[sidr] Last Call: (An Out-Of-Band Setup Protocol For RPKI Production Services) to Proposed Standard

2016-12-20 Thread The IESG

The IESG has received a request from the Secure Inter-Domain Routing WG
(sidr) to consider the following document:
- 'An Out-Of-Band Setup Protocol For RPKI Production Services'
   as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
i...@ietf.org mailing lists by 2017-01-10. Exceptionally, comments may be
sent to i...@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


   This note describes a simple out-of-band protocol to ease setup of
   the RPKI provisioning and publication protocols between two parties.
   The protocol is encoded in a small number of XML messages, which can
   be passed back and forth by any mutually agreeable secure means.

   This setup protocol is not part of the provisioning or publication
   protocol, rather, it is intended to simplify configuration of these
   protocols by setting up relationships and exchanging BPKI keying
   material.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-oob-setup/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-oob-setup/ballot/


No IPR declarations have been submitted directly on this I-D.




___
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr


Re: [sidr] Last Call: (An Out-Of-Band Setup Protocol For RPKI Production Services) to Proposed Standard

2016-12-28 Thread tom p .
When I saw BPKI in the Abstract, I thought 'typo'!  Reading on, it
isn't; in which case, it needs expanding in the Abstract.

Appendix A is in RelaxNG; I would like a reference for that language.

Is Appendix A Normative?  i.e. in the event of a mismatch between the
body of the I-D and Appendix A, which wins?  If Appendix A, then that
reference should be Normative.

Tom Petch




Re: [sidr] Last Call: (An Out-Of-Band Setup Protocol For RPKI Production Services) to Proposed Standard

2016-12-29 Thread Rob Austein
At Wed, 28 Dec 2016 10:55:15 +, tom p. wrote:
> 
> When I saw BPKI in the Abstract, I thought 'typo'!  Reading on, it
> isn't; in which case, it needs expanding in the Abstract.
> 
> Appendix A is in RelaxNG; I would like a reference for that language.
> 
> Is Appendix A Normative?  i.e. in the event of a mismatch between the
> body of the I-D and Appendix A, which wins?  If Appendix A, then that
> reference should be Normative.

Thanks for the review!  I agree with all of the above, will post
revisions post-LC unless there is reason to update sooner.

Yes, I think the RelaxNG schema had best be normative.  We already
found and fixed one minor disagreement between text and schema;
unsurprisingly, running code in that case agreed with the schema.



Re: [sidr] Last Call: (An Out-Of-Band Setup Protocol For RPKI Production Services) to Proposed Standard

2017-01-06 Thread t . petch
Looking some more at this, I would not want to try and troubleshoot this
protocol with such a limited range of error messages.

Not something I am likely to be doing but were I to, I would like to see
an indication of the nature of the error (e.g. in attribute, element,
certificate) and where the error was found (the relevant name) and for
authentication errors, well, look at the certificate related TLS Alerts
which suggest to me the level of detail that has been found to be needed in
at least some quarters.  And bear in mind that you are making no
recommendation about most of the certificate options, just that you
expect them to be the usual ones:-)

As it is, I would not know where to place most errors into the three
possibilities provided.

Tom Petch




Re: [sidr] Last Call: (An Out-Of-Band Setup Protocol For RPKI Production Services) to Proposed Standard

2017-01-06 Thread Rob Austein
At Fri, 6 Jan 2017 17:15:04 +, t.petch wrote:
> 
> Looking some more at this, I would not want to try and troubleshoot this
> protocol with such a limited range of error messages.
> 
> Not something I am likely to be doing but were I to, I would like to see
> an indication of the nature of the error (e.g. in attribute, element,
> certificate) and where the error was found (the relevant name) and for
> authentication errors, well, look at the certificate related TLS Alerts
> which suggest to me the level of detail that has been found to be needed in
> at least some quarters.  And bear in mind that you are making no
> recommendation about most of the certificate options, just that you
> expect them to be the usual ones:-)
> 
> As it is, I would not know where to place most errors into the three
> possibilities provided.

Sort of agree, but

The  PDU is optional, and in practice has not been used much
to date.  In practice, diagnosing errors generally involves looking in
some server log file, and errors to date have usually been reported
via email or voice.  We included the  PDU because an earlier
reviewer insisted, but we don't have enough experience using it
to know what kind of detail would really be useful.  That being the
case, my preference would be to leave the schema alone for now and
wait for experience, after which we can revise the protocol if we see
an opportunity for serious improvement.  YMMV.

FWIW, the three current error codes translate, roughly, to:

* "I don't understand what you want me to do";

* "I think I understand what you want me to do and am willing but I
  hit an authorization problem while trying to do it"; and

* "I don't feel like playing this game".

I don't see all that much ambiguity between these three very broad
categories, but I'm also not all that worried about it, because I
don't expect the current simplistic version of the  PDU to
replace two human beings having some kind of conversation after looking
at log files.  Again, YMMV.
