Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 04 January 2017 19:05 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28888129A4D; Wed, 4 Jan 2017 11:05:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.401
X-Spam-Level:
X-Spam-Status: No, score=-7.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DmdSvQhLOA7N; Wed, 4 Jan 2017 11:05:52 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB8D1129A41; Wed, 4 Jan 2017 11:05:51 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0F222BE3E; Wed, 4 Jan 2017 19:05:49 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GlFoqfLNbvc1; Wed, 4 Jan 2017 19:05:45 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id A433BBE38; Wed, 4 Jan 2017 19:05:44 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1483556745; bh=RX3pTgzIPfTm1hWY+zbrOUSWb7MmGoDg94myr2N30Eo=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=x7cAVAR+pR9cHL2nI8SYuwAglJ3opFYXqA6wsSOxlJTTE47Op/kv7uBWIqrb06ajo XD5EgPG4BIfVhdBiSGOwmCBeQDUYEd1RITkOwAXFQFkIKuz9amDZP7wAgvgWUcOcrU q78ZK1P8n3/2qmt6KGAvqbAF47HjVwL4yPz9z6wM=
To: Sean Turner <sean@sn3rd.com>
References: <148353798879.13011.5291414579598073386.idtracker@ietfa.amsl.com> <58B64FA8-7891-4D84-940B-AB737C3A76D1@sn3rd.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <f65475b1-c3bd-097d-46f8-ae6b342760fb@cs.tcd.ie>
Date: Wed, 04 Jan 2017 19:05:44 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <58B64FA8-7891-4D84-940B-AB737C3A76D1@sn3rd.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms020107000508000400010605"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/jvFMO7kZAjR8GabLZzapK7Q-c3U>
Cc: sidr-chairs@ietf.org, draft-ietf-sidr-bgpsec-protocol@ietf.org, The IESG <iesg@ietf.org>, m.waehlisch@fu-berlin.de, sidr@ietf.org
Subject: Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-protocol-21: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 19:05:54 -0000
Hiya, On 04/01/17 18:48, Sean Turner wrote: > >> On Jan 4, 2017, at 08:53, Stephen Farrell >> <stephen.farrell@cs.tcd.ie> wrote: >> >> Stephen Farrell has entered the following ballot position for >> draft-ietf-sidr-bgpsec-protocol-21: Discuss >> >> When responding, please keep the subject line intact and reply to >> all email addresses included in the To and CC lines. (Feel free to >> cut this introductory paragraph, however.) >> >> >> Please refer to >> https://www.ietf.org/iesg/statement/discuss-criteria.html for more >> information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found >> here: >> https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-protocol/ >> >> >> >> ---------------------------------------------------------------------- >> >> DISCUSS: >> ---------------------------------------------------------------------- >> >> >> >> >> I have a couple of fairly straightforward things I'd >> like to briefly discuss... >> >> (1) 3.2/Figure 7: A fixed 20 byte SKI being a sha-1 hash of the >> public key is a bad plan, for all the usual reasons. Why is it ok >> for that to be hardcoded here when it could change if/when new alg >> choices are made for the RPKI? If it is not too late then I think >> you should add a length or alg field to that. If it is too late to >> do that, then are we really ok that you will need to rev the >> BGPsec version number in order to get rid of all sha-1 code from >> your implementation? That seems like a bad plan for a new >> protocol. > > Not sure it absolutely needs a length field; if the RPKI does ever > decide to change to another hash algorithm for SKI, e.g., > SHA-256/384/512, or to change to a hash of the SubjectPublicKeyInfo > they could always the procedures from > https://datatracker.ietf.org/doc/rfc7093/ to generate the values for > a 20-byte value. Something like that could work I guess e.g. if this draft said "if a router cert contains an SKI that's != 20 bytes long, then here's what you do..." that'd be fine. I'm not sure that's identical to what's in 7093 though but it is close and should be fairly obvious and uncontroversial. I do think it very worthwhile though to not so closely couple the code for generating SKIs with that for BGPsec as they will (I guess) tend to be different codebases not evolving in a tightly coupled manner. Cheers, S. > > spt >
- [sidr] Stephen Farrell's Discuss on draft-ietf-si… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sean Turner
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Russ Housley
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Mehmet Adalier (Antara Teknik)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Montgomery, Douglas (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Montgomery, Douglas (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sriram, Kotikalapudi (Fed)
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Randy Bush