IETF Logo Mail Archive

Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-10.txt> (Securing RPSL Objects with RPKI Signatures) to Proposed Standard

Tom Harrison <tomh@apnic.net> Thu, 28 April 2016 22:54 UTC

Return-Path: <tomh@apnic.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BA6512D5A9 for <ietf@ietfa.amsl.com>; Thu, 28 Apr 2016 15:54:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.787
X-Spam-Level:
X-Spam-Status: No, score=-7.787 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=apnic.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZneeGSBIPf_y for <ietf@ietfa.amsl.com>; Thu, 28 Apr 2016 15:54:57 -0700 (PDT)
Received: from ia-mailgw.apnic.net (ia-mailgw.apnic.net [IPv6:2001:dd8:a:851::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D186612D5A4 for <ietf@ietf.org>; Thu, 28 Apr 2016 15:54:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apnic.net; s=R2D2; h=received:received:received:date:from:to:cc:subject:message-id: mail-followup-to:references:mime-version:content-type:content-disposition: in-reply-to:user-agent:return-path; bh=PCi41aMzEmmnYsILpOAtVHMiBQ9VIeMJPm8dlTApRZc=; b=gmAP9VAzQKQx7NHNi2W2SlltwB2mvCJeVVUZ+koAOknfz/Z2/3NQe9vhUxjWh/a443I4VWEn7v7SE tBmceQChOZ2oEKazQpHK9JiU9FpwBoEKTZzBwVVqXjohVcPxKGUUCEXzogl+GTiQXDB5BYwCn5dphm Te1YGvPs3OsgxdSs=
Received: from iamda3.org.apnic.net (unknown [IPv6:2001:dd8:9:2::101:249]) by ia-mailgw.apnic.net (Halon Mail Gateway) with ESMTPS; Fri, 29 Apr 2016 08:59:59 +1000 (AEST)
Received: from main (203.119.101.249) by iamda3.org.apnic.net (203.119.111.31) with Microsoft SMTP Server (TLS) id 14.3.123.3; Fri, 29 Apr 2016 08:54:51 +1000
Received: from tomh by main with local (Exim 4.87) (envelope-from <tomh@apnic.net>) id 1avupf-0000OY-JP; Fri, 29 Apr 2016 08:54:51 +1000
Date: Fri, 29 Apr 2016 08:54:51 +1000
From: Tom Harrison <tomh@apnic.net>
To: ietf@ietf.org
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-10.txt> (Securing RPSL Objects with RPKI Signatures) to Proposed Standard
Message-ID: <20160428225451.GE123284@main>
Mail-Followup-To: ietf@ietf.org, sidr-chairs@ietf.org, draft-ietf-sidr-rpsl-sig@ietf.org, sidr@ietf.org
References: <20160425184508.30206.46648.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20160425184508.30206.46648.idtracker@ietfa.amsl.com>
User-Agent: Mutt/1.6.0 (2016-04-01)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/n4gPJc4vuhe445GAnqRYa9A242g>
Cc: sidr-chairs@ietf.org, draft-ietf-sidr-rpsl-sig@ietf.org, sidr@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2016 22:54:59 -0000

Section 5 requires that an EE certificate be used for the signing of
the RPSL object.  An EE certificate must contain an SIA extension that
points to an RPKI signed object (RFC 6487 [4.8.8.2]).  The draft does
not define a profile for a new type of object, or specify an existing
one that may be used instead.  There are a number of ways to deal with
this: for example, by defining a new profile and changing the
signature URL to suit, or by amending RFC 6487 such that object
pointers in EE certificates are optional.

Section 4 specifies sets of attributes that must be signed.  'org' is
included as one of these attributes for the as-block, inet[6]num, and
route[6] object types.  However, 'org' is not defined in either of the
principal RPSL RFCs (2622 and 4012), and there are current
implementations (e.g. APNIC's) that do not support it.  I think the
references to 'org' should be omitted.

Section 4 specifies 'signature' as an attribute that must be signed.
'signature' can appear multiple times in a single object, where e.g.
two different resource holders sign a route[6] object.  Given that the
text doesn't explicitly state that only the newest 'signature' must be
signed, it would appear to require that any extant 'signature'
attributes be signed as well.  That in turn would prevent previous
signers from re-signing the object independently of the subsequent
signers.  I think the text should be changed so that only the new
signature attribute need be signed.

Section 2.4 requires that "the Internet number resources present in
[RFC3779] extensions of the certificate referred to in the "c" field
of the signature must cover the resources in the primary key of the
object".  This means that it's not possible to sign a route[6] object
for a route where one resource holder has the ASN and another the
prefix.  In revision 8 (and earlier), the possibility of there being
multiple signatures, each with a certificate covering a subset of the
primary key resources, was explicitly permitted.  I think that the
previous text here should be restored.

(The above points were the product of much discussion of this draft
with Tim and Oleg from RIPE, not that I'm speaking for them.  We were
able to write interoperable prototype signer/validator
implementations, so the document is in pretty good shape on the
whole.)

-Tom

v2.23.0 | Report a Bug | By Email