IETF Logo Mail Archive

Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

Joe Touch <touch@isi.edu> Mon, 22 August 2011 16:00 UTC

Return-Path: <touch@isi.edu>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A37C721F863A; Mon, 22 Aug 2011 09:00:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.959
X-Spam-Level:
X-Spam-Status: No, score=-102.959 tagged_above=-999 required=5 tests=[AWL=-0.960, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 863SP34aWu+S; Mon, 22 Aug 2011 09:00:45 -0700 (PDT)
Received: from darkstar.isi.edu (darkstar.isi.edu [128.9.128.127]) by ietfa.amsl.com (Postfix) with ESMTP id 19F9521F853E; Mon, 22 Aug 2011 09:00:45 -0700 (PDT)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by darkstar.isi.edu (8.13.8/8.13.8) with ESMTP id p7MG1VPO014838 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 22 Aug 2011 09:01:34 -0700 (PDT)
Message-ID: <4E527D5B.2080104@isi.edu>
Date: Mon, 22 Aug 2011 09:01:31 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: "t.petch" <ietfc@btconnect.com>
References: <AANLkTimq3hcdK7-f_Pa9sWJJOTzF_GBLcYu36sB3WszN@mail.gmail.com> <CAL9jLaaVbmExEM2ZwBf5Ur6aRbBayxX13xGBL27r-svOmC3Wvg@mail.gmail.com> <001801cc60bb$19329d00$4001a8c0@gateway.2wire.net>
In-Reply-To: <001801cc60bb$19329d00$4001a8c0@gateway.2wire.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: Christopher Morrow <christopher.morrow@gmail.com>, sidr-chairs@ietf.org, sidr@ietf.org
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2011 16:00:45 -0000

Hi, Tom,

On 8/22/2011 4:03 AM, t.petch wrote:
> Chris
>
> I don't know if your training included
> draft-ietf-tsvwg-iana-ports-10
> currently in AUTH48 but it does say, as some on this list know well,
>
> "   A service name or port number assignment request contains the
>     following information.  The service name is the unique identifier of
>     a given service:
>
>        Service Name (REQUIRED)
>        Transport Protocol(s) (REQUIRED)
>        Assignee (REQUIRED)
>        Contact (REQUIRED)
>        Description (REQUIRED)
>        Reference (REQUIRED)
>        Port Number (OPTIONAL)
>        Service Code (REQUIRED for DCCP only)
>        Known Unauthorized Uses (OPTIONAL)
>        Assignment Notes (OPTIONAL)"
>
> which suggests a fairly rapid rejection of our I-D.

Sure, but on trivial grounds (the service names you provide have spaces).

To assist with your application, here's a suggestion (this need not be 
in the RFC, but the RFC should conform to the following information 
where it differs, e.g., the list of requested service names - note that 
this isn't guaranteed to fly, though, as per below):

         Service Name (REQUIRED) RPKI-Rtr
         Transport Protocol(s) (REQUIRED) TCP
         Assignee (REQUIRED) IESG <iesg@ietf.org> (as per sec 8.1.1.)
         Contact (REQUIRED) IETF Chair <chair@ietf.org>
         Description (REQUIRED) request/response exchange, including
	an initial message indicating version number; data transferred
	as native records with in-band record separators and
	transaction terminators; transport connection is
	persistent across multiple request/response exchanges;
	exchanges MUST be protected by access control, and MAY
	use TCP MD5, TCP-AO, or IPsec
         Reference (REQUIRED) See RFC (TBD)
         Port Number (OPTIONAL) any in the well-known range
         Service Code (REQUIRED for DCCP only) N/A
         Known Unauthorized Uses (OPTIONAL) N/A
         Assignment Notes (OPTIONAL)

         Service Name (REQUIRED) RPKI-Rtr-TLS
         Transport Protocol(s) (REQUIRED) TCP
         Assignee (REQUIRED) (as per sec 8.1.1.)
         Contact (REQUIRED) IETF Chair <chair@ietf.org>
         Description (REQUIRED) request/response exchange, including
	an initial message indicating version number; data transferred
	as native records with in-band record separators and
	transaction terminators; transport connection is
	persistent across multiple request/response exchanges;
	exchanges MUST be protected by access control and TLS
         Reference (REQUIRED)See RFC (TBD)
         Port Number (OPTIONAL) any in the well-known range
         Service Code (REQUIRED for DCCP only) N/A
         Known Unauthorized Uses (OPTIONAL) N/A
         Assignment Notes (OPTIONAL)

Regarding Chris's question:
On 8/22/2011 6:17 AM, Christopher Morrow wrote:
 > Oddly, 'CONTACT' there is a person? or a WG? a 'person' seems
 > non-scalable in a number of dimensions.

Again see Sec 8.1.1. It's a person (usually the person who issues the 
request) in all cases except IETF document stream assignments.

> The section on two ports or
> one, which I alluded to earlier, is section 7.2 which starts with
> "   o  IANA strives to assign only one assigned port number per service
>        or application"\

This was updated as a result of IETF last call and IESG review. The 
current text (pending final typo corrections) reads as follows (the 
tracker here shows this:)
https://datatracker.ietf.org/doc/draft-ietf-tsvwg-iana-ports/writeup/

--
o  IANA strives to assign only one assigned port number per service
       or application

Note: At the time of writing of this document there is no IETF consensus
on when it is appropriate to use a second port for an insecure version 
of a protocol.
--

This is a bit of a sticky example, mostly because you're asking for a 
well-known port. It'd help to have IESG consensus on the use of an 
insecure protocol in that range.

The current doc is a bit confusing on this point - do you ever intend to 
allow both insecure and TCP MD5/TCP-AO/IPsec on the same port?

AFAICT, you actually want (need) three ports:

	RPKI-Rtr-open - insecure
	RPKI-Rtr-tnsec - transport/network security
	RPKI-Rtr-apsec	- application-layer security (TLS)

Then you need to explain clearly why you *cannot* determine which 
category a connection falls from the packets that arrive -- and 
performance alone is not a sufficient reason (that could then be used to 
argue, e.g., for dozens of ports for various services, and the port 
space is too limited to support that just for performance reasons).

It seems like -open is an uphill issue if you ask for a well-known port, 
IMO.

Joe

v2.23.0 | Report a Bug | By Email