Re: [sidr] Expected protocols in rpki-rtr

Randy Bush <randy@psg.com> Tue, 02 August 2011 18:37 UTC

Date: Wed, 03 Aug 2011 03:37:37 +0900
Message-ID: <m262mfpslq.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <84CE1DEB-76A8-4123-B20D-0AEB72CA694B@vpnc.org>
References: <84CE1DEB-76A8-4123-B20D-0AEB72CA694B@vpnc.org>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Expected protocols in rpki-rtr

> Greetings again. Section 7 of draft-ietf-sidr-rpki-rtr-14 has a list
> of supported transports. However, it does not list the one that some
> people have said that they expect it to be run under sometimes, namely
> bare TCP.

huh?  i see the following:

   Caches and routers MUST implement unprotected transport over TCP
   using a port, RPKI-Rtr, to be assigned, see Section 12.  Operators
   SHOULD use procedural means, ACLs, ... to reduce the exposure to
   authentication issues.

> I propose the following for the end of section 7, just before 7.1:
> 
>    Caches and routers MAY use unprotected TCP as a transport,
>    even though this provides none of the security protections of
>    the other protocols listed here. Unprotected TCP MUST only be
>    used when there is other forms of trusted security in place.

we actually can't.  to rehash (null algorithm) the discussion

  o AO, which may come for some routers late this year or the first half
    of next year, does not exist for servers.  as the market for AO in
    servers is minuscule, i am not optimistic.  side note: for example a
    number of very large operators use only solaris.

  o MD5 does not exist for many server platforms, or is half-assed.

  o SSH, fine on servers, but many router platforms do not have SSH
    APIs.  they just have client code burned into the CLI.

  o TLS, fine on servers, but many router platforms do not have SSH
    APIs.  they just have client code burned in.

> being honest in the document might be better than pretending
> otherwise.

exactly!

randy