Re: [OPSAWG] Finding and Using Geofeed Data
Erik Kline <ek.ietf@gmail.com> Sat, 12 September 2020 23:44 UTC
Return-Path: <ek.ietf@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 628243A0BB3 for <opsawg@ietfa.amsl.com>; Sat, 12 Sep 2020 16:44:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.854
X-Spam-Level:
X-Spam-Status: No, score=-0.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s4FBvyCexNLN for <opsawg@ietfa.amsl.com>; Sat, 12 Sep 2020 16:44:52 -0700 (PDT)
Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 010523A0BDF for <opsawg@ietf.org>; Sat, 12 Sep 2020 16:44:51 -0700 (PDT)
Received: by mail-ot1-x331.google.com with SMTP id o8so3899338otl.4 for <opsawg@ietf.org>; Sat, 12 Sep 2020 16:44:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kSXJtgfUuoetyu7P+J26DB/rBiuzt8zPc3EcCyBKxeI=; b=LrM061Xvm9nrvaRXphdkX4S7J2FFINfXgFjem4sSF4LVB6dqE5hwasl1wRNbeqU77u gBv54avMj+ByjM/5Jbn00pckuBESo1xC9RsnaMZxfu9nygHxjX013Zas9dWVMMChjzFF fWxKRq2PxyHTCW2sDnq79+51cTLlXDOY/XCrH3YafdnY7kW1TIob0PkjiofL5nyExZCy DVTT3D81wVGZr1sgMnz30b/gHPAAXMyVczgU6v0pEnD1kunnM8r8CCs3Ncoe0csY7LiU IHgVMWMEfda9WOrwAfaeYfitA1lac2lmLglUA97KpN0k1PtWqYSR1nbso1/BTzd02wHZ 6kjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kSXJtgfUuoetyu7P+J26DB/rBiuzt8zPc3EcCyBKxeI=; b=KGA3dAxTME6jmBQk1RTd6vxf7bIN+EOexoErSC1xI3Ws7pXDhNse5fO3Wwd2rCn2pZ aEtHienxkBXKXwPWOvk1n1vERNix3Y9B9SUmp77nklE8C/7G4JBbgwF97ZI5W2hr8684 cCHx09lSf2/7KgTWfOZDdmVOEQcntJSMyyiGIPCKJEYDUHrpzRpTDWpKD6btCNCPz5NB FnNdSVyelHwbJh0ni/nRqlgEboKUH/Vb9QipHVL2UG/mNarLnnIW8gXjaOYw+Af8ysQv iaOfji9dbAU7wFsA/rlBsZ8ruF4Q67kWj8PQQF1iNGaUWy9EEQP+w9hZyfmPHs9DXxpe xAHw==
X-Gm-Message-State: AOAM533iMu0O+eZj0JDTv7qeVYKGLlW4JfJTCiQdQGoDDa6jChVqM61f j2ZhOdeEnNxsZeNZLtSIHmA/d9nSmyWDD6ueV2QkMSxS
X-Google-Smtp-Source: ABdhPJxlAi/x5wdxVsP4eO/4YeBOx9X3VVIhSXZPmA1sBVxLUnTwz1XabvDs5CtLhLZXP8G4wp+mJSL2H9RKb7x4wiE=
X-Received: by 2002:a05:6830:22f9:: with SMTP id t25mr5573900otc.155.1599954291157; Sat, 12 Sep 2020 16:44:51 -0700 (PDT)
MIME-Version: 1.0
References: <8450cc78-8c60-ff7a-19f5-ea7335d262cd@us.ntt.net> <m25z8kdoqb.wl-randy@psg.com> <CAMGpriXQ40z0secjMho1RCUcXWzbrL4u6CH5eK+YvugPtN4zLg@mail.gmail.com> <m2pn6rcz3e.wl-randy@psg.com>
In-Reply-To: <m2pn6rcz3e.wl-randy@psg.com>
From: Erik Kline <ek.ietf@gmail.com>
Date: Sat, 12 Sep 2020 16:44:40 -0700
Message-ID: <CAMGpriVfNX_oY-77vL4fHw_WpxpShW6FyfGKvxw4o98YUwxkQw@mail.gmail.com>
To: Randy Bush <randy@psg.com>
Cc: Massimo Candela <massimo@us.ntt.net>, opsawg@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002e6d1305af2663d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/fVfw90zoYjjDI3PgE-neoUBR1Po>
Subject: Re: [OPSAWG] Finding and Using Geofeed Data
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Sep 2020 23:44:55 -0000
On Fri, Sep 11, 2020 at 11:02 PM Randy Bush <randy@psg.com> wrote: > thanks for review! proposed diff attached. > Seems like a fair next step. =) I'll see about putting together a PR, too. > If the comments change, the signature changes? > > yep. otherwise vast complexity lurks. but is there a text change you > want? i may be naïve expecting that "a digest of the main body of the > file" is sufficient. > > > [a] the source of the geofeed claims is authoritative to make said > > claims for the contained prefixes, and > > iff you trust the rpki crypto chain > > > [b] the correctness of the claims themselves (i.e. that the location > of > > 2001:db8::/32 really is "Shire, Middle Earth"). > > above my pay grade > > do you have suggested text? > No, I don't and I don't think we need any. I just wanted to highlight that there're 2 different things that could be "authenticated" -- where geofeeds are concerned -- and this draft (rightly) only deals with one of them. Probably not worth text unless it turns out folks find it confusing. Thanks > The text from section 4 provides a suggestion: perhaps replace > > "authenticate" with "verify the authority of", or some such > > formulation? > > hmmmm. hacked a bit. > > > [ section 1 ] > > > > * Probably the intro should hint at the authentication awesomeness > contained > > within. I think, actually, the last paragraph of section 2 can just be > > relocated to the end of this section and it will flow well. > > ok > > > [[ nits ]] > > thanks! > > randy > > > < <http:///rfcdiff?url2=draft-ymbk-opsawg-finding-geofeeds.txt> > draft-ymbk-opsawg-finding-geofeeds.txt > <https://tools.ietf.org/html/draft-ymbk-opsawg-finding-geofeeds.txt> > draft-ymbk-opsawg-finding-geofeeds.txt > <https://tools.ietf.org/html/draft-ymbk-opsawg-finding-geofeeds.txt> > > <http:///rfcdiff?url1=draft-ymbk-opsawg-finding-geofeeds.txt> > skipping to change at* page 2, line 11 ¶* <#m_7593764623018977219_part-1> skipping > to change at* page 2, line 11 ¶* <#m_7593764623018977219_part-1> > carefully, as they describe your rights and restrictions with respect carefully, > as they describe your rights and restrictions with respect > to this document. Code Components extracted from this document must to > this document. Code Components extracted from this document must > include Simplified BSD License text as described in Section 4.e of include > Simplified BSD License text as described in Section 4.e of > the Trust Legal Provisions and are provided without warranty as the Trust > Legal Provisions and are provided without warranty as > described in the Simplified BSD License. described in the Simplified BSD > License. > Table of Contents Table of Contents > 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. > Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 > 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 1.1. > Requirements Language . . . . . . . . . . . . . . . . . . 2 > 2. Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . . 2 2. > Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . . 3 > 3. inetnum: Class . . . . . . . . . . . . . . . . . . . . . . . 3 3. > inetnum: Class . . . . . . . . . . . . . . . . . . . . . . . 3 > 4. Authenticating Geofeed Data . . . . . . . . . . . . . . . . . 3 4. > Authenticating Geofeed Data . . . . . . . . . . . . . . . . . 3 > 5. Operational Considerations . . . . . . . . . . . . . . . . . 5 5. > Operational Considerations . . . . . . . . . . . . . . . . . 5 > 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 6. > Security Considerations . . . . . . . . . . . . . . . . . . . 5 > 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 7. > IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 > 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 8. > Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 > 9. Normative References . . . . . . . . . . . . . . . . . . . . 5 9. > Normative References . . . . . . . . . . . . . . . . . . . . 6 > Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 7 Appendix > A. Example . . . . . . . . . . . . . . . . . . . . . . 7 > Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' > Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 > 1. Introduction 1. Introduction > Providers of Internet content and other services may wish to Providers of > Internet content and other services may wish to > customize those services based on the geographic location of the user customize > those services based on the geographic location of the user > of the service. This is often done using the source IP address used of > the service. This is often done using the source IP address used > to contact the service. Also, infrastructure and other services to > contact the service. Also, infrastructure and other services > might wish to publish the locale of their services. [RFC8805] might wish > to publish the locale of their services. [RFC8805] > defines geofeed, a syntax to associate geographic locales with IP defines > geofeed, a syntax to associate geographic locales with IP > addresses. But it does not specify how to find the relevant geofeed addresses. > But it does not specify how to find the relevant geofeed > data given an IP address. data given an IP address. > This document specifies how to augment the Routing Policy This document > specifies how to augment the Routing Policy > Specification Language (RPSL) [RFC2622] inetnum: class [INETNUM] to Specification > Language (RPSL) [RFC2622] inetnum: class [INETNUM] to > refer to geofeed data, and how to prudently use them. In all places refer > to geofeed data, and how to prudently use them. In all places > inetnum: is used, inet6num: should also be assumed [INET6NUM]. inetnum: > is used, inet6num: should also be assumed [INET6NUM]. > An optional, but utterly awesome, means for authenticating geofeed > data is also defined. > 1.1. Requirements Language 1.1. Requirements Language > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The > key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", > "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and > "OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" > in this document are to be interpreted as described in BCP > 14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 > [RFC2119] [RFC8174] when, and only when, they appear in all > capitals, as shown here. capitals, as shown here. > 2. Geofeed Files 2. Geofeed Files > skipping to change at* page 3, line 45 ¶* <#m_7593764623018977219_part-2> skipping > to change at* page 3, line 51 ¶* <#m_7593764623018977219_part-2> > inetnum: object with a geofeed reference MUST be used. inetnum: object > with a geofeed reference MUST be used. > When geofeed references are provided by multiple inetnum: objects When > geofeed references are provided by multiple inetnum: objects > which have identical address ranges, then the geofeed reference on which > have identical address ranges, then the geofeed reference on > the inetnum: with the most recent last-modified: attribute SHOULD be the > inetnum: with the most recent last-modified: attribute SHOULD be > preferred. preferred. > 4. Authenticating Geofeed Data 4. Authenticating Geofeed Data > The question arises on whether a particular geofeed data set is The > question arises on whether a particular geofeed data set is > authentic, i.e. authorized by the 'owner' of the IP address space and > valid, i.e. authorized by the 'owner' of the IP address space and is > is authoritative in some sense. The inetnum: which points to the authoritative > in some sense. The inetnum: which points to the > geofeed file provides some authentication. Unfortunately the RPSL in geofeed > file provides some assurance. Unfortunately the RPSL in many > many repositories is weakly authenticated at best. repositories is weakly > authenticated at best. > An optional authenticator MAY be appended to a geofeed file. It An > optional authenticator MAY be appended to a geofeed file. It > would essentially be a digest of the main body of the file signed by would > be essentially a digest of the main body of the file signed by > the private key of the relevant RPKI certificate for the covering the > private key of the relevant RPKI certificate for the covering > address range. One needs a format that bundles the relevant RPKI address > range. One needs a format that bundles the relevant RPKI > certificate with the signature and the digest of the geofeed text. certificate > with the signature and the digest of the geofeed text. > Borrowing detached signatures from [RFC5485], after text file Borrowing > detached signatures from [RFC5485], after text file > canonicalization (Sec 2.2), the Cryptographic Message Syntax (CMS) canonicalization > (Sec 2.2), the Cryptographic Message Syntax (CMS) > [RFC3852] would be used to create a detached DER encoded signature [RFC3852] > would be used to create a detached DER encoded signature > which is then BASE64 encoded and line wrapped to 72 or fewer which is > then BASE64 encoded and line wrapped to 72 or fewer > characters. characters. > skipping to change at* page 5, line 13 ¶* <#m_7593764623018977219_part-3> skipping > to change at* page 5, line 23 ¶* <#m_7593764623018977219_part-3> > # END Signature: 192.0.2.0/24 # END Signature: 192.0.2.0/24 > 5. Operational Considerations 5. Operational Considerations > Geofeed data SHOULD be fetched using https [RFC2818]. Geofeed data SHOULD > be fetched using https [RFC2818]. > When using data from a geofeed file, one MUST ignore data outside of When > using data from a geofeed file, one MUST ignore data outside of > the inetnum: object's inetnum: attribute's address range. the inetnum: > object's inetnum: attribute's address range. > Iff the geofeed file is not signed per Section 4, then multiple Iff the > geofeed file is not signed per Section 4, then multiple > inetnum: objectss MAY refer to the same geofeed file, and the inetnum: > objects MAY refer to the same geofeed file, and the consumer > consumer MUST use only geofeed lines where the prefix is covered by MUST > use only geofeed lines where the prefix is covered by the > the address range of the inetnum: object they have followed. address > range of the inetnum: object they have followed. > An entity fetching geofeed data through these mechanisms MUST NOT do An > entity fetching geofeed data through these mechanisms MUST NOT do > frequent real-time look-ups to prevent load on RPSL servers. And do frequent > real-time look-ups to prevent load on RPSL servers. And do > not fetch at midnight, because everyone else may. not fetch at midnight, > because everyone else may. > 6. Security Considerations 6. Security Considerations > It would be generally prudent for a consumer of geofeed data to also It > would be generally prudent for a consumer of geofeed data to also > use other sources to cross-validate the data. All of the Security use > other sources to cross-validate the data. All of the Security > Considerations of [RFC8805] apply here as well. Considerations of > [RFC8805] apply here as well. > As mentioned in Section 4, many RPSL repositories have weak if any As > mentioned in Section 4, many RPSL repositories have weak if any > authentication. This would allow spoofing of inetnum: objects authentication. > This would allow spoofing of inetnum: objects > pointing to malicious geofeed files. Section 4 suggests an sadly pointing > to malicious geofeed files. Section 4 suggests a sadly > complex method for stronger authentication based on the RPKI. complex > method for stronger authentication based on the RPKI. > 7. IANA Considerations 7. IANA Considerations > IANA is asked to register object identifiers for one content type in IANA > is asked to register object identifiers for one content type in > the "SMI Security for S/MIME CMS Content Type the "SMI Security for > S/MIME CMS Content Type > (1.2.840.113549.1.9.16.1)" registry as follows: (1.2.840.113549.1.9.16.1)" > registry as follows: > Description OID Specification Description OID Specification > ----------------------------------------------------------------- > ----------------------------------------------------------------- > End of changes. 7 change blocks. > *12 lines changed or deleted* *15 lines changed or added* > > This html diff was produced by rfcdiff 1.48. The latest version is > available from http://tools.ietf.org/tools/rfcdiff/ > <http://www.tools.ietf.org/tools/rfcdiff/> >
- [OPSAWG] Finding and Using Geofeed Data Massimo Candela
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Erik Kline
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Michael Richardson
- Re: [OPSAWG] Finding and Using Geofeed Data Erik Kline
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Joe Clarke (jclarke)
- Re: [OPSAWG] Finding and Using Geofeed Data Massimo Candela
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Michael Richardson
- Re: [OPSAWG] Finding and Using Geofeed Data Erik Kline
- Re: [OPSAWG] Finding and Using Geofeed Data Joe Clarke (jclarke)
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Joe Clarke (jclarke)
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Owen DeLong