IETF Logo Mail Archive

Re: [sidr] I-D Action: draft-ietf-sidr-rtr-keying-05.txt

Sean Turner <TurnerS@ieca.com> Tue, 13 May 2014 01:50 UTC

Return-Path: <TurnerS@ieca.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 991001A07DD for <sidr@ietfa.amsl.com>; Mon, 12 May 2014 18:50:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.567
X-Spam-Level:
X-Spam-Status: No, score=-1.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0tKZktEz_aNT for <sidr@ietfa.amsl.com>; Mon, 12 May 2014 18:50:15 -0700 (PDT)
Received: from gateway11.websitewelcome.com (gateway11.websitewelcome.com [69.93.164.12]) by ietfa.amsl.com (Postfix) with ESMTP id 20B601A03AB for <sidr@ietf.org>; Mon, 12 May 2014 18:50:15 -0700 (PDT)
Received: by gateway11.websitewelcome.com (Postfix, from userid 500) id D941B4033D45F; Mon, 12 May 2014 20:50:08 -0500 (CDT)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway11.websitewelcome.com (Postfix) with ESMTP id B94E44033D437 for <sidr@ietf.org>; Mon, 12 May 2014 20:50:08 -0500 (CDT)
Received: from [96.231.225.192] (port=51469 helo=[192.168.1.4]) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <TurnerS@ieca.com>) id 1Wk1r5-00008E-Nk; Mon, 12 May 2014 20:50:07 -0500
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Sean Turner <TurnerS@ieca.com>
In-Reply-To: <CF86D3BA.1A323%wesley.george@twcable.com>
Date: Mon, 12 May 2014 21:50:05 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <25567F3D-6C59-48D2-B99F-A88F402D3058@ieca.com>
References: <20140429141007.21954.23015.idtracker@ietfa.amsl.com> <99F6C803-C724-430F-AF95-461CBE778C05@ieca.com> <CF86D3BA.1A323%wesley.george@twcable.com>
To: "George, Wes" <wesley.george@twcable.com>
X-Mailer: Apple Mail (2.1874)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 96.231.225.192
X-Exim-ID: 1Wk1r5-00008E-Nk
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([192.168.1.4]) [96.231.225.192]:51469
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 4
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/z84WIxIKx5V2hN0pWEEPbGLmyCk
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rtr-keying-05.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 May 2014 01:50:16 -0000

Wes,

Randy and I bashed some text around; would this work:

When it is decided that an active router key is to be revoked, the
process of requesting the CA to revoke, the process of the CA
actually revoking the router’s certificate, and then the process of
rekeying/renewing the router’s certificate, (possibly distributing a
new key and certificate to the router), and distributing the status
takes time during which the operator must decide how they wish
to maintain continuity of operations, with or without the compromised
private key, or whether they wish to to bring the router offline to
address the compromise.  

Keeping the router operational and BGPsec-speaking is the ideal goal,
but if operational practices do not allow this then reconfiguring the
router to disabling BGPsec is likely preferred to bringing the router
offline.

Routers which support more than one private key, where one is
operational and the other(s) are soon-to-be-opertional, facilitate
revocation events because the operator can configure the router to make
a soon-to-be-operational key operational, request revocation of the
compromised key, and then make a new soon-to-be-operational key, all
hopefully without needing to take offline or reboot the router.  For
routers which support only one operational key, the operators should
create or install the new private key, and then request revocation of
the compromised private key.

spt

On Apr 30, 2014, at 16:26, George, Wes <wesley.george@twcable.com> wrote:

> This update address my comments on the document, and I think it’s in good
> shape now. The new section 4 is really good. The one thing I might
> recommend adding for completeness is a few additional words around
> revocation process at the end of section 4, specifically if there is any
> difference or recommendation in process for make before break (provision
> new key, then revoke old) or when that may not be a good idea compared
> with the risk of outage caused by revoking and then rekeying. It may be as
> simple as saying something similar to the above about whether a router
> supports multiple private keys or not, but I’m not sure if there are
> additional considerations that need to be discussed.
> 
> Thanks,
> 
> Wes
> 
> 
> 
> On 4/29/14, 10:14 AM, "Sean Turner" <TurnerS@ieca.com> wrote:
> 
>> Hi,
>> 
>> This version includes a new section 4 that addresses key management
>> (i.e., keep a timer to make sure your cert doesn’t expire).  There’s also
>> some editorial/readability corrections.  Please review as the authors
>> think this version pretty much wraps up what we wanted to say.
>> 
>> spt
>> 
>> On Apr 29, 2014, at 10:10, internet-drafts@ietf.org wrote:
>> 
>>> 
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> This draft is a work item of the Secure Inter-Domain Routing Working
>>> Group of the IETF.
>>> 
>>>       Title           : Router Keying for BGPsec
>>>       Authors         : Sean Turner
>>>                         Keyur Patel
>>>                         Randy Bush
>>>     Filename        : draft-ietf-sidr-rtr-keying-05.txt
>>>     Pages           : 10
>>>     Date            : 2014-04-29
>>> 
>>> Abstract:
>>>  BGPsec-speaking routers are provisioned with private keys to sign BGP
>>>  messages; the corresponding public keys are published in the global
>>>  RPKI (Resource Public Key Infrastructure) thereby enabling
>>>  verification of BGPsec messages.  This document describes two ways of
>>>  provisioning the public-private key-pairs: router-driven and
>>>  operator-driven.
>>> 
>>> 
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-sidr-rtr-keying/
>>> 
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-ietf-sidr-rtr-keying-05
>>> 
>>> A diff from the previous version is available at:
>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rtr-keying-05
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of
>>> submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>> 
>>> _______________________________________________
>>> I-D-Announce mailing list
>>> I-D-Announce@ietf.org
>>> https://www.ietf.org/mailman/listinfo/i-d-announce
>>> Internet-Draft directories: http://www.ietf.org/shadow.html
>>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>> 
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
> 
> 
> This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.

v2.23.0 | Report a Bug | By Email