Re: [Sidrops] WGLC comments on draft-ietf-sidrops-bgpsec-rollover-02

"Brian Weis (bew)" <bew@cisco.com> Tue, 10 October 2017 00:22 UTC

From: "Brian Weis (bew)" <bew@cisco.com>
To: Sean Turner <sean@sn3rd.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Date: Tue, 10 Oct 2017 00:22:17 +0000
Message-ID: <5EEC8BBA-0B0B-4018-8195-A3F05379CF33@cisco.com>
References: <A00DC4D3-06C8-48A8-BB65-CCBFC36773BD@sn3rd.com>
In-Reply-To: <A00DC4D3-06C8-48A8-BB65-CCBFC36773BD@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/VXo1Ijrcp0pmoo1YMOajyiN_MGY>

Hi Sean,

Thanks for the review. I’ve resolved the nits. A couple of issues have a response below.

> On Oct 5, 2017, at 1:29 PM, Sean Turner <sean@sn3rd.com> wrote:
> 
> I read this draft way back when it was a SIDR WG draft, but reviewed it again today.  I think this document is ready to be pushed out of the WG and I only have the following nits that can be addressed now or later at the WG chair/author’s discretion:
> 
> 0. Abstract as per RFC5280: r/Certificate Authority (CA)/Certification Authority (CA)
> 
> 1. Abstract: Not sure I can parse this: "But the rollover of CA and EE certificates BGPsec router certificates” is there a missing word before “BGPsec”?

BEW: Oops, there are too many words. It should be "But the rollover of BGPsec router certificates have additional considerations ….”.

> 
> 2. s1: r/router's key/router's BGPsec key
> 
> 3. s1:/[RFC7030])/[RFC7030]
> 
> 4. s3: r/Emergency router key rollover/Emergency router key rollover:
> 
> 5. s3: r/OLD/old (?) unless you’re also going to change the new to NEW earlier in the paragraph

BEW: Reviewing the usage of NEW and OLD, I’m not sure there’s any value in making these stand out at all. I’ll change them all to “new” and “old”.

> 
> 6. s3.1, Item 1: This item describes a "the new public key in a new certificate”, but the previous paragraph in s3 mentioned issuing a new certificate with an old key so I’m not sure “new” is needed before public key.  I guess “new” is also mention at the end of Item 2.  Basically, I just think you need to look at the wording to make sure that it doesn’t imply the key actually has to be new ;). Hope this comment makes sense.

BEW: Good catch. I've changed the text to make it clearer that a new key pair is generated only if required.

Thanks,
Brian

> 
> 7. s3.1, step 4: r/invalidate updates/invalidate BGPsec updates
> and
> r/OLD updates/OLD BGPsec updates
> 
> 8. s2, s3.1, s4 for consistency: r/roll-over/rollover
> 
> Cheers,
> 
> spt

-- 
Brian Weis
Security, CSG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com