IETF Logo Mail Archive

Re: [OPSAWG] Finding and Using Geofeed Data

Erik Kline <ek.ietf@gmail.com> Sat, 12 September 2020 23:44 UTC

Return-Path: <ek.ietf@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 628243A0BB3 for <opsawg@ietfa.amsl.com>; Sat, 12 Sep 2020 16:44:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.854
X-Spam-Level:
X-Spam-Status: No, score=-0.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s4FBvyCexNLN for <opsawg@ietfa.amsl.com>; Sat, 12 Sep 2020 16:44:52 -0700 (PDT)
Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 010523A0BDF for <opsawg@ietf.org>; Sat, 12 Sep 2020 16:44:51 -0700 (PDT)
Received: by mail-ot1-x331.google.com with SMTP id o8so3899338otl.4 for <opsawg@ietf.org>; Sat, 12 Sep 2020 16:44:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kSXJtgfUuoetyu7P+J26DB/rBiuzt8zPc3EcCyBKxeI=; b=LrM061Xvm9nrvaRXphdkX4S7J2FFINfXgFjem4sSF4LVB6dqE5hwasl1wRNbeqU77u gBv54avMj+ByjM/5Jbn00pckuBESo1xC9RsnaMZxfu9nygHxjX013Zas9dWVMMChjzFF fWxKRq2PxyHTCW2sDnq79+51cTLlXDOY/XCrH3YafdnY7kW1TIob0PkjiofL5nyExZCy DVTT3D81wVGZr1sgMnz30b/gHPAAXMyVczgU6v0pEnD1kunnM8r8CCs3Ncoe0csY7LiU IHgVMWMEfda9WOrwAfaeYfitA1lac2lmLglUA97KpN0k1PtWqYSR1nbso1/BTzd02wHZ 6kjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kSXJtgfUuoetyu7P+J26DB/rBiuzt8zPc3EcCyBKxeI=; b=KGA3dAxTME6jmBQk1RTd6vxf7bIN+EOexoErSC1xI3Ws7pXDhNse5fO3Wwd2rCn2pZ aEtHienxkBXKXwPWOvk1n1vERNix3Y9B9SUmp77nklE8C/7G4JBbgwF97ZI5W2hr8684 cCHx09lSf2/7KgTWfOZDdmVOEQcntJSMyyiGIPCKJEYDUHrpzRpTDWpKD6btCNCPz5NB FnNdSVyelHwbJh0ni/nRqlgEboKUH/Vb9QipHVL2UG/mNarLnnIW8gXjaOYw+Af8ysQv iaOfji9dbAU7wFsA/rlBsZ8ruF4Q67kWj8PQQF1iNGaUWy9EEQP+w9hZyfmPHs9DXxpe xAHw==
X-Gm-Message-State: AOAM533iMu0O+eZj0JDTv7qeVYKGLlW4JfJTCiQdQGoDDa6jChVqM61f j2ZhOdeEnNxsZeNZLtSIHmA/d9nSmyWDD6ueV2QkMSxS
X-Google-Smtp-Source: ABdhPJxlAi/x5wdxVsP4eO/4YeBOx9X3VVIhSXZPmA1sBVxLUnTwz1XabvDs5CtLhLZXP8G4wp+mJSL2H9RKb7x4wiE=
X-Received: by 2002:a05:6830:22f9:: with SMTP id t25mr5573900otc.155.1599954291157; Sat, 12 Sep 2020 16:44:51 -0700 (PDT)
MIME-Version: 1.0
References: <8450cc78-8c60-ff7a-19f5-ea7335d262cd@us.ntt.net> <m25z8kdoqb.wl-randy@psg.com> <CAMGpriXQ40z0secjMho1RCUcXWzbrL4u6CH5eK+YvugPtN4zLg@mail.gmail.com> <m2pn6rcz3e.wl-randy@psg.com>
In-Reply-To: <m2pn6rcz3e.wl-randy@psg.com>
From: Erik Kline <ek.ietf@gmail.com>
Date: Sat, 12 Sep 2020 16:44:40 -0700
Message-ID: <CAMGpriVfNX_oY-77vL4fHw_WpxpShW6FyfGKvxw4o98YUwxkQw@mail.gmail.com>
To: Randy Bush <randy@psg.com>
Cc: Massimo Candela <massimo@us.ntt.net>, opsawg@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002e6d1305af2663d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/fVfw90zoYjjDI3PgE-neoUBR1Po>
Subject: Re: [OPSAWG] Finding and Using Geofeed Data
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Sep 2020 23:44:55 -0000

On Fri, Sep 11, 2020 at 11:02 PM Randy Bush <randy@psg.com> wrote:

> thanks for review!  proposed diff attached.
>

Seems like a fair next step.  =)  I'll see about putting together a PR, too.

>   If the comments change, the signature changes?
>
> yep.  otherwise vast complexity lurks.  but is there a text change you
> want?  i may be naïve expecting that "a digest of the main body of the
> file" is sufficient.
>
> >     [a] the source of the geofeed claims is authoritative to make said
> >         claims for the contained prefixes, and
>
> iff you trust the rpki crypto chain
>
> >     [b] the correctness of the claims themselves (i.e. that the location
> of
> >         2001:db8::/32 really is "Shire, Middle Earth").
>
> above my pay grade
>
> do you have suggested text?
>

No, I don't and I don't think we need any.  I just wanted to highlight that
there're 2 different things that could be "authenticated" -- where geofeeds
are concerned -- and this draft (rightly) only deals with one of them.
Probably not worth text unless it turns out folks find it confusing.

Thanks

>   The text from section 4 provides a suggestion: perhaps replace
> >   "authenticate" with "verify the authority of", or some such
> >   formulation?
>
> hmmmm.  hacked a bit.
>
> > [ section 1 ]
> >
> > * Probably the intro should hint at the authentication awesomeness
> contained
> >   within.  I think, actually, the last paragraph of section 2 can just be
> >   relocated to the end of this section and it will flow well.
>
> ok
>
> > [[ nits ]]
>
> thanks!
>
> randy
>
>
> < <http:///rfcdiff?url2=draft-ymbk-opsawg-finding-geofeeds.txt>
> draft-ymbk-opsawg-finding-geofeeds.txt
> <https://tools.ietf.org/html/draft-ymbk-opsawg-finding-geofeeds.txt>
> draft-ymbk-opsawg-finding-geofeeds.txt
> <https://tools.ietf.org/html/draft-ymbk-opsawg-finding-geofeeds.txt> >
> <http:///rfcdiff?url1=draft-ymbk-opsawg-finding-geofeeds.txt>
> skipping to change at* page 2, line 11 ¶* <#m_7593764623018977219_part-1> skipping
> to change at* page 2, line 11 ¶* <#m_7593764623018977219_part-1>
> carefully, as they describe your rights and restrictions with respect carefully,
> as they describe your rights and restrictions with respect
> to this document. Code Components extracted from this document must to
> this document. Code Components extracted from this document must
> include Simplified BSD License text as described in Section 4.e of include
> Simplified BSD License text as described in Section 4.e of
> the Trust Legal Provisions and are provided without warranty as the Trust
> Legal Provisions and are provided without warranty as
> described in the Simplified BSD License. described in the Simplified BSD
> License.
> Table of Contents Table of Contents
> 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.
> Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
> 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 1.1.
> Requirements Language . . . . . . . . . . . . . . . . . . 2
> 2. Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . . 2 2.
> Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . . 3
> 3. inetnum: Class . . . . . . . . . . . . . . . . . . . . . . . 3 3.
> inetnum: Class . . . . . . . . . . . . . . . . . . . . . . . 3
> 4. Authenticating Geofeed Data . . . . . . . . . . . . . . . . . 3 4.
> Authenticating Geofeed Data . . . . . . . . . . . . . . . . . 3
> 5. Operational Considerations . . . . . . . . . . . . . . . . . 5 5.
> Operational Considerations . . . . . . . . . . . . . . . . . 5
> 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 6.
> Security Considerations . . . . . . . . . . . . . . . . . . . 5
> 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 7.
> IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
> 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 8.
> Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
> 9. Normative References . . . . . . . . . . . . . . . . . . . . 5 9.
> Normative References . . . . . . . . . . . . . . . . . . . . 6
> Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 7 Appendix
> A. Example . . . . . . . . . . . . . . . . . . . . . . 7
> Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors'
> Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
> 1. Introduction 1. Introduction
> Providers of Internet content and other services may wish to Providers of
> Internet content and other services may wish to
> customize those services based on the geographic location of the user customize
> those services based on the geographic location of the user
> of the service. This is often done using the source IP address used of
> the service. This is often done using the source IP address used
> to contact the service. Also, infrastructure and other services to
> contact the service. Also, infrastructure and other services
> might wish to publish the locale of their services. [RFC8805] might wish
> to publish the locale of their services. [RFC8805]
> defines geofeed, a syntax to associate geographic locales with IP defines
> geofeed, a syntax to associate geographic locales with IP
> addresses. But it does not specify how to find the relevant geofeed addresses.
> But it does not specify how to find the relevant geofeed
> data given an IP address. data given an IP address.
> This document specifies how to augment the Routing Policy This document
> specifies how to augment the Routing Policy
> Specification Language (RPSL) [RFC2622] inetnum: class [INETNUM] to Specification
> Language (RPSL) [RFC2622] inetnum: class [INETNUM] to
> refer to geofeed data, and how to prudently use them. In all places refer
> to geofeed data, and how to prudently use them. In all places
> inetnum: is used, inet6num: should also be assumed [INET6NUM]. inetnum:
> is used, inet6num: should also be assumed [INET6NUM].
> An optional, but utterly awesome, means for authenticating geofeed
> data is also defined.
> 1.1. Requirements Language 1.1. Requirements Language
> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The
> key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
> "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD",
> "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
> "OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL"
> in this document are to be interpreted as described in BCP
> 14 [RFC2119] [RFC8174] when, and only when, they appear in all 14
> [RFC2119] [RFC8174] when, and only when, they appear in all
> capitals, as shown here. capitals, as shown here.
> 2. Geofeed Files 2. Geofeed Files
> skipping to change at* page 3, line 45 ¶* <#m_7593764623018977219_part-2> skipping
> to change at* page 3, line 51 ¶* <#m_7593764623018977219_part-2>
> inetnum: object with a geofeed reference MUST be used. inetnum: object
> with a geofeed reference MUST be used.
> When geofeed references are provided by multiple inetnum: objects When
> geofeed references are provided by multiple inetnum: objects
> which have identical address ranges, then the geofeed reference on which
> have identical address ranges, then the geofeed reference on
> the inetnum: with the most recent last-modified: attribute SHOULD be the
> inetnum: with the most recent last-modified: attribute SHOULD be
> preferred. preferred.
> 4. Authenticating Geofeed Data 4. Authenticating Geofeed Data
> The question arises on whether a particular geofeed data set is The
> question arises on whether a particular geofeed data set is
> authentic, i.e. authorized by the 'owner' of the IP address space and
> valid, i.e. authorized by the 'owner' of the IP address space and is
> is authoritative in some sense. The inetnum: which points to the authoritative
> in some sense. The inetnum: which points to the
> geofeed file provides some authentication. Unfortunately the RPSL in geofeed
> file provides some assurance. Unfortunately the RPSL in many
> many repositories is weakly authenticated at best. repositories is weakly
> authenticated at best.
> An optional authenticator MAY be appended to a geofeed file. It An
> optional authenticator MAY be appended to a geofeed file. It
> would essentially be a digest of the main body of the file signed by would
> be essentially a digest of the main body of the file signed by
> the private key of the relevant RPKI certificate for the covering the
> private key of the relevant RPKI certificate for the covering
> address range. One needs a format that bundles the relevant RPKI address
> range. One needs a format that bundles the relevant RPKI
> certificate with the signature and the digest of the geofeed text. certificate
> with the signature and the digest of the geofeed text.
> Borrowing detached signatures from [RFC5485], after text file Borrowing
> detached signatures from [RFC5485], after text file
> canonicalization (Sec 2.2), the Cryptographic Message Syntax (CMS) canonicalization
> (Sec 2.2), the Cryptographic Message Syntax (CMS)
> [RFC3852] would be used to create a detached DER encoded signature [RFC3852]
> would be used to create a detached DER encoded signature
> which is then BASE64 encoded and line wrapped to 72 or fewer which is
> then BASE64 encoded and line wrapped to 72 or fewer
> characters. characters.
> skipping to change at* page 5, line 13 ¶* <#m_7593764623018977219_part-3> skipping
> to change at* page 5, line 23 ¶* <#m_7593764623018977219_part-3>
> # END Signature: 192.0.2.0/24 # END Signature: 192.0.2.0/24
> 5. Operational Considerations 5. Operational Considerations
> Geofeed data SHOULD be fetched using https [RFC2818]. Geofeed data SHOULD
> be fetched using https [RFC2818].
> When using data from a geofeed file, one MUST ignore data outside of When
> using data from a geofeed file, one MUST ignore data outside of
> the inetnum: object's inetnum: attribute's address range. the inetnum:
> object's inetnum: attribute's address range.
> Iff the geofeed file is not signed per Section 4, then multiple Iff the
> geofeed file is not signed per Section 4, then multiple
> inetnum: objectss MAY refer to the same geofeed file, and the inetnum:
> objects MAY refer to the same geofeed file, and the consumer
> consumer MUST use only geofeed lines where the prefix is covered by MUST
> use only geofeed lines where the prefix is covered by the
> the address range of the inetnum: object they have followed. address
> range of the inetnum: object they have followed.
> An entity fetching geofeed data through these mechanisms MUST NOT do An
> entity fetching geofeed data through these mechanisms MUST NOT do
> frequent real-time look-ups to prevent load on RPSL servers. And do frequent
> real-time look-ups to prevent load on RPSL servers. And do
> not fetch at midnight, because everyone else may. not fetch at midnight,
> because everyone else may.
> 6. Security Considerations 6. Security Considerations
> It would be generally prudent for a consumer of geofeed data to also It
> would be generally prudent for a consumer of geofeed data to also
> use other sources to cross-validate the data. All of the Security use
> other sources to cross-validate the data. All of the Security
> Considerations of [RFC8805] apply here as well. Considerations of
> [RFC8805] apply here as well.
> As mentioned in Section 4, many RPSL repositories have weak if any As
> mentioned in Section 4, many RPSL repositories have weak if any
> authentication. This would allow spoofing of inetnum: objects authentication.
> This would allow spoofing of inetnum: objects
> pointing to malicious geofeed files. Section 4 suggests an sadly pointing
> to malicious geofeed files. Section 4 suggests a sadly
> complex method for stronger authentication based on the RPKI. complex
> method for stronger authentication based on the RPKI.
> 7. IANA Considerations 7. IANA Considerations
> IANA is asked to register object identifiers for one content type in IANA
> is asked to register object identifiers for one content type in
> the "SMI Security for S/MIME CMS Content Type the "SMI Security for
> S/MIME CMS Content Type
> (1.2.840.113549.1.9.16.1)" registry as follows: (1.2.840.113549.1.9.16.1)"
> registry as follows:
> Description OID Specification Description OID Specification
> -----------------------------------------------------------------
> -----------------------------------------------------------------
>  End of changes. 7 change blocks.
> *12 lines changed or deleted* *15 lines changed or added*
>
> This html diff was produced by rfcdiff 1.48. The latest version is
> available from http://tools.ietf.org/tools/rfcdiff/
> <http://www.tools.ietf.org/tools/rfcdiff/>
>

v2.23.0 | Report a Bug | By Email