Re: [Sidrops] RtgDir review: draft-ietf-sidrops-bgpsec-rollover-02
"Brian Weis (bew)" <bew@cisco.com> Thu, 26 October 2017 23:19 UTC
Return-Path: <bew@cisco.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DDA513F48E; Thu, 26 Oct 2017 16:19:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.519
X-Spam-Level:
X-Spam-Status: No, score=-14.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id knPxdeRtfSjr; Thu, 26 Oct 2017 16:19:38 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1614613F492; Thu, 26 Oct 2017 16:19:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=17938; q=dns/txt; s=iport; t=1509059972; x=1510269572; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=q7vDuEaMUG6cMz+F+Za7sLyRlrhhe4byDX/XKJu2r7w=; b=kkIN75XscMDeHd+516zzNWyJ1n91VieZPqKperhjJHcN034APQZlP//p NKxNf4t0fc7frd0Y3SOTftRE4crkjbFRmpjuhhRkq1v0i3KTlbXjt7D9w ApyUt9X6K5Fm/q1QGbOgUfeufQySuFJ1faYeJSrwTTs25c7XYlKQhEThV 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CjAAAObPJZ/4sNJK1ZAxkBAQEBAQEBAQEBAQcBAQEBAYJvcGRuJweDc4ofjxGBepB8hUQQggEKI4UYAhqEJz8YAQIBAQEBAQEBayiFHgYjVhACAQgUKwMCAgIwFBEBAQQOBYk8ZBCpCIInimgBAQEBAQEBAQEBAQEBAQEBAQEBAQEdgy6CB4M5KYMBhFIBEgE2CQEmgk0vgjIFiiiOVYh+Aodjg2aJLoIVXoEYhAmEAocViimLNAIRGQGBOAEPEDiBA2V6FXYBgjYJhFZ3AYkqgSSBEQEBAQ
X-IronPort-AV: E=Sophos;i="5.44,302,1505779200"; d="scan'208,217";a="312868405"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 26 Oct 2017 23:19:30 +0000
Received: from XCH-RTP-005.cisco.com (xch-rtp-005.cisco.com [64.101.220.145]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id v9QNJU4n020632 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 26 Oct 2017 23:19:30 GMT
Received: from xch-rtp-001.cisco.com (64.101.220.141) by XCH-RTP-005.cisco.com (64.101.220.145) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Thu, 26 Oct 2017 19:19:29 -0400
Received: from xch-rtp-001.cisco.com ([64.101.220.141]) by XCH-RTP-001.cisco.com ([64.101.220.141]) with mapi id 15.00.1320.000; Thu, 26 Oct 2017 19:19:29 -0400
From: "Brian Weis (bew)" <bew@cisco.com>
To: Daniele Ceccarelli <daniele.ceccarelli@ericsson.com>
CC: "<rtg-ads@ietf.org> (rtg-ads@ietf.org)" <rtg-ads@ietf.org>, rtg-dir <rtg-dir-bounces@ietf.org>, "draft-ietf-sidrops-bgpsec-rollover.all@ietf.org" <draft-ietf-sidrops-bgpsec-rollover.all@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: RtgDir review: draft-ietf-sidrops-bgpsec-rollover-02
Thread-Index: AdNOLsL0NRLGSLK4Tg6Kfsa5RK+XHAAo6PsA
Date: Thu, 26 Oct 2017 23:19:29 +0000
Message-ID: <CE0B48E2-FF01-4C6B-AC68-722AB09A7710@cisco.com>
References: <HE1PR0701MB2714765995E380B8545A6687F0450@HE1PR0701MB2714.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0701MB2714765995E380B8545A6687F0450@HE1PR0701MB2714.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.32.172.194]
Content-Type: multipart/alternative; boundary="_000_CE0B48E2FF014C6BAC68722AB09A7710ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/BlkpPpItL1126LtIUqhooGoEs3U>
Subject: Re: [Sidrops] RtgDir review: draft-ietf-sidrops-bgpsec-rollover-02
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Oct 2017 23:19:41 -0000
Hi Daniele, Thanks for your review. On Oct 26, 2017, at 3:12 AM, Daniele Ceccarelli <daniele.ceccarelli@ericsson.com<mailto:daniele.ceccarelli@ericsson.com>> wrote: Hello, I have been selected as the Routing Directorate reviewer for this draft. The Routing Directorate seeks to review all routing or routing-related drafts as they pass through IETF last call and IESG review, and sometimes on special request. The purpose of the review is to provide assistance to the Routing ADs. For more information about the Routing Directorate, please see http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir Although these comments are primarily for the use of the Routing ADs, it would be helpful if you could consider them along with any other IETF Last Call comments that you receive, and strive to resolve them through discussion or by updating the draft. Document: draft-ietf-sidrops-bgpsec-rollover-02 Reviewer: Daniele Ceccarelli Review Date: 25/10/2017 IETF LC End Date: On agenda of 2017-11-30 IESG telechat Intended Status: Standard Track Summary: I have some minor concerns about this document that I think should be resolved before publication. Comments: The draft is sometimes hard to read, mostly the abstract (which should be clear on the scope of the draft), what is being defined and above all the intended status. In some parts the draft seems to be a recommendation, in some others a standard track. Which one? It’s intended to be standards-track. We’ll change the tone of the document to match that (i.e., not describe “recommendations”). Also I’ve again reviewed the use of requirements language and made some appropriate changes to reflect a standards-track document. Major Issues: - None Minor Issues and nits: - The abstract is a bit hard to read. E.g. the usage of "will also manage" might become obsolete sooner or later and this sentence "But the rollover of CA and EE certificates BGPsec router certificates have..." doesn't make much sense. - - Moreover the abstract says: "This document provides general recommendations for the rollover process". How can it be a standard track then? Thanks for pointing out that the Abstract is hard to read — it’s old text that should have been updated to match the current state of BGPSEC. I have simplified the Abstract and addressed both of these points. Let me know if you believe it does not clearly describe the scope of the draft. Certification Authorities (CAs) within the Resource Public Key Infrastructure (RPKI) manage BGPsec router certificates as well as RPKI certificates. The rollover of BGPsec router certificates must be carefully performed in order to synchronize the distribution of router public keys with BGPsec Update messages verified with those router public keys. This document describes a safe rollover process, as well as discussing when and why the rollover of BGPsec router certificates are necessary. When this rollover process is followed the rollover will be performed without routing information being lost. - Intro: "Additionally, the BGP speaker MUST refresh its outbound BGPsec Update messages to include a signature using the new key (replacing the old key)." I wouldn't expect a MUST in the intro. I understand this is something defined in other documents, hence should not be in capital letters and probably added a reference. The normative language has been moved until a later section. There isn’t really a reference that can be given in this sentence though — it’s stating logically what needs to happen. - Section 3 ditto. "A BGPsec router certificate SHOULD be replaced when the following events occur" is this something new defined in this document? Yes, a description of when a key rollover should happen is a new topic for BGPsec. So this SHOULD is needed. - Typo/Punctuation/wrong usage of capital letters: there is a number of them all over the document. Why OLD key is always used with old in capital letters? Fixed. Thanks, Brian Thanks Daniele -- Brian Weis Security, CSG, Cisco Systems Telephone: +1 408 526 4796 Email: bew@cisco.com<mailto:bew@cisco.com>
- [Sidrops] RtgDir review: draft-ietf-sidrops-bgpse… Daniele Ceccarelli
- Re: [Sidrops] RtgDir review: draft-ietf-sidrops-b… Brian Weis (bew)
- Re: [Sidrops] RtgDir review: draft-ietf-sidrops-b… Daniele Ceccarelli