 Apr 2016 20:01:34 +0200 (CEST)
Received: from MS-EXCHANGE.for-the-inter.net (192.168.49.2) by MS-EXCHANGE.for-the-inter.net (192.168.49.2) with Microsoft SMTP Server (TLS) id 15.0.1156.6; Tue, 5 Apr 2016 20:01:34 +0200
Received: from MS-EXCHANGE.for-the-inter.net ([fe80::9449:4d85:69bf:3d4c]) by MS-EXCHANGE.for-the-inter.net ([fe80::9449:4d85:69bf:3d4c%12]) with mapi id 15.00.1156.000; Tue, 5 Apr 2016 20:01:34 +0200
From: Thomas King <thomas.king@de-cix.net>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
Thread-Topic: New Version Notification for draft-kklf-sidr-route-server-rpki-light-00.txt
Thread-Index: AQHRNnoeBTQtz7wo5UuIHjaJS1blSp9v6SzwgAxStwA=
Date: Tue, 05 Apr 2016 18:01:33 +0000
Message-ID: <8865D28E-559D-42B5-AB5D-19E9D036681C@de-cix.net>
References: <20151214141704.6060.4078.idtracker@ietfa.amsl.com> <91A4DE37-13EF-4E45-9D7D-49C1D271D6A9@de-cix.net> <CY1PR09MB07936F92A7528605204D152C84860@CY1PR09MB0793.namprd09.prod.outlook.com>
In-Reply-To: <CY1PR09MB07936F92A7528605204D152C84860@CY1PR09MB0793.namprd09.prod.outlook.com>
Accept-Language: en-US, de-DE
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3112)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.168.140.155]
Content-Type: multipart/signed; boundary="Apple-Mail=_D0FE2587-65A0-40A1-BD1F-806C72969A1D"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/_j1QjgIiAuP40fyj4a7M139u65I>
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] New Version Notification for draft-kklf-sidr-route-server-rpki-light-00.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2016 18:01:43 -0000

Hi Sriram,

thanks for your feedback. I comment inline.

> On 28 Mar 2016, at 22:14, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov> wrote:
> 
> I read the draft. A few comments:
> 
> 1. RPKI validation refers to checking cryptographic integrity of the RPKI objects such as certs, ROAs, etc.
> What you intend to signal from RS to peers is prefix-origin validation results (RFC 6811).
> s/RPKI validation results/ prefix-origin validation results/g

Fixed.

> 
> 2. "Route-servers providing RPKI-based route
>   origin validation set the validation state according to the RPKI
>   validation result (see [I-D.ietf-sidr-rpki-validation-reconsidered])."  (in Section 2)
> 
> The reference cited here is incorrect. It should be RFC 6811.
> RFC 6811 defines the prefix-origin validation states and also provides the validation algorithm.

Fixed.

> 3. How do you signal that the RS did not perform validation on an update (for whatever reason)?
> Is that implicitly conveyed when the "Prefix Origin Validation State Extended Community"
> is absent in the update forwarded to peers? Maybe it needs to be said in the draft.
> For instance, 'Not Found' should not be used as default value in the extended community.
> 'Did not perform validation' should not be equated to 'Not Found'.

I see your point.
I do not want to add another state as ietf-sidr-origin-validation-signaling defines only the ones used in this draft. I would like to be as close as possible to ietf-sidr-origin-validation-signaling as this draft just adds another use-case (route servers) to the concept.
If validation could not be performed by the route server, no community should be set. The receiving peer should treat the update as if no prefix origin validation information was provided by the route server for this prefix ever. If this is okay with you, I will add a section covering this topic in the Recommendation section.

Best regards,
Thomas
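The behaviour discussed in this thread, as an added example that is not part of the original message, the draft, or any route-server implementation: an RFC 6811 prefix-origin validation routine as a route server would run it against its VRP set, the encoding and decoding of the Prefix Origin Validation State Extended Community, and the two conventions agreed above, namely that the route server attaches no community when it could not validate, and that a peer treats an absent community as "no validation information" rather than as Not Found. The type/subtype (0x43/0x00) and state values (0 valid, 1 not found, 2 invalid) are taken from RFC 8097, the published form of draft-ietf-sidr-origin-validation-signaling, since the page itself does not list them; the VRPs and routes are constructed sample data.

```python
"""Route-server side and peer side of prefix-origin validation signalling.

Added illustration, not code from the draft or from a real route server.
Extended-community codes follow RFC 8097; sample VRPs/routes are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Union

# Validation states as carried in the last octet of the extended community
VALID, NOT_FOUND, INVALID = 0, 1, 2
STATE_NAMES = {VALID: "valid", NOT_FOUND: "not-found", INVALID: "invalid"}

# Non-transitive opaque extended community, sub-type 0x00 (RFC 8097)
OV_STATE_TYPE = 0x43
OV_STATE_SUBTYPE = 0x00

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: a prefix, its maximum length, and the authorized origin AS."""
    prefix: Network
    max_length: int
    asn: int


def validate_origin(prefix: str, origin_as: int, vrps: List[VRP]) -> int:
    """RFC 6811 prefix-origin validation.

    NotFound if no VRP covers the route, Valid if a covering VRP matches the
    origin AS and the route is no longer than its maxLength, otherwise Invalid.
    """
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return NOT_FOUND
    for v in covering:
        if v.asn == origin_as and net.prefixlen <= v.max_length:
            return VALID
    return INVALID


def encode_ov_state(state: int) -> bytes:
    """Build the 8-octet extended community: type, sub-type, 5 reserved octets, state."""
    if state not in STATE_NAMES:
        raise ValueError(f"unknown validation state {state}")
    return struct.pack("!BB5xB", OV_STATE_TYPE, OV_STATE_SUBTYPE, state)


def decode_ov_state(ext_comm: bytes) -> Optional[int]:
    """Return the validation state, or None if this is not a (well-formed) OV-state community."""
    if len(ext_comm) != 8 or ext_comm[0] != OV_STATE_TYPE or ext_comm[1] != OV_STATE_SUBTYPE:
        return None
    state = ext_comm[7]
    return state if state in STATE_NAMES else None


def route_server_communities(prefix: str, origin_as: int, vrps: List[VRP],
                             validation_available: bool) -> List[bytes]:
    """Communities the route server attaches before forwarding an update.

    When the RS could not perform validation at all (validation_available is
    False), it attaches nothing instead of defaulting to Not Found.
    """
    if not validation_available:
        return []
    return [encode_ov_state(validate_origin(prefix, origin_as, vrps))]


def peer_view(ext_comms: List[bytes]) -> str:
    """Receiving peer: an absent community means 'no validation information', not Not Found."""
    for comm in ext_comms:
        state = decode_ov_state(comm)
        if state is not None:
            return STATE_NAMES[state]
    return "no-information"


# Constructed sample VRP set (documentation prefixes and private-use ASNs)
SAMPLE_VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("192.0.2.0/24", 64497), ("198.51.100.0/24", 64496)]:
        comms = route_server_communities(pfx, asn, SAMPLE_VRPS, True)
        print(pfx, asn, [c.hex() for c in comms], "->", peer_view(comms))
    print("RS without validation data ->", peer_view(route_server_communities("192.0.2.0/24", 64496, SAMPLE_VRPS, False)))
```

Because the community is non-transitive, it is only meaningful on the session between the route server and its peer; the peer reads it from that session and, on absence, falls back to whatever it would have done had the route server never signalled anything for the prefix.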