Re: [sidr] Ben Campbell's No Objection on draft-ietf-sidr-delta-protocol-07: (with COMMENT)
Tim Bruijnzeels <tim@ripe.net> Thu, 16 February 2017 14:31 UTC
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF71D129605; Thu, 16 Feb 2017 06:31:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 79y7bP1KR87j; Thu, 16 Feb 2017 06:31:12 -0800 (PST)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 856541294D7; Thu, 16 Feb 2017 06:31:12 -0800 (PST)
Received: from nene.ripe.net ([193.0.23.10]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <tim@ripe.net>) id 1ceN5L-0005ZT-TW; Thu, 16 Feb 2017 15:31:05 +0100
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-196.ripe.net) by nene.ripe.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.84_2) (envelope-from <tim@ripe.net>) id 1ceN5L-0008DU-PD; Thu, 16 Feb 2017 15:31:03 +0100
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset="us-ascii"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <148721586667.31507.17178698587667640093.idtracker@ietfa.amsl.com>
Date: Thu, 16 Feb 2017 15:31:03 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <6FE13EA4-CFDF-4FF0-BC4C-88CE7323571A@ripe.net>
References: <148721586667.31507.17178698587667640093.idtracker@ietfa.amsl.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ---------
X-RIPE-Spam-Report: Spam Total Points: -9.4 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0002]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719c066571be4ee67e09ece1face6815a53
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/dmGHctZLCLTPuKhHqvR2WnYfhWM>
Cc: Chris Morrow <morrowc@ops-netman.net>, sidr-chairs@ietf.org, The IESG <iesg@ietf.org>, sidr@ietf.org, draft-ietf-sidr-delta-protocol@ietf.org
Subject: Re: [sidr] Ben Campbell's No Objection on draft-ietf-sidr-delta-protocol-07: (with COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2017 14:31:19 -0000
Dear Ben, all, > On 16 Feb 2017, at 04:31, Ben Campbell <ben@nostrum.com> wrote: > > Ben Campbell has entered the following ballot position for > draft-ietf-sidr-delta-protocol-07: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-sidr-delta-protocol/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > - 3.4.1, 3rd paragraph: In a number of other protocols, a "User-Agent" > header can be used for implementation fingerprinting, so that an attacker > can guess what vulnerabilities might exist in that instance. Is that a > concern here? TL;DR: This is not strictly required by the delta protocol and can be taken out if big concerns exist. But I believe that this will help with operational planning of changes in RPKI standards. I do not see big security concerns - obviously if I did I would not have insisted to my co-authors that we should have this :) Longer: The "User-Agent" was introduced here solely to help capability tracking that may help in operations of *other* changes in the RPKI standards. For example: validation-reconsidered introduces new OIDs that when present will lead to current RPs rejecting objects that use them. If this happens at the trust anchor level that can be problematic. Because of this, the reconsidered document includes an intended timeline where RP software MUST be updated with this capability before CAs MAY use this. A timeline is one way to do this, but being able to also actually track if updated RP software is really deployed is useful. Similarly capability tracking can help with other (currently unplanned) changes in the RPKI: new object types, or changes to existing ones. And it can help if we ever need to do an algorithm roll-over, e.g. to elliptic-curve instead of RSA - then again knowing which proportion of RPs supports the new algorithm can help. On the other hand I do not see a huge security concern with this because even though Repository Servers would know which version of RP software is deployed where, they would not be able to attack them easily because RPs can normally be contacted only inside the trusted network where they are operated: e.g. routers using rpki-rtr. > - 3.5.3.2, 2nd paragraph: The MAY sounds more like a statement of fact > than permission. yes, but whether the files *are* cached is a choice, so I thought a normative MAY was in order. I don't particularly mind changing this though, because I don't think it will lead to ambiguity. > > - 5.2, 2nd paragraph: The RECOMMENDED sounds like a statement of fact as > worded. > I am not sure that I understand your comment. We RECOMMEND that RP software polls the Update Notification File for changes. We believe that is useful to mention here because new implementations may find it useful and it sends a message to Repository Servers that they should be prepared to deal with this. However, another strategy can also be used. For example the current RIPE NCC RPKI Validator will actually re-trigger a complete validation process every X (configurable) minutes and then try to fetch updates. This works, but is somewhat resource intensive for the RP. Would it be better if we did not RECOMMEND, but rather said something like this? RPs MAY poll the Update Notification File for changes, so that a potentially resource intense RPKI validation process can be avoided if there is no new content available.
- [sidr] Ben Campbell's No Objection on draft-ietf-… Ben Campbell
- Re: [sidr] Ben Campbell's No Objection on draft-i… Tim Bruijnzeels
- Re: [sidr] Ben Campbell's No Objection on draft-i… Ben Campbell