Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds

Job Snijders <job@fastly.com> Mon, 01 February 2021 19:16 UTC

Date: Mon, 1 Feb 2021 20:16:40 +0100
From: Job Snijders <job@fastly.com>
To: opsawg@ietf.org
Message-ID: <YBhTmPpaH7d/w9L+@snel>
References: <BN6PR11MB1667D4EB91373CCB7F7A3F5AB8A09@BN6PR11MB1667.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <BN6PR11MB1667D4EB91373CCB7F7A3F5AB8A09@BN6PR11MB1667.namprd11.prod.outlook.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/FoRMmqkdNU6MOaTgNQs9sa-Tn9Q>
Subject: Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds

Dear working group,

On Fri, Jan 22, 2021 at 09:43:26PM +0000, Joe Clarke (jclarke) wrote:
> Happy new year, opsawg.  The draft-ietf-opsawg-finding-geofeeds draft
> has undergone some discussion and with the recent -01 revision of the WG
> version of the document, the authors have made all pending changes based
> on feedback.
> 
> We would like to conduct a two-week working group last call on this
> document (ending February 5, 2021).  George Michaelson has agreed to
> shepherd this document through the last-call and IESG processes.
> 
> Please reply with your comments by Feb 5, 2021.  Thanks.

I've read the draft and labored to implement the various moving parts
described in the draft in the real world. I'll summarize the various
implementation aspects and provide POSIX-y CLI examples.

TL;DR: READY FOR PUBLICATION

Finding the Geofeed
===================

mechanism #1: 'native attribute'

Internet Routing Registry daemon (IRRd) version 4 supports 'geofeed:'
RPSL attributes natively: https://github.com/irrdnet/irrd/pull/404/files

mechanism #2: 'overloading remarks: field'

As the RIPE NCC WHOIS Server does not yet support the 'geofeed:', I
opted to use the "remarks: Geofeed ${URI}" workaround, gotta love
permission-less innovation! :-).

One can query the RIPE NCC database using WHOIS to find the reference
(or plow through https://ftp.ripe.net/ripe/dbase/split/ripe.db.inet6num.gz)

    $ whois -h whois.ripe.net -- '-rBGTinet6num 2001:67c:208c::/48' \
        | grep Geofeed
    remarks:        Geofeed https://sobornost.net/geofeed.csv

One can download the linked Geofeed file for inspection:

    $ ftp -MV https://sobornost.net/geofeed.csv
    $ ls -al geofeed.csv
    -rw-r--r--  1 job  wheel  2120 Feb  1 17:31 geofeed.csv

Authenticating the Geofeed data
===============================

The uncommented section of the file conforms to RFC 8805:

    $ head -1 geofeed.csv | tee geofeed_tbs
    2001:67c:208c::/48,NL,NL-NH,Amsterdam

The commented out section of the geofeed.csv file contains a base64
encoded detached CMS signature (DER) using the 'id-ct-geofeedCSVwithCRLF'
content type, a sha256 message digest, and can be verified against a
public CA. The CA can be reached through the RIPE NCC RPKI Trust Anchor
and has 2001:67c:208c::/48 as subordinate resource.

Extract DER encoded signature:

    $ cat geofeed.csv | sed '1,2d;$d' | base64 -d > signature.der

Extract the EE certificate (in PEM format) from the CMS envelope:

    $ openssl cms -verify -noverify -in signature.der -inform DER \
          -certsout ee.pem 2>/dev/zero

Inspect the EE certificate to see which authority signed it:

    $ openssl x509 -in ee.pem -noout -ext sbgp-ipAddrBlock,authorityInfoAccess
    sbgp-ipAddrBlock: critical
        IPv6:
          2001:67c:208c::/48

     Authority Information Access:
         CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/LMq8Kl3LkWGqticaaLl6IAGSsJ4.cer

A validated RPKI cache on the local filesystem can be constructed using
a utility like OpenBSD's rpki-client (https://www.rpki-client.org). Copy
the CA certificate from the validated cache, and convert it to PEM format:

    $ openssl x509 \
        -in /var/cache/rpki-client/rpki.ripe.net/repository/DEFAULT/LMq8Kl3LkWGqticaaLl6IAGSsJ4.cer \
        -inform DER -out ca.pem

Finally, verify the signature over the Geofeed content against the
authority:

    $ openssl cms -verify -content geofeed_tbs \
        -in signature.der -inform DER -CAfile ca.pem
    2001:67c:208c::/48,NL,NL-NH,Amsterdam
    Verification successful

Conclusion
==========

I believe with the above I've independently implemented all aspects of
draft-ietf-opsawg-finding-geofeeds in one way or another, demonstrating
the described procedures are correct, verifiable, and somewhat
understandable.

The prefix I used is a real-world example, allowing others to inspect
the referenced inet6num RPSL object, the associated Geofeed file,
including the authentication aspect. Appendix A was very helpful.

Kind regards,

Job
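The steps in the message above (finding the Geofeed reference in RPSL, splitting the file into the RFC 8805 content and the commented-out signature block, and checking that the feed's prefixes sit inside the signing resource) as a small parser, written here as an added example; it is not code from the message or from the draft's authors. The whois output and the geofeed file are constructed for the example, the base64 body is a labelled placeholder rather than a real CMS SignedData, and the exact layout of the signature comment block (one header line naming the prefix, base64 lines each prefixed with '# ', one closing line) is an assumption consistent with the `sed '1,2d;$d'` step in the message; the CMS signature itself is still verified with openssl as shown above.

```python
"""Geofeed discovery and file parsing (added example, not the message's code).

Layout assumptions for the signature comment block (not taken from the page):
  data line(s)
  # RPKI Signature: <prefix>
  # <base64 of the detached CMS signature, one or more lines>
  # End Signature: <prefix>
"""
import base64
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed RPSL in the style of the 'whois -rBGTinet6num' query: one object
# with the native 'geofeed:' attribute (mechanism #1), one with the
# "remarks: Geofeed <URI>" workaround (mechanism #2).
SAMPLE_RPSL = """\
inet6num:       2001:db8:1::/48
netname:        EXAMPLE-NET
geofeed:        https://example.net/geofeed.csv

inet6num:       2001:67c:208c::/48
netname:        SOBORNOST
remarks:        Geofeed https://sobornost.net/geofeed.csv
"""

GEOFEED_ATTR = re.compile(r"^geofeed:\s*(\S+)\s*$", re.M)
GEOFEED_REMARK = re.compile(r"^remarks:\s*Geofeed\s+(\S+)\s*$", re.M)


def find_geofeed_uri(rpsl_object: str) -> Optional[str]:
    """Native attribute first, then the remarks: workaround; only https URIs."""
    m = GEOFEED_ATTR.search(rpsl_object) or GEOFEED_REMARK.search(rpsl_object)
    if m is None:
        return None
    uri = m.group(1)
    return uri if uri.lower().startswith("https://") else None


@dataclass(frozen=True)
class GeofeedEntry:
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    country: str
    region: str
    city: str
    postal: str


SIG_BEGIN = re.compile(r"^#\s*RPKI Signature:\s*(\S+)")
SIG_END = re.compile(r"^#\s*End Signature:")


def split_geofeed(text: str) -> Tuple[str, Optional[str], bytes]:
    """Return (to_be_signed, signed_prefix, signature_der).

    to_be_signed is everything before the signature header line, i.e. what
    'head -1 | tee geofeed_tbs' yielded for the one-line file in the message.
    """
    tbs_parts: List[str] = []
    b64_parts: List[str] = []
    signed_prefix: Optional[str] = None
    in_sig = False
    for line in text.splitlines(keepends=True):
        if not in_sig:
            m = SIG_BEGIN.match(line)
            if m:
                in_sig, signed_prefix = True, m.group(1)
                continue
            tbs_parts.append(line)
        elif SIG_END.match(line):
            break  # nothing is expected after the closing line
        else:
            b64_parts.append(line.lstrip("#").strip())  # drop the '# ' prefix
    sig = base64.b64decode("".join(b64_parts), validate=True) if b64_parts else b""
    return "".join(tbs_parts), signed_prefix, sig


def parse_entries(tbs: str) -> List[GeofeedEntry]:
    """RFC 8805 lines: prefix,country,region,city,postal; trailing fields optional."""
    entries = []
    for raw in tbs.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no data
        fields = (line.split(",") + [""] * 5)[:5]
        prefix = ipaddress.ip_network(fields[0].strip(), strict=True)  # ValueError on junk
        entries.append(GeofeedEntry(prefix, *[f.strip() for f in fields[1:]]))
    return entries


def covered_by_resource(entries: List[GeofeedEntry], resource: str) -> bool:
    """True when every prefix in the feed lies within the signing resource
    (the sbgp-ipAddrBlock inspected on the EE certificate in the message)."""
    res = ipaddress.ip_network(resource)
    return all(e.prefix.version == res.version and e.prefix.subnet_of(res)
               for e in entries)


# Constructed geofeed file; the base64 body is a placeholder, not a CMS signature.
PLACEHOLDER_CMS = b"placeholder-not-a-real-CMS-SignedData"
SAMPLE_GEOFEED = (
    "2001:67c:208c::/48,NL,NL-NH,Amsterdam\n"
    "# RPKI Signature: 2001:67c:208c::/48\n"
    "# " + base64.b64encode(PLACEHOLDER_CMS).decode() + "\n"
    "# End Signature: 2001:67c:208c::/48\n"
)

if __name__ == "__main__":
    print(find_geofeed_uri(SAMPLE_RPSL.split("\n\n")[1]))
    tbs, signed_prefix, sig = split_geofeed(SAMPLE_GEOFEED)
    entries = parse_entries(tbs)
    print(entries, signed_prefix, len(sig), covered_by_resource(entries, signed_prefix))
```

The to-be-signed string returned by `split_geofeed` is what gets handed to `openssl cms -verify -content`; the prefix check is the extra consistency test a relying party would want before trusting the feed, since a valid signature only proves the signer held the resource named in the certificate, not that every line in the file belongs to it.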