Re: [sidr] once more with feeling! WGLC for draft-ietf-sidr-slurm-04

Declan Ma <madi@zdns.cn> Tue, 27 June 2017 04:20 UTC

Return-Path: <madi@zdns.cn>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21A94128B8E for <sidr@ietfa.amsl.com>; Mon, 26 Jun 2017 21:20:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=zdns.cn
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fi8Jr8vqm1JB for <sidr@ietfa.amsl.com>; Mon, 26 Jun 2017 21:20:19 -0700 (PDT)
Received: from mail.zdns.cn (smtp.zdns.cn [202.173.10.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E1A7128B8F for <sidr@ietf.org>; Mon, 26 Jun 2017 21:20:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zdns.cn; s=dkim; x=1499142019; i=madi@zdns.cn; h=Content-Type: Mime-Version:Subject:From:In-Reply-To:Date:Cc: Content-Transfer-Encoding:Message-Id:References:To; bh=go2q5fh4X TWskhAe2P/jwm+1C6/T9AIkWdcvWP6HIik=; b=skOjK63lj74tZ44tcKpStEqcv e+QA81lj2otsXBiOVpijL0TqUwJUmshx+4kqLm7BuWIOb5E+mx6e2mVy9EamT+ja 2+xwX1fea6lrMiby7m7kfOMIzY2hA6J/3gezxzcPidTsaHmuNjV79opxYf8vmRPy 9Vunlgljzqbeij4o+E=
X-TM-DID: 40c5fd475c6cb531536af8ce44a29874
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Declan Ma <madi@zdns.cn>
In-Reply-To: <5D93CE9B-B802-4014-A3B8-F8B3A2F42456@antarateknik.com>
Date: Tue, 27 Jun 2017 12:19:52 +0800
Cc: Sandra Murphy <sandy@tislabs.com>, Christopher Morrow <morrowc.lists@gmail.com>, sidr chairs <sidr-chairs@ietf.org>, sidr <sidr@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9ACE1099-C5F3-48A3-BE97-649BDA8123BC@zdns.cn>
References: <801A5228-4DF6-4882-A2A9-77B9BAD58871@tislabs.com> <FE73D619-1368-4A22-8FB1-D310F277D731@ripe.net> <CAL9jLaYv-RZz8rzDy9XpjAsuVV4tFtxO33-0OjLQo2J00R60GA@mail.gmail.com> <87ACB275-5A80-427B-A6D6-D888CC72E03C@tislabs.com> <5D93CE9B-B802-4014-A3B8-F8B3A2F42456@antarateknik.com>
To: Mehmet Adalier <madalier@antarateknik.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/x6rqTUtB1NGA30a5su1KMfZS3QI>
Subject: Re: [sidr] once more with feeling! WGLC for draft-ietf-sidr-slurm-04
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jun 2017 04:20:22 -0000

Mehmet,

Thanks very much for your feedback.

See my comments in lines. 


> 在 2017年6月21日,14:07,Mehmet Adalier <madalier@antarateknik.com> 写道:
> 
> In my opinion:
> 
> 1) Irrelevant of the underlying hash function, BGPSec assertions based on “only with matching SKI” should not be recommended/possible

I believe that SKI collision issues is an inherited problem from SHA-1, not an issue SLURM brings about.

Nevertheless, I agree with your opinion since SLURM is intended to be a sort of RPKI safeguard in local networks. 


> 2)  Regarding keys, “only in combination with an asserted ASN for that key,” not on the key alone


I think it’s reasonable to make it obliged to do filtering on the SKI in combination with an asserted ASN. 

We authors will be figuring out how to get this done after WGLC.

Di

> 
> mehmet
> 
> On 6/20/17, 8:38 PM, "sidr on behalf of Sandra Murphy" <sidr-bounces@ietf.org on behalf of sandy@tislabs.com> wrote:
> 
>    The “not have gotten much” was one request from an author, which got no response from the working group.
> 
>    Come on, folks.  We can do this.
> 
>    Maybe the usual increase in attention and energy of an approaching meeting will help.
> 
>    This starts a second wglc for draft-ietf-sidr-slurm-04.  Since it is the second wglc, it will be short, ending 30 Jun 2017.
> 
>    Silence is not consent.  Consensus for publication requires actual comment.  Read it.  Speak up.
> 
>    —Sandy, speaking as one of the wg co-chairs
> 
> 
>> On Jun 20, 2017, at 11:52 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
>> 
>> Howdy WG folks. this seems to not have gotten much review (after the authors changed a bunch).. can we get some readin/reviewin/commentin going on here please? :)
>> 
>> On Mon, Apr 17, 2017 at 2:06 PM, Tim Bruijnzeels <tim@ripe.net> wrote:
>> Dear WG
>> 
>> One thing the authors noted was that there may be discussion needed around the filtering of BGPSec assertions based on matching SKI - as the document currently says. This was added mainly in an attempt to make the spec feature complete and give an operator full freedom on filter rules.
>> 
>> SKIs use SHA-1. And recently it has been shown that SHA-1 collisions can be generated. This could lead one to believe that filtering of assertions based on a SKIs may not be a good idea. However, it should be noted that such collisions are probably irrelevant here. A ‘malicious' CA can always issue another router certificate for an existing (and requested) router certificate SKI and public key. So ‘collisions’ can exist anyway and a more secure hashing algorithm would not help.
>> 
>> The more fundamental question here is if it is really useful to have filtering based on the key itself - and if so - should it be possible to filter on the key alone (as the draft allows) or only in combination with an asserted ASN for that key (also allowed in this draft)?
>> 
>> As said it was mainly added for feature completeness, but it would be good to hear from this WG what the thoughts are. Personally I don’t see a big issue here - and would leave it to operators to use the options as they see fit.  But if there are concerns and there is no clear use case then I for one would be happy to take it out again in which case BGPSec assertions can only be filtered on matching ASN.
>> 
>> Cheers
>> Tim
>> 
>>> On 10 Apr 2017, at 17:49, Sandra Murphy <sandy@tislabs.com> wrote:
>>> 
>>> The authors of draft-ietf-sidr-slurm-04, "Simplified Local internet nUmber Resource Management with the RPKI”, have indicated that they believe the current version includes all wg comments and is mature and ready for working group last call.
>>> 
>>> This message starts a WGLC for draft-ietf-sidr-slurm-04.  The WGLC will end 24 April 2017.
>>> 
>>> The draft can be found at https://tools.ietf.org/html/draft-ietf-sidr-slurm-04 or https://datatracker.ietf.org/doc/draft-ietf-sidr-slurm/.
>>> 
>>> Please reply to the list whether the document is ready for publication or you have comments that you think should be addressed.
>>> 
>>> Please do read and respond to the list.  Remember that responses are required to gauge consensus, silence is not consent.
>>> 
>>> —Sandy, speaking as wg co-chair
>>> _______________________________________________
>>> sidr mailing list
>>> sidr@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sidr
>> 
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>> 
> 
>    _______________________________________________
>    sidr mailing list
>    sidr@ietf.org
>    https://www.ietf.org/mailman/listinfo/sidr
> 
> 
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr