Re: [Sidrops] AD review of draft-ietf-sidrops-bgpsec-rollover

"Brian Weis (bew)" <bew@cisco.com> Tue, 03 October 2017 22:09 UTC

From: "Brian Weis (bew)" <bew@cisco.com>
To: Warren Kumari <warren@kumari.net>
CC: "draft-ietf-sidrops-bgpsec-rollover@ietf.org" <draft-ietf-sidrops-bgpsec-rollover@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/lB7l7H8lQLia-_mqcdoQaakPQEc>

Hi Warren,

Thanks for your careful review.

On Oct 3, 2017, at 9:44 AM, Warren Kumari <warren@kumari.net> wrote:

Hello,

Thank you to the editors and WG for your efforts on
this document; it's a well-written and easy-to-understand
draft. I do have a few comments that I’d like addressed
before I start IETF LC — addressing these now will avoid
issues later in the process.


Questions:
1: Section 2.  Introduction
"This document provides general recommendations for that process.
Certificate Practice Statements (CPS) documents MAY reference these
recommendations."

I do not understand the use of a 2119 MAY here -- can it be made
lowercase instead? I really don't understand what it is trying to
accomplish.

Hmmmm, since the subject of the MAY is not this document (i.e., is the CPS),
then use of requirements language does seem improper. We’ve changed
this to lower case as suggested.


2: 3.1.  A proposed process for BGPsec router key rollover
"If there is no staging period, routing information may be lost."
I do not have any better text to suggest, but I don't really think
that routing information gets "lost" - when the session is fixed, the
information still gets through -- perhaps "routing may be disrupted”?

Yes, “routing may be disrupted” was the intent. We’ve replaced this phrase with
"routing may be disrupted due to the inability of a BGPsec router to validate
BGPsec updates signed with a new private key"

My comments are mostly editorial nits.
1: There are some IDNITs -- a number of the drafts are now RFCs:
== Outdated reference: draft-ietf-sidr-bgpsec-ops has been published as RFC
    8207

== Outdated reference: draft-ietf-sidr-bgpsec-protocol has been published
    as RFC 8205

== Outdated reference: draft-ietf-sidr-rpki-rtr-rfc6810-bis has been
    published as RFC 8210

Ack … these RFCs were published after our -01 was published.

2: Section 3.  Key rollover in BGPsec
  "An BGPsec router certificate SHOULD be replaced ..."
s/An/A/

2: Section 3.  Key rollover in BGPsec
"Protection against withdrawel supporession and replay attacks"
-- typos in "withdrawel" and "supporession"

3: Section 3.1.  A proposed process for BGPsec router key rollover
"However, If an administrator"
s/If/if/

4: Section 6.  Security Considerations
"When certificates containing a new public key are provisioning ahead"
s/provisioning/provisioned/

All fixed.


Please let me know once these are addressed, so I can start LC.

Done. https://tools.ietf.org/html/draft-ietf-sidrops-bgpsec-rollover-02/ <https://datatracker.ietf.org/doc/draft-ietf-sidrops-bgpsec-rollover/>.

Thanks!
Brian


Thanks again,
W


--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
  ---maf

--
Brian Weis
Security, CSG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com