Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

Joe Touch <touch@isi.edu> Tue, 27 September 2011 21:51 UTC

Message-ID: <4E8245DD.6050800@isi.edu>
Date: Tue, 27 Sep 2011 14:53:33 -0700
From: Joe Touch <touch@isi.edu>
To: "t.petch" <ietfc@btconnect.com>
References: <AANLkTimq3hcdK7-f_Pa9sWJJOTzF_GBLcYu36sB3WszN@mail.gmail.com><CAL9jLaaVbmExEM2ZwBf5Ur6aRbBayxX13xGBL27r-svOmC3Wvg@mail.gmail.com><001801cc60bb$19329d00$4001a8c0@gateway.2wire.net><4E527D5B.2080104@isi.edu><003f01cc626f$4d2d2d40$4001a8c0@gateway.2wire.net><4E554ECC.3020408@isi.edu><F350099E-1EEA-4478-BFC2-72A4622012E5@vpnc.org><4E5570EF.4020202@isi.edu><6E68CE6B-920E-4A4C-AEB4-1E775C702284@vpnc.org><4E55925A.90309@isi.edu> <CAL9jLaasfBXB531wpANhCNXfedSaOi3FO-BJEEN0ggnkS=3D9A@mail.gmail.com> <011b01cc7cea$48e59a20$4001a8c0@gateway.2wire.net>
In-Reply-To: <011b01cc7cea$48e59a20$4001a8c0@gateway.2wire.net>
Cc: Christopher Morrow <christopher.morrow@gmail.com>, sidr-chairs@ietf.org, sidr@ietf.org
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

Right - for those on this list:

-16 says:

    This document requests the IANA to assign 'well known' TCP Port
    Numbers to the RPKI-Router Protocol for the following, see Section 7:

            RPKI-Rtr
            RPKI-Rtr TLS

It should say:

    This document requests the IANA to assign 'well known' TCP Port
    Numbers to the RPKI-Router Protocol for the following, see Section 7:

            RPKI-Rtr	TCP
            RPKI-Rtr-s	TCP

(with corresponding changes to section 7).

Joe

On 9/27/2011 12:51 AM, t.petch wrote:
> Chris
>
> Joe also made the point that the Service names as currently specified have an
> invalid syntax in that there is a space in there, so that needs fixing, I think
> before an IETF LC.
>
> Tom Petch
>
>
> ----- Original Message -----
> From: "Christopher Morrow"<christopher.morrow@gmail.com>
> To: "Joe Touch"<touch@isi.edu>
> Cc:<sidr-chairs@ietf.org>; "Paul Hoffman"<paul.hoffman@vpnc.org>;
> <sidr@ietf.org>
> Sent: Monday, September 26, 2011 3:44 PM
> Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
>
>
> On Wed, Aug 24, 2011 at 8:07 PM, Joe Touch<touch@isi.edu>  wrote:
>>
>>
>> On 8/24/2011 3:57 PM, Paul Hoffman wrote:
>>>
>>> On Aug 24, 2011, at 2:45 PM, Joe Touch wrote:
>>>
>>>> On 8/24/2011 1:27 PM, Paul Hoffman wrote:
>>>>>
>>>>> On Aug 24, 2011, at 12:19 PM, Joe Touch wrote:
>>>>>
>>>>>> Is there ever a reason that this service should exist as a totally open
>>>>>> and insecure port?
>>>>>
>>>>> Given that it is explicitly listed in the draft, I find it worrisome
>>>>> that you even ask the question.
>>>>>
>>>>> Caches and routers MUST implement unprotected transport over TCP
>>>>> using a port, RPKI-Rtr, to be assigned, see Section 12. Operators
>>>>> SHOULD use procedural means, ACLs, ... to reduce the exposure to
>>>>> authentication issues.
>>>>
>>>> I saw a declaration that this was required, but no REASON that
>>>> unprotected transport was necessary.
>>>
>>> Three paragraphs earlier in the document:
>>>
>>> Unfortunately,
>>> there is no protocol to do so on all currently used platforms.
>>> Therefore, as of this document, there is no mandatory to implement
>>> transport which provides authentication and integrity protection.
>>
>> I recall that discussion, but not the assertion that this would mean that
>> you'd suggest using an insecure port.
>>
>> If that's the case, I strongly recommend NOT asking for a system port.
>>
>>> This was discussed heavily in the WG.
>>>
>>>>>> Also, is there a reason for not assuming that the out-of-band and
>>>>>> in-band services cannot exist on the same port (other than performance
>>>>>> of the connection establishment)?
>>>>>
>>>>> Those aren't enough !?!?
>>>>
>>>> "those"? I listed only one - performance.
>>>
>>> Sorry, I misread your parenthetical as "other than performance and
>>> connection establishment". The idea that you can do TLS on the same port
>>> as not-TLS has been widely debated. It was finally agreed (maybe not by
>>> you) that the STARTTLS method for sharing a port may or may not be
>>> appropriate for each protocol. When I look at this protocol, I do not
>>> see a way to do it without completely rewriting the protocol interactions.
>>
>> Here I wasn't asking about TLS vs open, I was asking about TLS vs.
>> IPsec/MD5/AO, and whether that has a different answer than TLS vs. open.
>>
>> Whether for this protocol or not, I would appreciate understanding that in
>> more detail - even if off-list. I cannot see how the protocol matters if TLS
>> is started or not on a per-connection basis since the TLS would wrap (or
>> not) the data of the connect at the start. We can continue that off-list,
>> though.
>
> The doc in question hit version 16 on 8/13/2011... I think the authors
> feel that the problems/issues/discussion-points here are addressed in
> this version. Are we cycled down to acceptance of the language or no?
> The -16 version asks for a 'well-known' port, which gets to the main
> point of this discussion I think.
>
> (and an IANA request would still need to be made when the doc goes
> toward publishing)
>
> -Chris
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
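The syntax problem Tom and Joe raise above (a service name containing a space, and the proposed "RPKI-Rtr-s" fix) comes from the rules IANA applies to service names in RFC 6335 section 5.1. The following Python checker is an added illustration, not part of this thread or of the draft; the names it tests are taken from the message above, and the rule list encodes RFC 6335 as I read it (1 to 15 characters, only ASCII letters, digits and hyphens, at least one letter, no leading, trailing or adjacent hyphens).

```python
# Added example: check candidate IANA service names against the syntax
# rules of RFC 6335 section 5.1. Not code from the draft or the thread.

RULES_MAX_LEN = 15  # RFC 6335: service names are at most 15 characters


def service_name_problems(name):
    """Return the list of RFC 6335 rules that NAME violates (empty if valid)."""
    problems = []
    if not name:
        return ["empty"]
    if len(name) > RULES_MAX_LEN:
        problems.append("longer than 15 characters")
    # Only US-ASCII letters, digits and hyphens are allowed; a space fails here.
    if not all(c.isascii() and (c.isalnum() or c == "-") for c in name):
        problems.append("contains characters other than ASCII letters, digits and hyphens")
    # At least one letter, so a purely numeric name is rejected.
    if not any(c.isascii() and c.isalpha() for c in name):
        problems.append("contains no letter")
    if name.startswith("-") or name.endswith("-"):
        problems.append("begins or ends with a hyphen")
    if "--" in name:
        problems.append("has adjacent hyphens")
    return problems


def is_valid_service_name(name):
    return not service_name_problems(name)


def check_names(names):
    """Map each candidate name to its list of violations."""
    return {n: service_name_problems(n) for n in names}


# Names as they appear in -16 of the draft versus the fix proposed in the thread
DRAFT_16_NAMES = ["RPKI-Rtr", "RPKI-Rtr TLS"]
PROPOSED_NAMES = ["RPKI-Rtr", "RPKI-Rtr-s"]

if __name__ == "__main__":
    for label, names in (("-16", DRAFT_16_NAMES), ("proposed", PROPOSED_NAMES)):
        for name, problems in check_names(names).items():
            status = "ok" if not problems else "INVALID: " + "; ".join(problems)
            print(f"{label:9} {name!r:16} {status}")
```

Running it flags "RPKI-Rtr TLS" for the space and accepts both "RPKI-Rtr" and "RPKI-Rtr-s", which is exactly the change Joe asks for in the IANA section. Note that service names are compared case-insensitively, so the checker does not care about the mixed case used in the draft.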