Re: [sidr] Fwd: New Version Notification for draft-ietf-sidr-algorithm-agility-03.txt

Sean Turner <turners@ieca.com> Sun, 23 October 2011 22:25 UTC

Return-Path: <turners@ieca.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D289B21F8AF7 for <sidr@ietfa.amsl.com>; Sun, 23 Oct 2011 15:25:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.432
X-Spam-Level:
X-Spam-Status: No, score=-102.432 tagged_above=-999 required=5 tests=[AWL=-0.167, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YEz87pmg9XvV for <sidr@ietfa.amsl.com>; Sun, 23 Oct 2011 15:25:06 -0700 (PDT)
Received: from gateway02.websitewelcome.com (gateway02.websitewelcome.com [69.56.170.20]) by ietfa.amsl.com (Postfix) with SMTP id A5DED21F8AF2 for <sidr@ietf.org>; Sun, 23 Oct 2011 15:25:06 -0700 (PDT)
Received: (qmail 24367 invoked from network); 23 Oct 2011 21:24:39 -0000
Received: from gator1743.hostgator.com (184.173.253.227) by gateway02.websitewelcome.com with SMTP; 23 Oct 2011 21:24:39 -0000
Received: from [71.191.15.80] (port=47934 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <turners@ieca.com>) id 1RI6TX-0004Mt-T6; Sun, 23 Oct 2011 17:25:04 -0500
Message-ID: <4EA4943F.80106@ieca.com>
Date: Sun, 23 Oct 2011 18:25:03 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Roque Gagliano <rogaglia@cisco.com>
References: <20110802092022.13671.96567.idtracker@ietfa.amsl.com> <1C1A5E2A-1C8A-4023-B2BA-A2D340470649@cisco.com> <p06240807ca5e0bcbcee5@[192.168.1.12]> <B02911FA-F807-4A6F-837A-205236B02325@cisco.com> <m239hiqa4p.wl%randy@psg.com> <4E3A9A65.4010207@ieca.com> <Pine.WNT.4.64.1108051408150.6664@SMURPHY-LT.columbia.ads.sparta.com> <4E3C503D.2050004@ieca.com> <EE05681A-CC67-4417-A335-379E7DB90338@cisco.com>
In-Reply-To: <EE05681A-CC67-4417-A335-379E7DB90338@cisco.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: pool-71-191-15-80.washdc.east.verizon.net (thunderfish.local) [71.191.15.80]:47934
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 1
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: Sandra Murphy <Sandra.Murphy@sparta.com>, sidr@ietf.org
Subject: Re: [sidr] Fwd: New Version Notification for draft-ietf-sidr-algorithm-agility-03.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Oct 2011 22:25:14 -0000

Roque,

The algorithms used to issue and validate BGPSEC certificates are the 
same as those for RPKI res-certs.  This bit is in Section 2:

   Further, the algorithms used to generate RPKI CA certificates
   that issue the BGPSEC Router Certificates and the CRLs necessary
   to check the validity of the BGPSEC Router Certificates remain
   unchanged (i.e., they are as specified in [ID.sidr-rpki-algs]).

What that means is that a BGPSEC certs could be validated by a RP 
compliant with res-cert (modulo the things noted in Sec 3.3).  Now if 
that same RP wants to do BGPSEC it's got to support the bgpsec-prtocol, 
bgpsec-pki-profile, and bgpsec-pki-algs drafts too.  The other way to 
think about this is that if a BGPSEC RP is going to validate a BGPSEC 
signature - it's going to need to validate the BGPSEC protocol signature 
with the public key in the BGPSEC router's certificate using the algs in 
bgpsec-pki-algs, then the RP is going to need to validate the signature 
on the BGPSEC router's certificate with the public key and algs in 
rpki-certs and rpki-algs, and then repeat until it gets to a TA. I also 
made sure to put in the bgpsec-algs document that the algs used to sign 
the BGPSEC certs are found in rpki-algs.

I could see changing the following in Section 3.1:

OLD:

   A BGPSEC Router Certificate is a valid X.509 public key certificate,
   consistent with the PKIX profile [RFC5280] and [ID.sidr-res-cert-
   profile], containing the fields listed in this section.  Only the
   differences between this profile and the profile in [ID.sidr-res-
   cert-profile] are listed.

NEW:

   A BGPSEC Router Certificate is a valid X.509 public key certificate,
   consistent with the PKIX profile [RFC5280], containing the fields
   listed in this section.  This profile is based on [ID.sidr-
   res-cert-profile] and only the differences between this profile and
   the profile in [ID.sidr-res-cert-profile] are listed.

Section 3.1.2 points to the bgpsec-algs draft only for the key/alg in
the EE certificate.  The signature alg is still as specified in 
draft-ietf-sidr-rpki-algs-05 because the bgpsec-algs draft is only 
listing the differences.

Section 3.2 also points to the bgpsec-algs draft because the BGPSEC 
router is going to request the certificate using the algorithms 
specified in that draft.

But, I could see adding something like the following to Sec 3.3:

   NOTE: The cryptographic algorithms used by BGPSEC routers are
   found in [ID.sidr-bgpsec-algs].  Currently, the algorithms
   specified in [ID.sidr-bgpsec-algs] and [ID.sidr-rpki-algs] are
   different.  BGPSEC RPs will need to support algorithms that are
   needed to validate BGPSEC signatures as well as the algorithms
   that are needed to validate signatures on BGPSEC certificates,
   RPKI CA certificates, and RPKI CRLs.

I rambled a bit so let me know if this makes sense.

spt

On 8/9/11 11:59 AM, Roque Gagliano wrote:
> Sean,
>
> In Section 3.3 of http://datatracker.ietf.org/doc/draft-turner-sidr-bgpsec-pki-profiles/, you are missing to mention that one of the difference from draft-ietf-sidr-res-cert-profile is that your document refers a different algorithm suite document. Consequently, a BGPSEC certificate will not validate draft-ietf-res-cert-profile, as long as the two algorithm suites are different, correct? If that is the case, I believe you should clarify it and probably remove the references that the new profile is consistent with draft-ietf-sidr-res-cert-profile certificates.
>
> Roque
>
>
>
> On Aug 5, 2011, at 10:19 PM, Sean Turner wrote:
>
>> On 8/5/11 2:11 PM, Sandra Murphy wrote:
>>>
>>>
>>> On Thu, 4 Aug 2011, Sean Turner wrote:
>>>
>>>> On 8/3/11 8:43 PM, Randy Bush wrote:
>>>>>> The intention was to focus on the use case for the proposed changes
>>>>>> (BGPSEC certs).
>>>>>
>>>>> what is a "BGPSEC cert?"
>>>>
>>>> What Mark and I are currently proposing in
>>>> draft-turner-sidr-bgpsec-pki-profiles is that a BGPSEC certificate is a
>>>
>>> <snip>
>>>
>>>>
>>>> PS Technically, the EKU is defined in
>>>> draft-turner-bpgsec-pki-profiles. It's
>>>
>>> <snip>
>>>
>>>> If the WG decides to adopt this approach, then we'll go through the
>>>> appropriate procedures to request an OID and include it in the draft.
>>>
>>> Sean, would you like to request wg adoption for these two drafts?
>>
>> Yes I would like the wg to consider adoption of:
>>
>> http://datatracker.ietf.org/doc/draft-turner-sidr-bgpsec-pki-profiles/
>> http://datatracker.ietf.org/doc/draft-turner-sidr-bgpsec-algs/
>>
>> as the starting point for certificates and algorithms for BGPSEC.
>>
>> spt
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>