Re: [dtn] [EXT] Re: Important side issues from ACME Node ID Validation draft
Rick Taylor <rick@tropicalstormsoftware.com> Mon, 23 August 2021 19:38 UTC
Return-Path: <rick@tropicalstormsoftware.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FA2F3A1005 for <dtn@ietfa.amsl.com>; Mon, 23 Aug 2021 12:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C49CanfQCu1q for <dtn@ietfa.amsl.com>; Mon, 23 Aug 2021 12:38:34 -0700 (PDT)
Received: from mail.tropicalstormsoftware.com (mail.tropicalstormsoftware.com [188.94.42.120]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6E993A100A for <dtn@ietf.org>; Mon, 23 Aug 2021 12:38:33 -0700 (PDT)
Received: from tss-server1.home.tropicalstormsoftware.com ([fe80::48e4:acbb:6065:8168]) by tss-server1.home.tropicalstormsoftware.com ([fe80::48e4:acbb:6065:8168%16]) with mapi id 14.03.0513.000; Mon, 23 Aug 2021 20:38:30 +0100
From: Rick Taylor <rick@tropicalstormsoftware.com>
To: "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>, Brian Sipos <brian.sipos+ietf@gmail.com>, "R. Atkinson" <rja.lists@gmail.com>
CC: Brian Sipos <BSipos@rkf-eng.com>, "dtn@ietf.org" <dtn@ietf.org>
Thread-Topic: [dtn] [EXT] Re: Important side issues from ACME Node ID Validation draft
Thread-Index: AQHXmDmxBMS2BxeuCkCjhPEHGJ7/VquBeDLg
Date: Mon, 23 Aug 2021 19:38:29 +0000
Message-ID: <38A5475DE83986499AEACD2CFAFC3F9801F5AEDD25@tss-server1.home.tropicalstormsoftware.com>
References: <CH2PR13MB35583FF57B027B71BCE2FCAB9FE89@CH2PR13MB3558.namprd13.prod.outlook.com> <CD0FA713-E227-4C9B-A691-54E8127ABE41@gmail.com> <CAM1+-giHHM0-YC=QnO6t2nd0D25CVSfW9EP+p7XWefK2cVi10w@mail.gmail.com> <15d2c06ccd974f02a13098c0a19231d1@jhuapl.edu>
In-Reply-To: <15d2c06ccd974f02a13098c0a19231d1@jhuapl.edu>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2a02:1648:4000:120:d4eb:2f82:2905:aec]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/3No2UNgklSwfgtJ0i1afIVZYytU>
Subject: Re: [dtn] [EXT] Re: Important side issues from ACME Node ID Validation draft
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Aug 2021 19:38:41 -0000
Hi Brian, Ed, I personally agree with the ACME Sec review... I think subjectAltName is the wrong field to be using for Node-ID in the certificate, and using it definitely ties our hands with Naming and Addressing to only use Node-IDs (and by extension Endpoint IDs) that map to RFC3986 valid formats. @Brian, Can you suggest some replacement text for the 3rd paragraph of 4.4.1 that meet the ACME suggestion? Everyone else, do you consider the change to use a different field/type in the certificate to be a change that requires returning TCPCLv4 to the WG. Note that doing this will delay BPv7 and BPSec as they are all bound together. With my chair hat on, I would suggest that the current text specifies the wrong field to use, rather than specifying something functionally incorrect. Cheers, Rick From: dtn [mailto:dtn-bounces@ietf.org] On Behalf Of Birrane, Edward J. Sent: 23 August 2021 17:12 To: Brian Sipos; R. Atkinson Cc: Brian Sipos; dtn@ietf.org Subject: Re: [dtn] [EXT] Re: Important side issues from ACME Node ID Validation draft Brian, If I am reading the TCPCLv4 document correctly (https://datatracker.ietf.org/doc/html/draft-ietf-dtn-tcpclv4-26) then the NODE-ID is optional, and instead a DNS-ID/IPADDR-ID may be used. If the bundle EID scheme (there may be more than dtn://) does not map cleanly to a fully qualified domain name or IP address, my intuition is that the DNS-ID/IPADDR-ID construct would need to be used instead. Since this is a TCP convergence layer, we already need to map a domain name or an IP Address anyway. If that is the correct interpretation, it may be useful to strengthen the wording in the draft, but I don’t think we need a technical change. Am I missing something here? -Ed --- Edward J. Birrane, III, Ph.D. (he/him/his) Embedded Applications Group Supervisor Space Exploration Sector Johns Hopkins Applied Physics Laboratory (W) 443-778-7423 / (F) 443-228-3839 From: dtn <dtn-bounces@ietf.org> On Behalf Of Brian Sipos Sent: Friday, August 20, 2021 3:36 PM To: R. Atkinson <rja.lists@gmail.com> Cc: Brian Sipos <BSipos@rkf-eng.com>; dtn@ietf.org Subject: [EXT] Re: [dtn] Important side issues from ACME Node ID Validation draft APL external email warning: Verify sender dtn-bounces@ietf.org before clicking links or attachments All, After further discussion in the ACME WG (security area), based on a need to avoid the requirements on DNS-name/IP-address and to avoid both valid and invalid assumptions made by tools/libraries about SAN URI contents, the strong recommendation is to avoid the SAN uniformResourceIdentifier entirely in favor of a new SAN otherName type-id OID which is used just for DTN EID (and thus Node ID) claims. Unfortunately, this would require editing of a portion of the TCPCLv4 draft now in the RFC editors queue, and a new IANA registration for the OID under the "SMI Security for PKIX Other Name Forms" IANA sub-registry [6]. Is this late edit an acceptable path for the document? It would avoid many potential interoperability issues that were brought up in the ACME discussion and require only slight change to a DTN implementation to use a different SAN type (but identically encoded value). [6] https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8 On Wed, Aug 11, 2021 at 11:20 AM R. Atkinson <rja.lists@gmail.com> wrote: > On Jul 26, 2021, at 21:04, Brian Sipos <BSipos@rkf-eng.com> wrote: > > The second issue is unfortunately more technical; the "dtn" URI scheme has been set in stone and is already in use, but the PKIX profile in [4] specifically requires that when any SAN URI which includes an authority part (the "dtn" scheme does, it is the node name) that authority is either a DNS name or IP address. And we know that a Node ID is _not_ going to contain a network-level name but some other name. This technically breaks the profile in [5] as well as [2], which both use SAN URI as Node ID authentication. Because neither RFC5280 nor RFC6125 require to dereference the SAN URI and the DTN PKIX profiles explicitly avoid the URI-ID definition of RFC6125, the only risk is really that some application may inadvertently try to DNS probe the node name (or something like that). I don't yet know how much of a blocking issue this will be, and it's unfortunate that it wasn't noticed earlier. Brian, DNS Operations folks consider “noise” DNS queries (such as an application trying to use DNS to resolve the node name or something similar) to be a significant operational challenge — because the volume of “noise” DNS queries already is high. I imagine the DNS Operations folks would be greatly unhappy at the prospect of the DTN URI scheme being the cause of additional “noise” DNS queries. A prospective change would be to update the PKIX profile in [4] to make clear that a dtn URI is neither a DNS name nor an IP address - ever. In short, this looks like a real-world operational problem that will need _some_ form of solution, even if different from the prospective change I outlined just above. Yours, Ran _______________________________________________ dtn mailing list dtn@ietf.org https://www.ietf.org/mailman/listinfo/dtn
- [dtn] Important side issues from ACME Node ID Val… Brian Sipos
- Re: [dtn] Important side issues from ACME Node ID… R. Atkinson
- Re: [dtn] Important side issues from ACME Node ID… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.
- Re: [dtn] [EXT] Re: Important side issues from AC… Rick Taylor
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Rick Taylor
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.
- Re: [dtn] [EXT] Re: Important side issues from AC… sburleig.sb
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Roman Danyliw
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.