IETF Logo Mail Archive

Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs

Christopher Morrow <morrowc.lists@gmail.com> Mon, 05 May 2014 16:51 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B684A1A017E for <sidr@ietfa.amsl.com>; Mon, 5 May 2014 09:51:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PefjSXMd79wQ for <sidr@ietfa.amsl.com>; Mon, 5 May 2014 09:51:45 -0700 (PDT)
Received: from mail-la0-x232.google.com (mail-la0-x232.google.com [IPv6:2a00:1450:4010:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id C1ECE1A01B1 for <sidr@ietf.org>; Mon, 5 May 2014 09:51:44 -0700 (PDT)
Received: by mail-la0-f50.google.com with SMTP id mc6so979802lab.23 for <sidr@ietf.org>; Mon, 05 May 2014 09:51:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=sJaVtc4mqFsoXklHpMqoDyFUjoqmEUghZBEW4G4lhxU=; b=k/xdGJNG19h8ZgQ+INsp0KMcpqyC7UJVbkO1XpO52blkxcZnjlv4M0F5sprUhXtUYQ Xe0Vt4cXHsV6p/3Uj4zm2vQwNUq7HXjrcafG3fEbK9Ce39Ex0zJ5AQ0Wpx3YN+m1g1gk 9FIC00jjlutCTSuHpV+dmC0mTDasFvVvEO1HLSS2Mb09b5rBQLmfl/C3DMe69vZOhT4G syn5iHNfNx+gQp5N8O+cliZ3BnnGX9uS3iJqCsyH4ZB453Qu/pgxpeQDKEvBm28SEsxf Nyrpo6Xk9oNKUElvjR4+LPdf/C9Ibosxth5rpLaHz7z4Ewv/zsXTs6GWt+ApGyT/mY6L FEJg==
MIME-Version: 1.0
X-Received: by 10.112.100.231 with SMTP id fb7mr2062159lbb.56.1399308700724; Mon, 05 May 2014 09:51:40 -0700 (PDT)
Sender: christopher.morrow@gmail.com
Received: by 10.114.95.74 with HTTP; Mon, 5 May 2014 09:51:40 -0700 (PDT)
In-Reply-To: <m2bnvcgouf.wl%randy@psg.com>
References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> <CF07E61E.AF86%wesley.george@twcable.com> <m238kcea01.wl%randy@psg.com> <CF0BE8F1.B1BE%wesley.george@twcable.com> <m2a9ehjto3.wl%randy@psg.com> <52E92B20.9060505@bbn.com> <CAL9jLaapjPL0_OU8-L0U5BiLXPPoEhkCZym=7R_qDDLSobKVjA@mail.gmail.com> <m2iosq8f9e.wl%randy@psg.com> <CAL9jLab5=JNbPRMji7xWWCR_+QLRpbguShU7K_Uu56jYxKymZw@mail.gmail.com> <m2vbucdkqi.wl%randy@psg.com> <CAL9jLaYeqtqf9ewN=A7Zxnx6xRGxV=64_TyX3NLgWUt237tCkg@mail.gmail.com> <m2ioqbed03.wl%randy@psg.com> <F415D68C-DC4B-4DA1-9DC8-FB4CB06558B9@cisco.com> <m2bnvcgouf.wl%randy@psg.com>
Date: Mon, 05 May 2014 12:51:40 -0400
X-Google-Sender-Auth: 7hL6TVIcAENFhzI8DbyaITzbLHo
Message-ID: <CAL9jLaasqgPv4SsEw5+0iPXhVub0fNc7Cw0G0fZ_PADmfLDTuA@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Randy Bush <randy@psg.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/ifPWP2l59EofnJb6NOT27lZ2xPU
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 16:51:49 -0000

On Mon, May 5, 2014 at 12:41 PM, Randy Bush <randy@psg.com> wrote:
>>>>>   3.14  While the trust level of a route should be determined by the
>>>>>         BGPsec protocol, local routing preference and policy MUST then
>>>>>         be applied to best path and other routing decisions.  Such
>>>>>         mechanisms SHOULD conform with [I-D.ietf-sidr-ltamgmt].
>>>>> ...
>>>>>   3.17  If a BGPsec design makes use of a security infrastructure, that
>>>>>         infrastructure SHOULD enable each network operator to select
>>>>>         the entities it will trust when authenticating data in the
>>>>>         security infrastructure.  See, for example,
>>>>>         [I-D.ietf-sidr-ltamgmt].
>>
>> What about adding that "the connection to this security infrastructure
>> MUST be through a secure channel"?

it's done via rcynic and/or rpki-to-rtr, right? depending on where in
the process you are... presuming the process looks like:
  publication-point - gatherer - cache - router
                      (rcynic)     (rcynic)   (rpki-rtr)


and above/before 'publication-point' is 'RIR tomfoolery'

> connection from what?  mains power?  :)

i think roque was referring to the above process...which I think
already includes 'security bits'. (rcynic == CMS, rpki-rtr == AO ||
ssh)

> this is about routers speaking bgpsec.  imiho, it would be ill-adviised
> to start down the rat-hole of operational practices of router management
> for which there is no proof of termination.

let's avoid that for now, especially since I think the request is
already taken care of.

If this is all satisfactory, let's get to a WGLC in the next 2 days,
and then see where that leads us?

-chris

v2.23.0 | Report a Bug | By Email