Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-pki-profiles-19: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 05 January 2017 00:39 UTC
To: Sean Turner <sean@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/rGlpF7O6iEunAY6uxNkehHxPSW4>
Cc: Chris Morrow <morrowc@ops-netman.net>, sidr-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-sidr-bgpsec-pki-profiles@ietf.org, sidr@ietf.org

Hiya,

On 05/01/17 00:34, Sean Turner wrote:
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> - section 2: I think this is a bit badly written: "The use
>> of BGPsec Router Certificates in no way affects RPKI RPs that
>> process Manifests and ROAs because the public key found in the
>> BGPsec Router Certificate is used only to verify the signature on
>> the BGPsec certificate request (only CAs process these) and the
>> signature on a BGPsec Update Message [ID.sidr-bgpsec-protocol]
>> (only BGPsec routers process these)." Do you mean that there's no
>> way that an entity can confuse a Manifest, ROA, CSR or BGPsec
>> update so there's no issue with which public keys are used to
>> verify the signatures on those data structures?
>
> Gahhhh … so that’s a little tortured; it’s a continuation of the
> whole “these certs don’t really affect the rest of the RPKI". How
> about:
>
> BGPsec Router Certificates are used only to verify the signature on
> the BGPsec certificate request (only CAs process these) and the
> signature on a BGPsec Update Message [ID.sidr-bgpsec-protocol] (only
> BGPsec routers process these); BGPsec Router Certificates are not
> used to process Manifests and ROAs or verify signatures on
> Certificates or CRLs.

Yep, better.

>
>> - section 3: As noted in my comments on the BGPsec protocol, it'd
>> be better to call out the SKI here if you don't add the direct ref
>> to 6487 to the BGPsec protocol draft.
>
> Wait, I thought I wasn’t supposed to duplicate any of the crazy stuff
> from 6487 :)

Well, this is describing a different PDU though:-) But yeah,
better if the protocol spec points direct to 6487 direct.

Cheers,
S.

>
> spt
>