ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [IETF] Re: Last Call: <draft-ietf-sidr-rpki-rtr-19.txt> (The RPKI/Router Protocol) to Proposed Standard

2011-12-20 19:18:23
from [Warren Kumari] [Permanent Link] 

On Dec 20, 2011, at 6:00 PM, Danny McPherson wrote:



I'm kinda surprised the security ADs are OK with this in a brand new 
connection-oriented protocol meant to increase security of the network:

S.7:

"Caches and routers MUST implement unprotected transport 
over TCP using a port, rpki-rtr, to be assigned, see Section 12.
Operators SHOULD use procedural means, ACLs, ... to reduce 
the exposure to authentication issues."


Yup. 

Just below the text that you included there is: "If available to the operator, 
caches and routers SHOULD use one of the following more protected protocols." 
and a list of things including AO, SSH, TCP MD5, IPSEC, TLS. 

Sections 7.1. (SSH Transport), 7.2.  (TLS Transport), 7.3.  (TCP MD5 Transport) 
and 7.4.  (TCP-AO Transport) provide more information on using these.

The Security Considerations section also say:
      ...
      So the strength of the trust relationship and the transport
      between the router(s) and the cache(s) are critical.  You're
      betting your routing on this.
      …
      Transports which can not provide the necessary authentication and
      integrity (see Section 7) must rely on network design and
      operational controls to provide protection against spoofing/
      corruption attacks.

I'm sure that the authors would have preferred to simply say "Use TCP-AO", and 
saved themselves a bunch of typing (and Security warnings, etc) -- it is 
obvious that they are not tying to gloss over the concerns.

Unfortunately not all OSs support TCP-AO…. Well then, it seems that, as routers 
already support SSH it should be simple to wrap a TCP stream, yes? 
Unfortunately no -- not all implementations have a simple library type model. 
Same things for IPSec / TLS, etc.

In an ideal world there would be ubiquitous, secure, fast, cheap, reliable, 
unencumbered transport security -- unfortunately we are not there (yet). Folk 
who have support for secure transports available should use them, but if I 
don't, I'd still like to have the option to deploy this.

The perfect is the enemy of the good.


-danny


Warren.


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Last Call: <draft-ietf-sidr-rpki-rtr-19.txt> (The RPKI/Router Protocol) to Proposed Standard, Danny McPherson
Next by Date:  Re: [IETF] Re: Last Call: <draft-ietf-sidr-rpki-rtr-19.txt> (The RPKI/Router Protocol) to Proposed Standard, Danny McPherson
Previous by Thread:  Re: Last Call: <draft-ietf-sidr-rpki-rtr-19.txt> (The RPKI/Router Protocol) to Proposed Standard, Randy Bush
Next by Thread:  Re: [IETF] Re: Last Call: <draft-ietf-sidr-rpki-rtr-19.txt> (The RPKI/Router Protocol) to Proposed Standard, Danny McPherson
Indexes:  [Date] [Thread] [Top] [All Lists]