Re: [Sidrops] Eric Rescorla's No Objection on draft-ietf-sidrops-bgpsec-rollover-03: (with COMMENT)
"Brian Weis (bew)" <bew@cisco.com> Wed, 29 November 2017 01:04 UTC
Return-Path: <bew@cisco.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEDF2128CFF; Tue, 28 Nov 2017 17:04:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LeXgELcQBqRY; Tue, 28 Nov 2017 17:04:29 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19471120724; Tue, 28 Nov 2017 17:04:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4660; q=dns/txt; s=iport; t=1511917469; x=1513127069; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=/um2tJpdUYSVDAfycu6cGH/uYwRlNUGuF6qLuKgVWGg=; b=RB4D9I7CgdL2EGUzvJhXUHZPnaTHxnfWbCUB9OjvCUWVv8EjlVlzlZGU YNKiLS4pTQ84ZqyrokD85Pct6SPlW7T6+mVdpJ8GW6gihNJ+GyBZWOUZl IH1JlR1oYZs3lngmMOuTsLCuvwzEsbJCgHqNXU9wCk+ZQc1GNLWWFByIH I=;
X-IronPort-AV: E=Sophos;i="5.44,470,1505779200"; d="scan'208";a="329171134"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 29 Nov 2017 01:04:03 +0000
Received: from XCH-RTP-005.cisco.com (xch-rtp-005.cisco.com [64.101.220.145]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id vAT143iT020287 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 29 Nov 2017 01:04:03 GMT
Received: from xch-rtp-001.cisco.com (64.101.220.141) by XCH-RTP-005.cisco.com (64.101.220.145) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 28 Nov 2017 20:04:02 -0500
Received: from xch-rtp-001.cisco.com ([64.101.220.141]) by XCH-RTP-001.cisco.com ([64.101.220.141]) with mapi id 15.00.1320.000; Tue, 28 Nov 2017 20:04:02 -0500
From: "Brian Weis (bew)" <bew@cisco.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-sidrops-bgpsec-rollover@ietf.org" <draft-ietf-sidrops-bgpsec-rollover@ietf.org>, Chris Morrow <morrowc@ops-netman.net>, "sidrops-chairs@ietf.org" <sidrops-chairs@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: Eric Rescorla's No Objection on draft-ietf-sidrops-bgpsec-rollover-03: (with COMMENT)
Thread-Index: AQHTaKaCadOR99Eeb0GsGuu+1n0OQ6Mq3moA
Date: Wed, 29 Nov 2017 01:04:02 +0000
Message-ID: <AEA8E961-0AAD-4610-9BA9-7BF2E2670539@cisco.com>
References: <151191424528.8057.5213964097673735635.idtracker@ietfa.amsl.com>
In-Reply-To: <151191424528.8057.5213964097673735635.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.32.172.166]
Content-Type: text/plain; charset="utf-8"
Content-ID: <D69331209505794480A9724FB59CC781@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/YQ4vxxsjHndplO_mlWxkCPmfp6c>
Subject: Re: [Sidrops] Eric Rescorla's No Objection on draft-ietf-sidrops-bgpsec-rollover-03: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Nov 2017 01:04:31 -0000
Hi EKR, Thanks for your review. Comments below are prefaced with BEW. > On Nov 28, 2017, at 4:10 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > Eric Rescorla has entered the following ballot position for > draft-ietf-sidrops-bgpsec-rollover-03: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-sidrops-bgpsec-rollover/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > BGPsec router certificate with a new public key and the time a BGPsec > router begins to use its new private key). This can be due to a need > for a BGPsec router to distribute BGPsec updates signed with a new > Nit "the period between the time when an AS distributes …." BEW: This is the new text, which I believe matches the comment. “It is also important for an AS to minimize the BGPsec router key rollover interval (i.e., the period between the time when an AS distributes a BGPsec router certificate with a new public key and the time a BGPsec router begins to use its new private key)." > > Protection against withdrawal suppression and replay attacks: An AS > may determine withdrawn BGPsec updates are being propagated > instead of the most recently propagated BGPsec updates. > Nit: may determine that. BEW: fixed. > > certificate used for signing updates in transit is expected to live > longer than the one used for signing origination updates. > Why is it unimportant to worry about replays on transit updates? As I read the > references it's just that changing the transit key is expensive, right? But I'm > not sure why that means you don't have to do it. BEW: Replay attack protection provides an origin AS a way of ensuring its latest updates are being propagated through the network. A transit AS is not likely to know or care whether whether the policy of the origin AS has changed, however. So when an origin AS changes it’s signing key as a replay attack protection, it doesn’t have any motivation to change its transit signing key as well, and this is what the paragraph is intending to say. One reason to recommend not changing the transit key on the same schedule as the origin key (e.g., for replay attack protection) is to limit damage if there is a glitch in the rollover process. If a new origin key doesn’t get installed in time, then only the origin AS will be affected. But since large numbers of updates have been signed with that transit key, a failure in distributing a new transit key could result in large numbers of updates originated by many origins will have been invalidated, which could result in substantial damage to the Internet. Probably some text should be added to the paragraph to explain this. Thanks, Brian -- Brian Weis Security, CSG, Cisco Systems Telephone: +1 408 526 4796 Email: bew@cisco.com
- Re: [Sidrops] Eric Rescorla's No Objection on dra… Brian Weis (bew)