Re: [sidr] Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)
Christopher Morrow <morrowc.lists@gmail.com> Wed, 11 April 2012 18:31 UTC
In-Reply-To: <CAH1iCirHuAnf99-3Gg0kBf0vVaHs3oBCJv10m0Z2r9jLnqs57A@mail.gmail.com>
References: <4F844D15.90402@ops-netman.net> <4F845123.60803@ops-netman.net> <3A499D67-D964-44A7-B1F5-BD103EBC67EE@tcb.net> <CAL9jLaZdVOW1YDm9cZEtfWQFgY=Qdc-_Be-gS8-FgRQiUxzw0A@mail.gmail.com> <CC95A8E0-4FA8-4FDF-BC53-E93340D62D64@tcb.net> <CAL9jLaaRV+W+C-amPAT3ALLd-QMr1XsoD_KLoDMYganTD-AGdg@mail.gmail.com> <C533B89C-F817-4111-A532-0165EC5D6786@tcb.net> <CAL9jLabTf8SHADEiKHJd0g6mKnG0T+mcjpydHjFEbHq16aOfxg@mail.gmail.com> <FFB084C8-960A-48DF-AF10-0CE08C09F819@tcb.net> <4F85C89D.3040307@ops-netman.net> <CAH1iCirHuAnf99-3Gg0kBf0vVaHs3oBCJv10m0Z2r9jLnqs57A@mail.gmail.com>
Date: Wed, 11 Apr 2012 14:31:52 -0400
Message-ID: <CAL9jLaZyibH92y_SoeuBe21T6aPTy5CSNTyHVL=mS23ODNpP7A@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: sidr wg <sidr@ietf.org>, sidr-chairs@tools.ietf.org, sidr-ads@tools.ietf.org
Subject: Re: [sidr] Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)
(if the ads want off this train, speak up)

On Wed, Apr 11, 2012 at 2:23 PM, Brian Dickson
<brian.peter.dickson@gmail.com> wrote:
> My understanding is, that at least for the origination aspect, the
> "freshness" argument is that the keys get rolled periodically.

they can get rolled periodically, sure. That could be as often as 1/yr
or 1/N yrs... your (operators) choice, within reason... which the mic
discussion also spun around in PAR.

> And this has to occur on all the routers, with new keys published along with
> the key roll, and possibly a unique key per router.

could be per router? per POP? per METRO? per REGION? per Continent? per
Country? per ASN?

> So, the key roll frequency alone, there are operational scalability things
> to be concerned about.

Sure, just like updating prefix-lists for all your customers today...
which L(3) does ~4x/day? NTTA does ~6x/day?

> The keys in question (which go into ee-cert?) have to have private keys on
> routers, and public keys in RPKI, right?
>

Sure, you are updating 2 things here, potentially. Or pulling data from
a single store to put in 2 places (depends on your perspective and
systems/OSS I suppose).

> This isn't a "do it once when you build the router" thing, this is a live
> update of all aspects of the whole system (router + RPKI).

there are 2 systems there... with potentially very different operational
requirements. we already all manage routers in the field ... this is
just another 'prefix-list' or 'acl' or ... (or I hope it's just like
that anyway - see 'stab in eye' vendor comment)

> As in, we should probably take at least some of the time allotted for the
> meta-discussion of, is private/public key really what we should be doing
> here?
> And if so, what are the ways that that can be done, with some analysis of
> scaling factors (order of magnitude at a minimum).
>
> E.g. it is one thing to say "sort the data", and quite another thing to say
> "When you sort the data, be aware that bubble-sort is really a bad idea, and
> quicksort is what you should use for N>6".
>
> (Some thought should be given to comparative analysis of non-PKI crypto
> mechanisms, such as hashing (SHA-256), including security, performance, and
> whether onboarding-offboarding-purging are needed.)

I think that ship sailed... but it seems like a fun list discussion.

-chris

> Brian
>
> On Wed, Apr 11, 2012 at 2:08 PM, Chris Morrow <morrowc@ops-netman.net>
> wrote:
>>
>> On 04/11/2012 01:57 PM, Danny McPherson wrote:
>> >
>> >> I suppose, to me this looks like any other configuration thing you
>> >> do today on routers... beating the vendor over the head to support
>> >> sane (netconf? maybe?) methods for provisioning, is already done.
>> >
>> > So how we onboard, update, or purge information from RPKI and sign
>>
>> I think there are 2 things here:
>> 1) router-signing-cert (ee-cert?)
>> 2) rpki-digested-data (prefix + origin + cert-sig/etc)
>>
>> they don't have to get to the router in the same way, do they? (I
>> suppose they COULD, but that isn't necessarily mandatory and isn't how
>> it's currently spec'd)
>>
>> > stuff on n routers in z locations that 10's of thousands of others
>> > will evaluate in millions of routers to determine reachability of our
>>
>> wait, now you added a 3rd item:
>> 3) rpki data repository/publication-point
>>
>> > information is relegated to "out of scope" of SIDR?
>>
>> nope, I think the part I was talking about was JUST #1 above. you put
>> that cert on your router in some implementation-specific manner. Does
>> the IETF have to (should it?) state there are some operational security
>> concerns with this? ie: "It is probably a bad idea to copy/paste an
>> unencrypted private key on a telnet session across the open Internet to
>> the router." (that sort of thing could be placed in the bgpsec-ops doc,
>> it's not there as near as I can tell today).
>>
>> -chris
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
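The thread above argues about two operational facts of a per-router key roll: the public key has to be visible in the RPKI before the router starts signing with it, and rolling N routers on a fixed period implies a daily change budget the NOC has to live with. The following is an added example, not code from this thread or from any SIDR draft: a small simulation that enforces the publish-before-activate ordering and spreads the rolls over the period. The propagation delay, the random placeholder key bytes and the SHA-1 key identifier are assumptions made for the simulation; real router keys are ECDSA keys carried in a router certificate.

```python
import hashlib
import math
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RouterKey:
    """One router signing key, tracked through publish -> activate -> retire."""
    ski: str                           # SHA-1 over the placeholder public key (assumed identifier)
    published_day: int                 # day the public key became visible in the RPKI
    active_day: Optional[int] = None   # day the router started signing with it
    retired_day: Optional[int] = None  # day it was withdrawn from the RPKI


def new_key(day: int) -> RouterKey:
    # Placeholder key material (constructed); stands in for an ECDSA public key.
    pub = os.urandom(32)
    return RouterKey(ski=hashlib.sha1(pub).hexdigest(), published_day=day)


class RouterKeyState:
    """Key-roll state machine for a single router."""

    def __init__(self, propagation_days: int):
        # Assumed: how long validators need to pick up a newly published certificate.
        self.propagation_days = propagation_days
        self.current: Optional[RouterKey] = None
        self.pending: Optional[RouterKey] = None
        self.history: List[RouterKey] = []

    def publish(self, day: int) -> RouterKey:
        """Step 1: put the new public key into the RPKI; the router keeps signing with the old one."""
        if self.pending is not None:
            raise RuntimeError("a roll is already in progress")
        self.pending = new_key(day)
        return self.pending

    def activate(self, day: int) -> RouterKey:
        """Step 2: switch the router's private key. Refused until validators could have the public key,
        because every update signed before then would fail validation."""
        key = self.pending
        if key is None:
            raise RuntimeError("nothing published to activate")
        if day < key.published_day + self.propagation_days:
            raise RuntimeError("public key has not propagated yet")
        key.active_day = day
        if self.current is not None:
            # Step 3: the old key leaves the RPKI once nothing is signed with it any more.
            self.current.retired_day = day
            self.history.append(self.current)
        self.current, self.pending = key, None
        return key


def roll_schedule(n_routers: int, roll_period_days: int,
                  max_rolls_per_day: int) -> Dict[int, List[int]]:
    """Spread n_routers rolls evenly across the roll period, refusing plans that
    exceed the daily change budget. Returns {day: [router ids]}."""
    per_day = math.ceil(n_routers / roll_period_days)
    if per_day > max_rolls_per_day:
        raise ValueError(f"need {per_day} rolls/day, budget is {max_rolls_per_day}")
    schedule: Dict[int, List[int]] = {}
    for router_id in range(n_routers):
        schedule.setdefault(router_id // per_day, []).append(router_id)
    return schedule


def roll_router(state: RouterKeyState, start_day: int) -> RouterKey:
    """Run one complete roll for a router, honouring the propagation wait."""
    state.publish(start_day)
    return state.activate(start_day + state.propagation_days)


if __name__ == "__main__":
    plan = roll_schedule(n_routers=1000, roll_period_days=365, max_rolls_per_day=4)
    print(f"{len(plan)} roll days, {max(len(v) for v in plan.values())} rolls on the busiest day")
    router = RouterKeyState(propagation_days=2)
    roll_router(router, start_day=0)       # initial key
    roll_router(router, start_day=100)     # first roll, old key retired on day 102
    print(f"active {router.current.ski[:8]}, retired {router.history[0].ski[:8]}")
```

The budget check is where the "~4x/day prefix-list updates" comparison from the thread becomes concrete: 1000 routers on a yearly roll need 3 changes a day, while 10,000 routers on the same period blow past a budget of 4 and the plan is rejected rather than silently compressed.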