REKEY moved here

2019-04-18 13:12:22 -07:00 · 2019-04-18 13:12:22 -07:00 · 257569c8be
commit 257569c8be
parent 38e89f3543
1 changed files with 33 additions and 22 deletions
--- a/draft-ymbk-lsvr-l3dl-signing.xml
+++ b/draft-ymbk-lsvr-l3dl-signing.xml
@ -15,7 +15,7 @@

 <front>

-  <title>Layer 3 Discovery and Liveness TOFU Security</title>
+  <title>Layer 3 Discovery and Liveness Signing</title>

    <author fullname="Randy Bush" initials="R." surname="Bush">
      <organization>Arrcus &amp; IIJ</organization>
@ -59,8 +59,8 @@
    <t>The Layer 3 Discovery and Liveness protocol provides for the OPEN
    PDU to contain a key which can be used to verify signatures on
    subsequent PDUs.  This document describes two methods of key
-    generation and signing for use by L3DL when 'trust on first use'
-    authentication and integrity are sufficient.</t>
+    generation and signing for use by L3DL, Trust On First Use, AKA
+    TOFU, and PKI-based.</t>

  </abstract>

@ -82,25 +82,35 @@

    <t>The Layer 3 Discovery and Liveness protocol [old ref because new
    draft not yet pushed] <xref target="I-D.ietf-lsvr-lsoe"/> provides
-    for the OPEN PDU to contain a key which can be used to verify
-    signatures on subsequent PDUs.  This document describes two methods
-    of key generation and signing for use by L3DL when 'trust on first
-    use,' TOFU, authentication and integrity are sufficient.</t>
+    for the OPEN PDU to contain an algorithm specifier and a key which
+    can be used to verify signatures on subsequent PDUs.  This document
+    describes two methods of key generation and signing for use by L3DL,
+    Trust On First Use, AKA TOFU, and a PKI-based mechanism.</t>

    <t>To the receiver, the two methods are indistinguishable, the key
    provided in the OPEN PDU is used to verify the signatures on the
    subsequent PDUs.  The difference is how that key is generated.</t>

-    <t>The simple method is that the OPEN key is a 64-bit random.  The
-    device sending the OPEN may use one key for all links, a different
-    key for each link, or some aggregation(s) thereof.</t>
+    <t>In the TOFU  method the OPEN key is believed without question and
+    is used to verify all subsequent PDUs with the same Key Type.</t>

-    <t>If one is concerned about a Monkey In The Middle, then the OPEN
-    key can be the public half of an asymmetric key pair.  The sender
-    signs with the private key, of course.  To reduce key generation
-    load on the sending device, the key pair could be generated once per
-    device.</t>
+    <t>In the PKI method the OPEN key MUST be verified against the trust
+    anchor for the operational domain.  It is then used to verify all
+    subsequent PDUs with the same Key Type.</t>

+    <t>The Key in the OPEN PDU SHOULD be the public half of an
+    asymmetric key pair.  The sender signs with the private key, of
+    course.  The device sending the OPEN may use one key for all links,
+    a different key for each link, or some aggregation(s) thereof.</t>
+
+    </section>
+
+  <section anchor="tofu" title="Trust On First Use Method">
+  
+    </section>
+
+  <section anchor="pki" title="Public Key Infrastructure Method">
+      
    </section>

  <section anchor="roll" title="NEWKEY, Key Roll">
@ -112,7 +122,7 @@
    encapsulations.  Therefore, a gentler rekeying is needed.</t>

 <!--
-    protocol "Type = 8:8,Payload Length:16,New Auth Type:8,New Key Length:16,New Key ...:40,Old Sig Type:8,Old Signature Length:16,Old Signature ...:40"
+    protocol "Type = 8:8,Payload Length:16,New Key Type:8,New Key Length:16,New Key ...:40,Old Sig Type:8,Old Signature Length:16,Old Signature ...:40"
 -->

      <figure>
@ -120,7 +130,7 @@
 0                   1                   2                   3  
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-|    Type = 8   |         Payload Length        | New Auth Type |
+|    Type = 8   |         Payload Length        |  New Key Type |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         New Key Length        |                               ~
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+
@ -133,7 +143,7 @@
         </artwork>
      </figure>

-    <t>The New Auth Type, New Key Length, and New Key fields declare the
+    <t>The New Key Type, New Key Length, and New Key fields declare the
    replacement algorithm suite and key.</t>

    <t>The NEWKEY PDU is signed using the current (soon to be old)
@ -170,12 +180,12 @@
        <figure>
          <artwork>
        PDU
-        Code    PDU Name
-        ----    -------------------
-        8        NEWKEY
+        Code      PDU Name
+        ----      -------------------
+          8       NEWKEY
           </artwork>
         </figure>
-	
+        
  <t>This document requests the IANA add a registry entry for "TOFU -
  Trust On Frst Use" to the L3DL-Signature-Type registry as follows:</t>
        <figure>
@ -183,6 +193,7 @@
        Number      Name
        ------      -------------------
            1       TOFU - Trust On First Use
+            2       PKI
           </artwork>
         </figure>