Re: [sidr] two stranded docuemnts - stake time

Stephen Kent <> Fri, 22 July 2016 15:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DE28512D830 for <>; Fri, 22 Jul 2016 08:48:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N2rbD-48E-F2 for <>; Fri, 22 Jul 2016 08:48:38 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BE9EE126D74 for <>; Fri, 22 Jul 2016 08:48:37 -0700 (PDT)
Received: from ([]:45331 helo=COMSEC.fios-router.home) by with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <>) id 1bQcgg-000Afa-SW; Fri, 22 Jul 2016 11:48:31 -0400
To: Christopher Morrow <>, Randy Bush <>
References: <> <> <> <> <> <>
From: Stephen Kent <>
Message-ID: <>
Date: Fri, 22 Jul 2016 11:48:30 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------78AE76FB0E018A26C978767D"
Archived-At: <>
Cc: Chris Morrow <>, sidr <>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Jul 2016 15:48:41 -0000


Here is my message to the SIDR list from 6/16:

    I read the latest version of this document and have a few comments,
    some of which I have made before, to no avail ;-).

    I still find the wording of the three examples in Section 4 to be
    unnecessarily informal. I’ve provided suggested text for previous
    versions of this document that probably is still applicable, since
    the examples do not seem to have changed much. It seems preferable
    to describe the first motivating case without reference to a
    specific RIR. (Including a parenthetical note about the historical
    precedent of a Dutch court order involving RIPE is relevant and
    might be included.) There is language in the adverse actions
    document that could be used here to be more formal, less folksy.
    Since adverse actions is now a Wg document, one might even cite
    sections of it to support the examples. In the second example, the
    term “borrowed” is not defined. I think I know what is implied, and
    it seems inappropriate to possibly condone advertisement of address
    space allocated to another party, just because that party is not
    advertising the space to the global Internet. Why not just stick
    with private address space in this example? The third example is a
    six-line, run-on sentence, so it’s not easy for a reader to be
    certain what the example really implies.

    The Notes section (5) seems to offer an analysis of requirement for
    potential solutions to address the use cases. Maybe a better section
    title is warranted.

    David’s SLURM document describes a mechanism that seems to address
    the local, customized view requirements described in Section 4.
    (David says that it addresses the second and maybe third uses cases,
    but I think he was modest in his assertion.) SLURM could support the
    first use case, if the community decided on a mechanism to
    distribute SLURM files in response to a CA being compelled to modify
    RPKI data. (It would be easy to ad a digital signature to the files,
    to provide authentication and integrity, but the there’s the little
    issue of key management and a suitable trust model …) The design
    accommodates merging of multiple SLURM files, meeting that
    requirement as stated in this section. Note that SLURM does not
    require modifying ROAs or GB records. It is a post-processing
    mechanism using “local” configuration data that overrides the global
    data acquired from the RPKI. This suggests that some of the comments
    in Section 5 are not accurate, e.g., ones that allude to the
    problems posed by not having keys to sign ROAs, etc. Although there
    is a need to achieve the effect of modifying, creating and/or
    replacing ROAs and GB records, that effect does not have to involve
    signatures on the affected data, as suggested in the first and third
    paragraphs of Section 5.


    … to be a formally formally defined set … (repeated word)

    … 'recipes' should be mergable (mergeable?)

    The Security Considerations text seems unduly negative. The approach
    being proposed here is not violating global security, because the
    results are intended to be local. How about the following wording:

    The use cases described in Section 4, and the notes for suggested
    solution approaches in Section 5, are not intended to undermine the
    security provided by the RPKI. Rather they identify potential
    obstacles to widespread adoption of the RPKI, and suggest changes
    that would enable network operators to generate custom “views” of
    the RPKI for use on a local basis. Providing the ability to create
    local RPKI views does not adversely affect global routing security.