Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
Christopher Morrow <morrowc.lists@gmail.com> Fri, 22 April 2011 05:10 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfc.amsl.com
Delivered-To: sidr@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id AA4B7E078E for <sidr@ietfc.amsl.com>; Thu, 21 Apr 2011 22:10:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M1opIPXDkaoK for <sidr@ietfc.amsl.com>; Thu, 21 Apr 2011 22:10:17 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfc.amsl.com (Postfix) with ESMTP id 814A1E07A7 for <sidr@ietf.org>; Thu, 21 Apr 2011 22:10:17 -0700 (PDT)
Received: by wwa36 with SMTP id 36so246116wwa.13 for <sidr@ietf.org>; Thu, 21 Apr 2011 22:10:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=okNhJGYbywcsRHLVtO/vM54f/CO9ekX576wKn3MVQP4=; b=Xnfc+FqaPUcPNnIGNaTSoEv85jS1eWF/jsZSHRTjFArziqe3IqeSMGRWOwH0Nwx3yH kC2l9IDjT+HVy57A68nu5YIKc5CxOyKkbOgHDn5rODnyqMwPN/g1GZB7HvrpSgZJA2UM pWOMX2lbZbp9O40D/HGopmYQja5X2SVFpWR2U=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=tItUbZbd91CuXJMhIAgBVm12mLJFB4gPEt+ccNzN83dpXVw5VVO/bWaBw+rbnVG5l5 mNoAfQoYsXjVeBfq5U7wPFdUm0JqQptG0J7fdtYH3xjZc9Xi2bSdaTcA3AnGoECrwLuw pSZAvfEC2EcbvYMh+Kz3VYVZ99q6uKSiejecA=
MIME-Version: 1.0
Received: by 10.216.69.203 with SMTP id n53mr274144wed.88.1303449016694; Thu, 21 Apr 2011 22:10:16 -0700 (PDT)
Sender: christopher.morrow@gmail.com
Received: by 10.216.234.156 with HTTP; Thu, 21 Apr 2011 22:10:16 -0700 (PDT)
In-Reply-To: <409BDC5C-FE86-444A-BC0D-6DA00E7BF0F3@isi.edu>
References: <AANLkTimq3hcdK7-f_Pa9sWJJOTzF_GBLcYu36sB3WszN@mail.gmail.com> <AANLkTikfn_ZRQNQx0QLV7fJa8DDeqMa=yRqWUH4krMHD@mail.gmail.com> <AANLkTinV88U3cF6z51eNtPeF-xKG1aWVgALd06CPq4kE@mail.gmail.com> <m2d3l6cj2l.wl%randy@psg.com> <289DB32D-D175-49DE-AA82-100407F64C23@juniper.net> <Pine.WNT.4.64.1104012156360.4612@mw-PC> <20110401210506.GA3082@juniper.net> <Pine.WNT.4.64.1104021120430.4612@mw-PC> <20110404083237.GA1860@juniper.net> <FFD0D281-AA3C-4CF2-8AF2-E1A2FE0A53A0@tcb.net> <20110404125015.GA3277@juniper.net> <BANLkTi=eZ=pQ2gJfiPBfeb4frH8Tncempw@mail.gmail.com> <m21v1i9ha8.wl%randy@psg.com> <BF88D659-1BE5-4DD2-AB24-7A113360DF37@cisco.com> <m2tyea7urr.wl%randy@psg.com> <8BE1C346-6214-4343-9E46-BFA8D96E4B6C@cisco.com> <p06240810c9c90b883458@128.89.89.213> <4DAF44AC.8060408@isi.edu> <E3076C4C-F27C-40A8-A033-2EBB8C39A3D2@cisco.com> <4DAF796C.7010807@isi.edu> <BANLkTi=Oc-fEKOYCRQqM97wPxSSXjrdTRw@mail.gmail.com> <409BDC5C-FE86-444A-BC0D-6DA00E7BF0F3@isi.edu>
Date: Fri, 22 Apr 2011 01:10:16 -0400
X-Google-Sender-Auth: 76WxLZNjRRWc9zeV5WoeyYsoUHY
Message-ID: <BANLkTikLi2p7UipJTRSQqVOL6GkLn=j9iA@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Joe Touch <touch@isi.edu>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2011 05:10:18 -0000
On Fri, Apr 22, 2011 at 12:14 AM, Joe Touch <touch@isi.edu> wrote: > > > On Apr 21, 2011, at 7:45 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote: > >> So.. round and round the rosemary bush we go, still we have no actual >> things that run actual tcp-ao, so given that can we either: >> >> 1) use md5 (as a MUST, with ssh as a MAY) and rev the doc at a later >> point to say that AO is a MUST and remove md5 >> 2) move this doc along the path >> 3) get implementations of the protocol today to start using md5 > > You could instead do what the TCP-AO rfc recommends for apps like BGP: > > - MUST support TCP-AO > - MAY also support TCP MD5 for backward compatibility > > This avoids reinventing an answer for BGP caches and just applies the *current* advice for BGP in general. > bgp cache is not bgp... it's really just a random tcp session from a router to a thing some where else. (does that change your proposed above?) -Chris > Joe > > >> >> -chris >> (co-chair-toe-socks-on) >> >> On Wed, Apr 20, 2011 at 8:25 PM, Joe Touch <touch@isi.edu> wrote: >>> >>> >>> On 4/20/2011 5:19 PM, Brian Weis wrote: >>>> >>>> On Apr 20, 2011, at 1:40 PM, Joe Touch wrote: >>>> >>>>> >>>>> >>>>> On 4/11/2011 12:49 PM, Stephen Kent wrote: >>>>>> >>>>>> At 9:30 PM -0700 4/6/11, Brian Weis wrote: >>>>>>> >>>>>>> On Apr 6, 2011, at 5:46 PM, Randy Bush wrote: >>>>>>> >>>>>>>>> Getting a new application (such as the rtr protocol) >>>>>>>>> specifying hmac-md5 mandatory to implement through a Secdir >>>>>>>>> review and then the Security ADs just won't happen. The >>>>>>>>> only exception I can think of is if there were no possible >>>>>>>>> alternatives, and that's obviously not the case here. >>>>>>>> >>>>>>>> with AO not implemented on any servers, routers not having >>>>>>>> ssh libraries, and this being a server to router protocol, >>>>>>>> what are the alternatives? >>>>>>>> >>>>>>>> randy >>>>>>> >>>>>>> I'm surprised IPsec hasn't been mentioned in this thread ... >>>>>>> was it previously discussed and rejected? Correct me if I'm >>>>>>> wrong, but I believe it's common for BGP routers to support >>>>>>> IPsec and servers definitely support IPsec. On the router side, >>>>>>> one or two IPsec sessions to servers should not be a burden. >>>>>>> I'm less sure of the server IPsec scaling properties, but I >>>>>>> would expect a LINUX or BSD kernel to have the scaling issues >>>>>>> as were discussed earlier in this thread regarding SSH but I'm >>>>>>> no expert here. >>>>>>> >>>>>>> Brian >>>>>> >>>>>> A few years ago we were told by vendors that many router >>>>>> implementations of IPsec were available only to traffic passing >>>>>> through a router, not to the control plane terminating in a >>>>>> router. Unless that has changed, IPsec is not a good candidate >>>>>> here. >>>>> >>>>> FWIW, that was an artifact of the IPsec requirements for routers. >>>>> 4301 has the following requirements: >>>>> >>>>> (end sec 4.1, RFC 4301): In summary, >>>>> >>>>> a) A host implementation of IPsec MUST support both transport and >>>>> tunnel mode. This is true for native, BITS, and BITW >>>>> implementations for hosts. >>>>> >>>>> b) A security gateway MUST support tunnel mode and MAY support >>>>> transport mode. If it supports transport mode, that should be used >>>>> only when the security gateway is acting as a host, e.g., for >>>>> network management, or to provide security between two intermediate >>>>> systems along a path. >>>>> >>>>> A gateway acts as a host for all its routing protocol connections, >>>>> and thus its control plane should have to comply with (a). >>>>> >>>>> I agree, that's why IPsec isn't a good choice to protect BGP, but >>>>> we sort of created that situation in 4301, AFAICT. >>>>> >>>>> Joe >>>> >>>> I won't quibble with that argument as far as protecting BGP. But for >>>> the "router-to-server" protocol described by this draft is actually >>>> acting as a host for the exchange. >>> >>> Routers act as hosts for all routing protocol exchanges; that's not unique >>> to the router-server exchange. >>> >>>> There are more router IPsec implementations that can protect the >>>> control plane now, and meeting the requirements above would likely be >>>> doable. >>> >>> There are other potential reasons why IPsec may or may not be the best >>> choice, but I don't much care whether IPsec or TCP-AO is used; those are the >>> appropriate choices if you care that the transport protocol is protected. >>> >>> Joe >>> >>> >>> _______________________________________________ >>> sidr mailing list >>> sidr@ietf.org >>> https://www.ietf.org/mailman/listinfo/sidr >>> >
- [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Jared Mauch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Kent
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Danny McPherson
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Smith, Donald
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Pradosh Mohapatra
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Pradosh Mohapatra
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Sandra Murphy
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Geoff Huston
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Geoff Huston
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Kent
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Sandra Murphy
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- [sidr] TLS (Was: Re: WGLC draft-sidr-rpki-rtr - t… Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] TLS (Was: Re: WGLC draft-sidr-rpki-rtr… Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] draft-sidr-rpki-rtr t.petch
- Re: [sidr] draft-sidr-rpki-rtr Joe Touch
- Re: [sidr] draft-sidr-rpki-rtr Randy Bush
- Re: [sidr] draft-sidr-rpki-rtr Stewart Bryant
- Re: [sidr] draft-sidr-rpki-rtr t.petch
- Re: [sidr] draft-sidr-rpki-rtr Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch