[Sidrops] AD Review of draft-ietf-sidrops-rtr-keying
Warren Kumari <warren@kumari.net> Fri, 30 November 2018 01:49 UTC
Return-Path: <warren@kumari.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D06A2129C6A for <sidrops@ietfa.amsl.com>; Thu, 29 Nov 2018 17:49:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.358
X-Spam-Level:
X-Spam-Status: No, score=-3.358 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wat1SRcWRH8O for <sidrops@ietfa.amsl.com>; Thu, 29 Nov 2018 17:49:50 -0800 (PST)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31095124408 for <sidrops@ietf.org>; Thu, 29 Nov 2018 17:49:50 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id a18so4151712wmj.1 for <sidrops@ietf.org>; Thu, 29 Nov 2018 17:49:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=AvFdfcNHoYOHcKqD0hTqMa+ZMlUHK03uBZBEGs0OngQ=; b=udXcKOOYuM8KkvbB2rUwDPSBxZniBlM2a9XkV5MrlaFk/9cpwQ6FqCrvOJBBp1PC5G 4lKMKd/9ilulHluPlFXbL7f2BDHEi56jOhbuR0ihd0PQaRUl7e0fsZp5Vw6kmwQtzU5i j3wIyvkK4Wh9gwwLKaBqgO6q0wGXbZ/2kuIlHe/6ZbiftU6sWA1fP2ryCKIMhY0HfE4f lGcFN3OizQDS3+S1AyvOD/vrOQjshI9s//PoHDx8xATJn5myjvJCR6n3Tulg8RaXbr0G 3wxp407OElJ1bWRU/ZtMhBrkxiYYKxZk9Gh4DrswPlksjYRNqFRbdazWNTlty/4lXTLs UkIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=AvFdfcNHoYOHcKqD0hTqMa+ZMlUHK03uBZBEGs0OngQ=; b=M2iIyRAqEPhrwsPuw79TnRcmlbBmPOLGR6J91/eCMXqcvbvfDmNkl+B9WWkWRmfEbI c9UVTdSl3S//tfHo6erTcvWBAo24y1uUQev+OvrDG2TfIYwU2aBxp+DUn4udZZuSEcsY JnNV9TeOBoRru9bdyksbxlsaecYmIyVfZudq1FsEFLON8n4C61kQKdsP6AAxP99rL23e 9MGhMXI4iM+WBli2+VZwDUGZQnJJMTEx2tbtPohC+TXj7oaszT7gBLFUR9WtIYv9l6Pn lDsZN6mAO+wEDBLqHRvQ55TZFnWnNCBy0AAW5do5VRk6a8WKL55wsORQ1WkADRnl9C0E 7k1w==
X-Gm-Message-State: AA+aEWag+nRl0XGh4G1aY0xH3BLoP0uECFh2uH3DTiF9Jnu3VbXeGUw8 s0+wAs11u7NgfrcZXamLm2xdSkXz7T40W+kMJeYqjg==
X-Google-Smtp-Source: AFSGD/Uu+LLUQbfN5wQ7bdwqu6RK9aS/EEN+rFdHU0YhFsP3BSSc5nVmqGgs2mBtgidwVp/dc9uQB3FDgPCry7Zhmvo=
X-Received: by 2002:a1c:f605:: with SMTP id w5mr806885wmc.116.1543542588167; Thu, 29 Nov 2018 17:49:48 -0800 (PST)
MIME-Version: 1.0
From: Warren Kumari <warren@kumari.net>
Date: Thu, 29 Nov 2018 20:49:11 -0500
Message-ID: <CAHw9_iK4iNk9WYAzzw-9Ya8raSfFG9Pxvim2zSwfzh2pWdruVQ@mail.gmail.com>
To: draft-ietf-sidrops-rtr-keying.all@ietf.org, sidrops@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a9e50f057bd8034d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/XUNzD5P6dqlgUpB329zSlF8nYXw>
Subject: [Sidrops] AD Review of draft-ietf-sidrops-rtr-keying
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2018 01:49:53 -0000
Thank you to the editors, SIDR and SIDROPS for your efforts on this document, it's a well written and easy to understand draft. This document is currently blocking the publication of https://datatracker.ietf.org/doc/draft-ietf-sidrops-bgpsec-rollover/ (for 344 days!), so I'm eager to get it out the door (and apologies for it taking almost a month for my AD review!) I do have a few editorial nits, and incorrect section numbers, that I’d like addressed before I start IETF LC — addressing these now will help avoid issues later in the process...[0] Section 1: ------------- 1: "For example, when an operator wants to support hot-swappable routers the same private key needs to be ..." [O] to support hot-swappable routers the same private key [P] to support hot-swappable routers, the same private key [R] readability/grammar 2: "The remainder of this document describes how operators can use the two methods to provision new and existing routers. The methods described involve the operator configuring the two end points (i.e., the management station and the router) and acting as the intermediary. Section 7 describes a method that requires more capable routers." [C]: I **think** that this is actually Section 8? Section 5.2. Operator-Generated Keys --------------------------------------- 3: That is the operator can verify the proof of possession [O] That is the operator [P] That is, the operator [R] readability (POP), as required by [RFC6484]. Section 7. Install Certificate ------------------------------ 4: To perform this verification the CA [O] To perform this verification the CA [P] To perform this verification, the CA [R] grammar certificate chain needs to be returned along with the router's certificate in the PKCS#7 certs-only message. Section 8. Advanced Deployment Scenarios ---------------------------------------------- 5: When a router is so configured the communication with the CA SHOULD [O] When a router is so configured the communication [P] When a router is so configured, the communication [R] grammar be automatically re-established by the router at future times to renew or rekey the certificate automatically when necessary (See Section 8). NOTE: I believe that this is now Section 9... Section 9.1. Key Validity -------------------------- 6: Regardless of the technique used to track router certificate expiry times, it is advisable to notify additional operators in the same organization as the expiry time approaches thereby ensuring that the [O] as the expiry time approaches thereby ensuring [P] as the expiry time approaches, thereby ensuring [R] grammar forgetfulness of one operator does not affect the entire organization. Section 9.3. Key Revocation ------------------------------- 7: Certain unfortunate circumstances may occur causing a need to revoke [O] Certain unfortunate circumstances may occur causing a need to revoke a router's BGPsec certificate. [P] In certain circumstances, a router's BGPsec certificate may need to be revoked. [R] readability a router's BGPsec certificate. 8: router's certificate, (possibly distributing a new key and certificate to the router), and distributing the status takes time [O] distributing the status takes time [P] distributing the status, takes time [R] readability. Or, better, could this be broken up into either a list or two sentences? during which the operator must decide how they wish to maintain 9: Keeping the router operational and BGPsec-speaking is the ideal goal, but if operational practices do not allow this then reconfiguring the [O] goal, but if operational practices do not allow this [P] goal; but, if operational practices do not allow this, [R] grammar router to disable BGPsec is likely preferred to bringing the router offline. 10: and then make a next generation soon-to-be- operational key, all hopefully without needing to take offline or [O] key, all hopefully [P] key. Hopefully, all this can be done [R] readability reboot the router. Section 9.4. Router Replacement ------------------------------------- 11: To allow operators to quickly replace routers without requiring update and distribution of the corresponding public keys in the RPKI, routers SHOULD allow the private BGPsec key to inserted via a [O] to inserted [P] to be inserted protected channel, e.g., SSH, NetConf (see [RFC6470]), SNMP. Section 10. Security Considerations ------------------------------------ 12: This document defines no protocols so in some sense introduces no new [O] no protocols so in some sense [P] no protocols. So, in some sense, it [R] readability security considerations. However, it relies on many others and the security considerations in the referenced documents should be consulted; notably, those document listed in Section 1 should be consulted first. 13: PKI-relying protocols, of which BGPsec is one, have many issues to consider so many in fact entire books have been [O] to consider so many in fact entire books [P] to consider - so many, in fact, that entire books [R] readability/grammar 14: written to address them; so listing all PKI-related security considerations is neither useful nor helpful; regardless, some boot- [O] helpful; regardless, [P] helpful. Regardless, [R] strapping-related issues are listed here that are worth repeating: 15: Public-Private key pair generation: Mistakes here are for all practical purposes catastrophic because PKIs rely on the pairing [O] Mistakes here are for all practical purposes [P] Mistakes here are, for all practical purposes, [R] readability/grammar of a difficult to generate public-private key pair with a signer; all key pairs MUST be generated from a good source of non- deterministic random input [RFC4086]. 16: Private key protection at rest: Mistakes here are for all practical purposes catastrophic because disclosure of the private key allows [P] same as prior comment another entity to masquerade as (i.e., impersonate) the signer; 17: Private key protection in transit: Mistakes here are for all practical purposes catastrophic because disclosure of the private [P] same as two prior. key allows another entity to masquerade as (i.e., impersonate) the signer; ------------------------------------------- Please let me know LOUDLY once you've had a chance to look at these, and I'll kick of IETF LC. W [0]: Once people start pointing out nits, they seem to continue (and yes, I get the irony :-)) -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [Sidrops] AD Review of draft-ietf-sidrops-rtr-key… Warren Kumari
- Re: [Sidrops] AD Review of draft-ietf-sidrops-rtr… Sean Turner
- Re: [Sidrops] AD Review of draft-ietf-sidrops-rtr… Warren Kumari