Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds

Randy Bush <randy@psg.com> Tue, 02 February 2021 18:26 UTC

Return-Path: <randy@psg.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29F0A3A0E09 for <opsawg@ietfa.amsl.com>; Tue, 2 Feb 2021 10:26:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pCVbGde4_K3Q for <opsawg@ietfa.amsl.com>; Tue, 2 Feb 2021 10:26:55 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F3133A0DCC for <opsawg@ietf.org>; Tue, 2 Feb 2021 10:26:55 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.90_1) (envelope-from <randy@psg.com>) id 1l70O5-0007LN-M9; Tue, 02 Feb 2021 18:26:53 +0000
Date: Tue, 02 Feb 2021 10:26:53 -0800
Message-ID: <m2zh0mba1e.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Job Snijders <job@fastly.com>
Cc: Ops Area WG <opsawg@ietf.org>
In-Reply-To: <YBhTmPpaH7d/w9L+@snel>
References: <BN6PR11MB1667D4EB91373CCB7F7A3F5AB8A09@BN6PR11MB1667.namprd11.prod.outlook.com> <YBhTmPpaH7d/w9L+@snel>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/XwCupmGIjug6QkCQ-kG5eldehbE>
Subject: Re: [OPSAWG] WG LC: draft-ietf-opsawg-finding-geofeeds
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Feb 2021 18:27:03 -0000

> Authenticating the Geofeed data
> ===============================
> 
> The uncommented section of the file conforms to RFC 8805:
> 
>     $ head -1 geofeed.csv | tee geofeed_tbs
>     2001:67c:208c::/48,NL,NL-NH,Amsterdam
> 
> The commented out section of the geofeed.csv file contains a base64
> encoded detached CMS signature (DER) using the 'id-ct-geofeedCSVwithCRLF'
> content type, a sha256 message digest, and can be verified against a
> public CA. The CA can be reached through the RIPE NCC RPKI Trust Anchor
> and has 2001:67c:208c::/48 as subordinate resource.
> 
> Extract DER encoded signature:
> 
>     $ cat geofeed.csv | sed '1,2d;$d' | base64 -d > signature.der
> 
> Extract the EE certificate (in PEM format) from the CMS envelope:
> 
>     $ openssl cms -verify -noverify -in signature.der -inform DER \
>           -certsout ee.pem 2>/dev/zero
> 
> Inspect the EE certificate to see which authority signed it:
> 
>     $ openssl x509 -in ee.pem -noout -ext sbgp-ipAddrBlock,authorityInfoAccess
>     sbgp-ipAddrBlock: critical
>         IPv6:
>           2001:67c:208c::/48
> 
>      Authority Information Access:
>          CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/LMq8Kl3LkWGqticaaLl6IAGSsJ4.cer
> 
> A validated RPKI cache on the local filesystem can be constructed using
> a utility like OpenBSD's rpki-client (https://www.rpki-client.org). Copy
> the CA certificate from the validated cache, and convert it to PEM format:
> 
>     $ openssl x509 \
>         -in /var/cache/rpki-client/rpki.ripe.net/repository/DEFAULT/LMq8Kl3LkWGqticaaLl6IAGSsJ4.cer \
>         -inform DER -out ca.pem 
> 
> Finally, verify the signature over the Geofeed content against the
> authority:
> 
>     $ openssl cms -verify -content geofeed_tbs \
>         -in signature.der -inform DER -CAfile ca.pem
>     2001:67c:208c::/48,NL,NL-NH,Amsterdam
>     Verification successful
> 
> Conclusion
> ==========
> 
> I believe with the above I've independently implemented all aspects of
> draft-ietf-opsawg-finding-geofeeds in one way or another, demonstrating
> the described procedures are correct, verifyable, and somewhat
> understandable.
> 
> The prefix I used is a real-world example, allowing others to inspect
> the referenced inet6num RPSL object, the associated Geofeed file,
> including the authentication aspect. Appendix A was very helpful.

folk trying to verify this are whining about some missing code

randy