Re: [Sidrops] WGLC for draft-ietf-sidrops-bgpsec-rollover-00 - ENDS: 04/21/2017 (April 21 2017)
"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Mon, 17 July 2017 16:15 UTC
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: "Brian Weis (bew)" <bew@cisco.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] WGLC for draft-ietf-sidrops-bgpsec-rollover-00 - ENDS: 04/21/2017 (April 21 2017)
Thread-Index: AQHSu+CYdM3RbugUgkmZcx58NwhSiaJY52QA///NRIA=
Date: Mon, 17 Jul 2017 16:15:53 +0000
Message-ID: <DM2PR09MB0446F956BFAE6B3E17A8314284A00@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <DM2PR09MB0446B5F4C75D65324545E92E841C0@DM2PR09MB0446.namprd09.prod.outlook.com>, <17A30666-950F-4712-8FF1-64F61A5AF5F9@cisco.com>
In-Reply-To: <17A30666-950F-4712-8FF1-64F61A5AF5F9@cisco.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/tbrxxb1qQi6KUFP8z0Kl-WDKclE>
Subject: Re: [Sidrops] WGLC for draft-ietf-sidrops-bgpsec-rollover-00 - ENDS: 04/21/2017 (April 21 2017)
Brian,

Thanks for letting me know. There was also a marked-up MS word file attachment in the same sidrops post -- I hope you've noted that.

https://www.ietf.org/mail-archive/web/sidrops/current/msg00115.html

Sriram

________________________________________
From: Brian Weis (bew) <bew@cisco.com>
Sent: Monday, July 17, 2017 11:04 AM
To: Sriram, Kotikalapudi (Fed)
Subject: Re: [Sidrops] WGLC for draft-ietf-sidrops-bgpsec-rollover-00 - ENDS: 04/21/2017 (April 21 2017)

Hi Sriram,

Found your comments … somehow I missed them earlier. I’ll address them ASAP.

> On Apr 23, 2017, at 6:53 AM, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov> wrote:
>
> Hi Brian, Keyur, Roque:
>
> Thanks for all your efforts in authoring this document.
> I have carefully read the draft and have comments.
> Some of my comments are listed here and I also have comments in the attached document
> (marked in the MS word file using track changes).
> My comments are aimed to help get the document into good shape before advancing it to IESG review.
> The technical accuracy of the method described is not in question, but
> still I feel that the draft needs a careful revision.
>
> First, it needs to clear up some English issues (grammatical errors, some difficult-to-parse sentence structures).
> Some of these are pointed out below, and the rest in the attached word file.

Good. I tried in the last version to address many of these (which originated from an author for whom English was not the first language), but no doubt missed some.

>
> Second, the document needs to eliminate errors in terms of technical terms or phrases used.

Precision is good — thanks.

Many thanks,
Brian

> For example:
> s/BGPsec certificate/router certificate/g
> (Note: It is the router that has a certificate, not the BGPsec protocol)
> s/BGPsec rollover/router key rollover/g
> s/BGPsec emergency rollover/Emergency key rollover/g
> Generally, "BGPsec_Path attributes" needs to be replaced with "BGPsec updates"
> throughout the document.
> For example:
> s/...BGPsec_Path attributes signed with a new private key.../...BGPsec updates signed with a new private key.../
> (Note: The current AS’s signature covers the prefix, the previous BGPsec_Path attribute including all previous signatures,
> the current Secure_Path segment, and the Target AS.
> So it is not correct to say “BGPsec_Path attribute is signed”; instead simply say “BGPsec update is signed”.)
>
> The following comments pertain only to the Abstract and the Introduction section.
> (Please see the attached MS word document for my comments on the other sections.)
>
> Abstract: minor problem with phrasing
>
> OLD>
> This memo provides general recommendations for
> that process, as well as describing reasons why the rollover of
> BGPsec EE certificates might be necessary.
>
> NEW>
> This document provides general recommendations for
> the rollover process, while describing reasons why the rollover of
> BGPsec-router EE certificates might be necessary.
>
> Section 2 (Introduction):
>
> OLD>
> When a router receives or creates a new key pair (using a key
> provisioning mechanism), this key pair will be used to sign new
> BGPsec_Path attributes …
>
> NEW>
> When a router receives or creates a new key pair (using a key
> provisioning mechanism), this key pair will be used to sign new
> BGPsec updates …
>
> s/to include a signature using the new key (replacing the replaced key)./
> include a signature using the new key (replacing the old key)./
>
> Note: “replacing the replaced key” sounds like a bad phrase
>
> s/the old BGPsec certificate (and its key) will not longer be valid,/
> the old BGPsec certificate (and its key) will no longer be valid,/
>
> s/and thus any BGPsec Update that includes a BGPsec_Path attribute with a signature performed by/
> and thus any BGPsec Update that includes a signature performed by/
>
> OLD>
> Consequently, if the router does not
> refresh its outbound BGPsec Update messages, routing information may
> be treated as unauthenticated …
>
> NEW>
> Consequently, if the router does not
> refresh its outbound BGPsec Update messages, previously sent routing information may be treated as unauthenticated …
>
> OLD>
> It is therefore extremely important that the BGPsec router key
> rollover be performed in such a way that the probability of new
> router EE certificates have been distributed throughout the RPKI
> before the router begin signing BGPsec_Path attributes with a new
> private key.
> (Note: sentence is structurally cumbersome)
>
> NEW>
> It is therefore extremely important that NEW
> router EE certificates should have been distributed throughout the RPKI system
> before the router begins signing BGPsec updates with the NEW private key.
>
> Please see comments on other sections in the attached MS word document.
> Thank you.
> Sriram
>
> <draft-ietf-sidrops-bgpsec-rollover-00-ks.docx>

--
Brian Weis
Security, CSG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com
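Added example, not part of this thread or of draft-ietf-sidrops-bgpsec-rollover: the point above about what the signature actually covers is easiest to see by building the octets a BGPsec router hashes before signing, following the segment layouts of RFC 8205 Section 3.1 and the ordering of Section 4.2 (Target AS, every earlier Signature Segment, every Secure_Path segment, algorithm suite, AFI/SAFI, NLRI), and then watching what a validator can do once a router starts using a new SKI before its new router certificate has reached the RPKI. The AS numbers 64496-64498, the prefix 192.0.2.0/24, the SKIs and the signature bytes are constructed placeholders; no real ECDSA P-256 signing is performed.

```python
"""What a BGPsec router signs (RFC 8205, Section 4.2) and why a validator
needs the signer's router certificate first. Added example; SKIs and
signature bytes are constructed placeholders, not real ECDSA output."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List

ALG_ECDSA_P256_SHA256 = 1   # Algorithm Suite Identifier (RFC 8208)
AFI_IPV4 = 1
SAFI_UNICAST = 1


@dataclass(frozen=True)
class SecurePathSegment:
    asn: int
    pcount: int = 1
    flags: int = 0

    def encode(self) -> bytes:
        # pCount (1) | Flags (1) | AS Number (4)   -- RFC 8205, Section 3.1
        return struct.pack("!BBI", self.pcount, self.flags, self.asn)


@dataclass(frozen=True)
class SignatureSegment:
    ski: bytes        # 20-octet Subject Key Identifier of the router certificate
    signature: bytes

    def encode(self) -> bytes:
        if len(self.ski) != 20:
            raise ValueError("SKI must be 20 octets")
        # SKI (20) | Signature Length (2) | Signature (variable)
        return self.ski + struct.pack("!H", len(self.signature)) + self.signature


def encode_nlri(prefix: str) -> bytes:
    """Prefix Length (1 octet) followed by the minimal prefix octets."""
    net = ipaddress.ip_network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def data_to_sign(target_as: int, secure_path: List[SecurePathSegment],
                 signatures: List[SignatureSegment], prefix: str,
                 alg: int = ALG_ECDSA_P256_SHA256, afi: int = AFI_IPV4,
                 safi: int = SAFI_UNICAST) -> bytes:
    """secure_path[0] is Secure_Path Segment 1 (origin), secure_path[-1] is
    segment N (the AS signing now); signatures[i] was made by the AS of
    segment i+1, so N-1 signatures exist. Order per RFC 8205 Figure 8:
    Target AS, Sig N-1, SP N, ..., Sig 1, SP 2, SP 1, Alg, AFI, SAFI, NLRI."""
    n = len(secure_path)
    if n == 0 or len(signatures) != n - 1:
        raise ValueError("need N secure-path segments and N-1 signatures")
    out = struct.pack("!I", target_as)
    for i in range(n - 1, 0, -1):              # i = N-1 .. 1
        out += signatures[i - 1].encode()      # Signature Segment i
        out += secure_path[i].encode()         # Secure_Path Segment i+1
    out += secure_path[0].encode()             # Secure_Path Segment 1 (origin)
    out += bytes([alg]) + struct.pack("!HB", afi, safi) + encode_nlri(prefix)
    return out


def digest_to_sign(*args, **kwargs) -> bytes:
    """SHA-256 over those octets is the input to ECDSA P-256 (suite 1)."""
    return hashlib.sha256(data_to_sign(*args, **kwargs)).digest()


def unknown_skis(signatures: List[SignatureSegment],
                 router_certs: Dict[bytes, bytes]) -> List[bytes]:
    """A validator resolves each Signature Segment's SKI to a public key via
    the router certificates it fetched from the RPKI. An unresolvable SKI
    leaves that signature unverifiable, so the whole update cannot be
    validated; that is the failure a premature key rollover causes."""
    return [s.ski for s in signatures if s.ski not in router_certs]


def rollover_scenario():
    """AS 64496 originates 192.0.2.0/24 to AS 64497, which forwards it to
    AS 64498; the transit router then rolls to a new SKI while the
    validator's cache still holds only its old certificate (constructed)."""
    prefix = "192.0.2.0/24"
    origin, transit = SecurePathSegment(64496), SecurePathSegment(64497)
    ski_origin = bytes.fromhex("11" * 20)      # placeholder SKIs
    ski_transit_old = bytes.fromhex("22" * 20)
    ski_transit_new = bytes.fromhex("33" * 20)
    fake_sig = b"\x30\x44" + b"\x00" * 66      # placeholder, not a real signature

    hop1 = digest_to_sign(64497, [origin], [], prefix)
    sig1 = SignatureSegment(ski_origin, fake_sig)
    hop2 = digest_to_sign(64498, [origin, transit], [sig1], prefix)

    cache = {ski_origin: b"pubkey-origin", ski_transit_old: b"pubkey-transit-old"}
    before = unknown_skis([SignatureSegment(ski_transit_old, fake_sig), sig1], cache)
    after = unknown_skis([SignatureSegment(ski_transit_new, fake_sig), sig1], cache)
    return hop1, hop2, before, after
```

The second hop's input to the hash literally contains the origin's Signature Segment and both Secure_Path segments, as well as the Target AS and the NLRI, which is why "BGPsec update" rather than "BGPsec_Path attribute" is the accurate thing to say is signed. The last two values returned by rollover_scenario show the operational point of the draft: with the old SKI every key resolves, with the new SKI the validator has nothing to look up until the new router certificate is in the RPKI.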