Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-10.txt> (Securing RPSL Objects with RPKI Signatures) to Proposed Standard
Tom Harrison <tomh@apnic.net> Thu, 28 April 2016 22:54 UTC
Return-Path: <tomh@apnic.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BA6512D5A9 for <ietf@ietfa.amsl.com>; Thu, 28 Apr 2016 15:54:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.787
X-Spam-Level:
X-Spam-Status: No, score=-7.787 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=apnic.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZneeGSBIPf_y for <ietf@ietfa.amsl.com>; Thu, 28 Apr 2016 15:54:57 -0700 (PDT)
Received: from ia-mailgw.apnic.net (ia-mailgw.apnic.net [IPv6:2001:dd8:a:851::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D186612D5A4 for <ietf@ietf.org>; Thu, 28 Apr 2016 15:54:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apnic.net; s=R2D2; h=received:received:received:date:from:to:cc:subject:message-id: mail-followup-to:references:mime-version:content-type:content-disposition: in-reply-to:user-agent:return-path; bh=PCi41aMzEmmnYsILpOAtVHMiBQ9VIeMJPm8dlTApRZc=; b=gmAP9VAzQKQx7NHNi2W2SlltwB2mvCJeVVUZ+koAOknfz/Z2/3NQe9vhUxjWh/a443I4VWEn7v7SE tBmceQChOZ2oEKazQpHK9JiU9FpwBoEKTZzBwVVqXjohVcPxKGUUCEXzogl+GTiQXDB5BYwCn5dphm Te1YGvPs3OsgxdSs=
Received: from iamda3.org.apnic.net (unknown [IPv6:2001:dd8:9:2::101:249]) by ia-mailgw.apnic.net (Halon Mail Gateway) with ESMTPS; Fri, 29 Apr 2016 08:59:59 +1000 (AEST)
Received: from main (203.119.101.249) by iamda3.org.apnic.net (203.119.111.31) with Microsoft SMTP Server (TLS) id 14.3.123.3; Fri, 29 Apr 2016 08:54:51 +1000
Received: from tomh by main with local (Exim 4.87) (envelope-from <tomh@apnic.net>) id 1avupf-0000OY-JP; Fri, 29 Apr 2016 08:54:51 +1000
Date: Fri, 29 Apr 2016 08:54:51 +1000
From: Tom Harrison <tomh@apnic.net>
To: ietf@ietf.org
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-10.txt> (Securing RPSL Objects with RPKI Signatures) to Proposed Standard
Message-ID: <20160428225451.GE123284@main>
Mail-Followup-To: ietf@ietf.org, sidr-chairs@ietf.org, draft-ietf-sidr-rpsl-sig@ietf.org, sidr@ietf.org
References: <20160425184508.30206.46648.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20160425184508.30206.46648.idtracker@ietfa.amsl.com>
User-Agent: Mutt/1.6.0 (2016-04-01)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/n4gPJc4vuhe445GAnqRYa9A242g>
Cc: sidr-chairs@ietf.org, draft-ietf-sidr-rpsl-sig@ietf.org, sidr@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2016 22:54:59 -0000
Section 5 requires that an EE certificate be used for the signing of the RPSL object. An EE certificate must contain an SIA extension that points to an RPKI signed object (RFC 6487 [4.8.8.2]). The draft does not define a profile for a new type of object, or specify an existing one that may be used instead. There are a number of ways to deal with this: for example, by defining a new profile and changing the signature URL to suit, or by amending RFC 6487 such that object pointers in EE certificates are optional. Section 4 specifies sets of attributes that must be signed. 'org' is included as one of these attributes for the as-block, inet[6]num, and route[6] object types. However, 'org' is not defined in either of the principal RPSL RFCs (2622 and 4012), and there are current implementations (e.g. APNIC's) that do not support it. I think the references to 'org' should be omitted. Section 4 specifies 'signature' as an attribute that must be signed. 'signature' can appear multiple times in a single object, where e.g. two different resource holders sign a route[6] object. Given that the text doesn't explicitly state that only the newest 'signature' must be signed, it would appear to require that any extant 'signature' attributes be signed as well. That in turn would prevent previous signers from re-signing the object independently of the subsequent signers. I think the text should be changed so that only the new signature attribute need be signed. Section 2.4 requires that "the Internet number resources present in [RFC3779] extensions of the certificate referred to in the "c" field of the signature must cover the resources in the primary key of the object". This means that it's not possible to sign a route[6] object for a route where one resource holder has the ASN and another the prefix. In revision 8 (and earlier), the possibility of there being multiple signatures, each with a certificate covering a subset of the primary key resources, was explicitly permitted. I think that the previous text here should be restored. (The above points were the product of much discussion of this draft with Tim and Oleg from RIPE, not that I'm speaking for them. We were able to write interoperable prototype signer/validator implementations, so the document is in pretty good shape on the whole.) -Tom
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Tom Harrison
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Brian Haberman
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Randy Bush
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Brian Haberman
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Sandra Murphy
- Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-1… Sandra Murphy