Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-finding-geofeeds-10: (with DISCUSS and COMMENT)
Russ Housley <housley@vigilsec.com> Wed, 19 May 2021 22:19 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 887863A2150 for <opsawg@ietfa.amsl.com>; Wed, 19 May 2021 15:19:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IM20nahX279N for <opsawg@ietfa.amsl.com>; Wed, 19 May 2021 15:19:35 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0EF03A214C for <opsawg@ietf.org>; Wed, 19 May 2021 15:19:34 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id BB1B9300BEB for <opsawg@ietf.org>; Wed, 19 May 2021 18:11:30 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id KYfrSripnpL7 for <opsawg@ietf.org>; Wed, 19 May 2021 18:11:21 -0400 (EDT)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 836EA300B9A; Wed, 19 May 2021 18:11:21 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.20\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <4a5113cbdd134cc6ab64f0c8cd505887@cert.org>
Date: Wed, 19 May 2021 18:11:20 -0400
Cc: IESG <iesg@ietf.org>, "draft-ietf-opsawg-finding-geofeeds@ietf.org" <draft-ietf-opsawg-finding-geofeeds@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, Ops Area WG <opsawg@ietf.org>, George Michaelson <ggm@algebras.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <249549DE-1316-4B01-8416-DE115E82FDE0@vigilsec.com>
References: <162137200225.19763.15610320941214951948@ietfa.amsl.com> <8CDA1FF9-1C6B-4FD8-9764-E3029949AEFB@vigilsec.com> <4a5113cbdd134cc6ab64f0c8cd505887@cert.org>
To: "Roman D. Danyliw" <rdd@cert.org>
X-Mailer: Apple Mail (2.3445.104.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/zYwS9OHWhzkXrfXVUu4ZG16-2GI>
Subject: Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-finding-geofeeds-10: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2021 22:19:40 -0000
Thanks Roman. Two follow-up comments in line. Russ > On May 19, 2021, at 5:59 PM, Roman Danyliw <rdd@cert.org> wrote: > > Hi Russ! > > Inline ... > >> -----Original Message----- >> From: Russ Housley <housley@vigilsec.com> >> Sent: Wednesday, May 19, 2021 11:27 AM >> To: Roman Danyliw <rdd@cert.org> >> Cc: IESG <iesg@ietf.org>; draft-ietf-opsawg-finding-geofeeds@ietf.org; >> opsawg-chairs@ietf.org; Ops Area WG <opsawg@ietf.org>; George Michaelson >> <ggm@algebras.org> >> Subject: Re: Roman Danyliw's Discuss on draft-ietf-opsawg-finding-geofeeds- >> 10: (with DISCUSS and COMMENT) >> >> Roman: >> >> Addressing some of your comments below. I'm leaving others to my co- >> authors. >> >>> ---------------------------------------------------------------------- >>> DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> The validation process for the signature computed in Section 4 seems >>> underspecified. >>> >>> For example, let’s consider the example in Appendix A. Through a whois >> query >>> for 192.0.2.0 one finds a “remarks: Geofeed <https url>” field which >>> leads to a geofeed file which had the detached CMS signature blob “# >>> RPKI >>> Signature: 192.0.2.0/24” depicted at the end of Appendix A. What >>> reference or text guides how to validate that signature in the RPKI >>> (akin to the level of detail in Section 3.3 of RFC7909 or RFC6125)? >>> >>> I’m inferring that the steps would roughly be: >>> >>> ** Download the end-entity certificate identified by the >>> subjectKeyIdentifier field via the pointer/URI in the >>> “subjectInfoAccess” field extracted from the CMS signature blob >>> >>> ** Download the intermediate certificate identified by the >>> authorityKeyIdentifier field via the pointer/URI in the “caIssuer” >>> field extracted from the CMS signature blob >>> >>> ** Based on the RIR identified in the whois query, download the RPKI >>> trust anchor of the RIR >>> >>> ** Validate the certificate chain from the RPKI trust anchor down to >>> the end-entity certificate. Check that all of the basicConstraints, >>> certificatePolicies, etc. are accurate. Check the CRL. >>> >>> ** Verify that the end-entity certificate contains the IP address of >>> interest >>> (192.0.2.0) in the sbgp-ipAddrBlock field >>> >>> ** Validate the signature using the algorithm identified in the CMS >>> signature blog using the end-entity certificate >>> >>> Is that the process? Is that stated somewhere in the document or >>> available via reference? >> >> I suggest the following changes in Section 4: >> >> OLD: >> >> Validation of the signing certificate needs to ensure that it is part >> of the current manifest and that the resources are covered by the >> RPKI certificate. >> >> As the signer specifies the covered RPKI resources relevant to the >> signature, the RPKI certificate covering the inetnum: object's >> address range is included in the [RFC5652] CMS SignedData >> certificates field. >> >> Identifying the private key associated with the certificate, and >> getting the department with the Hardware Security Module (HSM) to >> sign the CMS blob is left as an exercise for the implementor. On the >> other hand, verifying the signature requires no complexity; the >> certificate, which can be validated in the public RPKI, has the >> needed public key. >> >> NEW: >> >> As the signer specifies the covered RPKI resources relevant to the >> signature, the RPKI certificate covering the inetnum: object's >> address range is included in the [RFC5652] CMS SignedData >> certificates field. >> >> Identifying the private key associated with the certificate, and >> getting the department with the Hardware Security Module (HSM) to >> sign the CMS blob is left as an exercise for the implementor. On the >> other hand, verifying the signature requires no complexity; the >> certificate, which can be validated in the public RPKI, has the >> needed public key. >> >> The trust anchors for the RIRs are expected to already be available >> to the party performing signature validation. Validation of the CMS >> signature on the geofeed file involves: >> >> 1. Obtain the signer's certificate from an RPKI Repository. The certificate >> SubjectKeyIdentifier extension [RFC5280] MUST match the >> SubjectKeyIdentifier in the CMS SignerInfo SignerIdentifier [RFC5652]. >> If the key identifiers do not match, then validation MUST fail. >> >> 2. Construct the certification path for the signer's certificate. All of >> the needed certificates are expected to be readily available in the >> RPKI Repository. The certification path MUST be valid according to >> the validation algorithm in [RFC5280] and the additional checks >> specified in [RFC3779] associated with the IP Address Delegation >> certificate extension and the Autonomous System Identifier Delegation >> certificate extension. If certification path validation is unsuccessful, then >> validation MUST fail. >> >> 3. Validate the CMS SignedData as specified in [RFC5652] using the >> public key from the validated signer's certificate. If the signature >> validation is unsuccessful, then validation MUST fail. >> >> 4. Verify that the IP Address Delegation certificate extension [RFC3779] >> covers the address range of the geofeed file. If the address range is >> not covered, then validation MUST fail. >> >> If all of these steps MUST be successful to consider the geofeed file >> signature as valid. > > Works for me. Thanks for precisely stating the CMS field names which would not have been recognizable from my above short hand notation. > >>> >>> >>> ---------------------------------------------------------------------- >>> COMMENT: >>> ---------------------------------------------------------------------- >>> >>> Thank you to Kyle Rose for the SECDIR review. >>> >>> ** Section 3. "It is only used to authenticate a pointer to the >>> geofeed file and transport integrity of the data." >>> >>> To separate the notion of the transport security provided with TLS and >>> the object security provided by the RPKI signature, it might be cleaner to say: >>> >>> TLS and the web PKI authenticate the domain name in the URL and >>> provides confidentiality and integrity for the geofeed file in transit. >> >> The RPKI signature ought to be sufficient to consider the signature valid. The >> WebPKI is providing authentication and integrity of the fetched data, but if any >> of the data is modified at any point in the process, the RPKI signature will catch >> it. >> >>> ** Section 4. Per “Borrowing detached signatures from [RFC5485] …”, >>> I’m having trouble following which concept is being borrowed to >>> elevate this to a normative reference. >> >> With the changes to address your DISCUSS, this can probably be an >> informational reference. > > Agreed. > >>> ** Section 4. Per “the RPKI certificate covering the inetnum: >>> object's address range is included in the [RFC5652] CMS SignedData >>> certificates field”, can a more specific statement be made to say that >>> it would be the sbgp-ipAddrBlock field in the certificate? >> >> I think this is already explained in the definition of 'covers'. Am I missing >> something? > > With the precision you provided in the response to the DISCUSS, I would have rephrased my original comment to: > > NEW > ... the RPKI certificate covering the inetnum: object's address range is included in the IP Address Delegation certificate extension [RFC3779] field. I think this is resolved by the 4th item in the checking process. That said, it would not be bad to highlight that earlier in the section. > > >>> object's address range is included in the [RFC5652] CMS SignedData >>> certificates field > >>> ** Section 4. Per the format of the signature appended to the geofeed file: >>> # RPKI Signature: 192.0.2.0/24 >>> # >> MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKo >> Z >>> # >> IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7h >> Zu >>> ... >>> # >> imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa >>> # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk= >>> # End Signature: 192.0.2.0/24 >>> >>> -- Are the header “# RPKI Signature: 192.0.2.0/24” and footer “# End >> Signature: >>> 192.0.2.0/24” syntactically required? If would seem so, but that’s >>> never explicitly stated and can only be inferred via the example. It >>> would be helpful to explicitly clarify that. >> >> Yes, they are required. Randy, can you suggest a MUST statement? > > I figured. I'm thinking it just needs a sentence to say that. > >>> ** Appendix A. >>> >>> Section 4 says: “As the signer specifies the covered RPKI resources >>> relevant to the signature, the RPKI certificate covering the inetnum: object's >> address >>> range is included in the [RFC5652] CMS SignedData certificates field.” I was >>> expecting the end-entity certificate to encode “192.0.2.0/24” in the >>> sbgp-ipAddrBlock field. The CA certificate has this IP block, but the >>> end-entity certificate decodes the sbgp-ipAddBlock field to “IPv4: >>> inherit >>> IPv6: inherit”. Is that expected -- to have both an ipv4 and ipv6 >>> annotation (since the previous certificate in the chain only mentioned >>> IPv4), and not explicitly repeat the IPv4 value? >> >> This will be done when the CA is issuing a subordinate certificate explicitly for >> geofeed signing. This is good key hygene to use a given key for only one >> purpose. > > There was a CMS structure subtlety that I didn't understand. The CA cert made no reference to v6, but the end-point one did. Since the geofeed file in Appendix A only has an IPv4 address block, I should probably drop the IPv6:inherit. Russ
- [OPSAWG] Roman Danyliw's Discuss on draft-ietf-op… Roman Danyliw via Datatracker
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Russ Housley
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Roman Danyliw
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Russ Housley