Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
Terry Manderson <terry.manderson@icann.org> Thu, 19 May 2016 04:07 UTC
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93E3312B032; Wed, 18 May 2016 21:07:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.627
X-Spam-Level:
X-Spam-Status: No, score=-5.627 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id khVhpD6A8UEt; Wed, 18 May 2016 21:07:11 -0700 (PDT)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A17B12B018; Wed, 18 May 2016 21:07:11 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Wed, 18 May 2016 21:07:08 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1130.005; Wed, 18 May 2016 21:07:08 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Brian Haberman <brian@innovationslab.net>, The IESG <iesg@ietf.org>
Thread-Topic: Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
Thread-Index: AQHRsQZpOwPGEWtT2U6DxoMlXXHouJ/AwrmA
Date: Thu, 19 May 2016 04:07:07 +0000
Message-ID: <D36376E0.89582%terry.manderson@icann.org>
References: <20160518033754.24796.52937.idtracker@ietfa.amsl.com> <f1770d7b-7a16-6bab-91f7-dd6e41bb60ff@innovationslab.net>
In-Reply-To: <f1770d7b-7a16-6bab-91f7-dd6e41bb60ff@innovationslab.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.4.160422
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3546511621_11318057"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/lI7k81953ugfqXkDWjtKqJmjCyk>
Cc: "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "draft-ietf-sidr-rpsl-sig@ietf.org" <draft-ietf-sidr-rpsl-sig@ietf.org>, "Sandra L. Murphy" <sandy@tislabs.com>
Subject: Re: [sidr] Terry Manderson's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 May 2016 04:07:12 -0000
Hi Brian, On 18/05/2016, 11:08 PM, "Brian Haberman" <brian@innovationslab.net> wrote: > >You are correct that the use of the RPKI repository is one of >convenience. My original implementation of this approach used non-RPKI >certificates. I would be fine with putting a statement in the >Introduction along the lines of: > >"While the approach outlined in this document mandates the use of the >RPKI for certificate distribution, it is not dependent upon the RPKI for >correct functionality. Equivalent functionality can be achieved with a >more traditional certificate authority, RFC 3779 extensions within the >certificates, and the appropriate trust anchor material to verify the >digital signature." That is a fine snippet to include. Thank you. > >> >> The Signature expiration time field ("x") currently has no time >> constraints, and I'm very surprised that it is optional with the text in >> s2.5, given that the expiration time, by my reading, could not be beyond >> the 'not after' time of the corresponding certificate. Can you please >> instruct me as to what the consensus position on this was? A criticism >>of >> many IRRs is that data becomes stale. have the signature expiration time >> field could aide in data freshness models and reduce load on automated >> import and validation of these RPSL signatures. > >The validity of the signature is driven by the notAfter field of the >certificate described in 6487. My implementation does the validation >based on notAfter regardless of what is included in the "x" field. I >view "x" as a simple way for RPSL object signers to indicate the >lifetime, but not the authoritative way. Understood. I was considering a more operational triage of the signed objects prior to validation. But in reflection that can introduce an unintentional error situation. Put aside this item. > >> >> And lastly, IRRs tend to run over the (legacy?) whois port 43 that >> doesn't provide channel layer security. This means that while signature >> provide a means of detecting modification it may not stop a a MiTM event >> where the entire object is omitted. Do you agree? if so that might be >> appropriate for the Security Considerations section. >> > >I agree with the potential MiTM attack described, but view that as >orthogonal to digital signatures providing integrity protection. This >type of attack could easily occur regardless of whether objects are >signed or not. Correct. I raise the point so that people who implement and/or use rpsl-sig do not accidentally assume that by adding a signature some form of magic happens that unreservedly protects the object - you can take this now as 'comment' fodder. > >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> one nit: >> >> "MUST reject the signature and threat the object as a regular" I think >> you mean `s/threat/treat` > >Fixed in my pending edit buffer. Thanks > >> >> Misc comments: >> >> * Thank you for the very clear canonicalisation requirements! >> >> * For route6 objects, where two resource holder's signatures considered >> such that it might address the inability to properly sign the RPSL when >> one holder possesses the ASN and another possesses the prefix? (just a >> comment, nothing more) >> > >Not sure I can parse the above unless s/where/were/... If so, that was >originally in the document prior to -09, but the consensus of the WG was >to remove multiple signature support. Yes, I typo'd. Thanks for the info on the WG consensus for multiple signature support. I'll clear my discuss shortly. Cheers Terry
- [sidr] Terry Manderson's Discuss on draft-ietf-si… Terry Manderson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Brian Haberman
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Tim Bruijnzeels
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Brian Haberman
- Re: [sidr] Terry Manderson's Discuss on draft-iet… George Michaelson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Terry Manderson
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Tim Bruijnzeels
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Robert Kisteleki
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Stephen Kent
- Re: [sidr] Terry Manderson's Discuss on draft-iet… Tim Bruijnzeels