Re: [secdir] Secdir review of draft-ietf-sidr-res-certs

Sam Hartman <hartmans-ietf@mit.edu> Thu, 10 March 2011 20:52 UTC

Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F2B1A3A6A1C; Thu, 10 Mar 2011 12:52:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.084
X-Spam-Level:
X-Spam-Status: No, score=-102.084 tagged_above=-999 required=5 tests=[AWL=-1.359, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, SARE_LWHUGE=1.54, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wxI1v174R9M3; Thu, 10 Mar 2011 12:52:58 -0800 (PST)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id EC3113A67F8; Thu, 10 Mar 2011 12:52:57 -0800 (PST)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 9A2CB2010F; Thu, 10 Mar 2011 15:51:31 -0500 (EST)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 8A242432D; Thu, 10 Mar 2011 15:53:44 -0500 (EST)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <tslhbbag9m1.fsf@mit.edu> <4D791B26.8020001@vpnc.org> <tsl4o7ag5fw.fsf@mit.edu> <4D79271E.6080707@vpnc.org>
Date: Thu, 10 Mar 2011 15:53:44 -0500
In-Reply-To: <4D79271E.6080707@vpnc.org> (Paul Hoffman's message of "Thu, 10 Mar 2011 11:31:42 -0800")
Message-ID: <tslzkp2elyf.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: draft-ietf-sidr-res-certs@tools.ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, ietf@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2011 20:53:00 -0000

>>>>> "Paul" == Paul Hoffman <paul.hoffman@vpnc.org> writes:


    Paul> I don't think either of us is missing something, we just
    Paul> disagree about what needs to happen if a fix that changes the
    Paul> semantics of the certs needs to be made to the system as a
    Paul> whole. For changes that don't change the semantics, you change
    Paul> an existing extension or other part of the certificate; for
    Paul> changes that need to change the system's semantics, you change
    Paul> the certificates in a way that relying parties that don't
    Paul> understand the change won't accept the certificate.

    Paul> Maybe you and I are envisioning different choices being made
    Paul> about those changes. I trust the IETF not to make a change
    Paul> that will cause a lot of relying parties to fail unless the
    Paul> IETF really thinks that is necessary; you may have less faith
    Paul> than I do. (You were on the IESG, so you get to be in the
    Paul> sausage-making more than I have...)


I do trust the IETF, which is why I think the current document is very
broken.  I want to give the IETF the *future* opportunity to balance
breaking RPs against confusing behavior.

I hate to get into a specific example, because it's very easy to attack
the example without the general point. However in the interests of
trying to explore our difference, I'd like to come up with a specific
example. I may drop the discussion if I feel that we're focusing on the
example rather than the general point.

So let's pretend that we'd been much more efficient about SIDR and that
the RPKI was done prior to 32-bit ASes being a significant issue.  Let's
pretend that RFC 3779 managed to specify the AS constraint in such a way
that 32-bit ASes were excluded. Perhaps there is an ASN.1 constraint on
the size of the AS that happens to be rigorously enforced by widely
deployed RPs.
Regardless of how it happened, assume that we cannot encode 32-bit ASes
in the existing extension.

In the current model, we have to come up with a new extension.
I think this means you need a new independent CA hierarchy for the
32-bit AS certificates. New RPs can use that hierarchy for 32-bit
ASes, all RPs use the old hierarchy for the 16-bit AS certs and to
the extent they are combined IP certs.
In theory we could some day combine these hierarchies when all the RPs
support 32-bit ASes. In practice we probably wouldn't because someone
out there would implement an RP that broke when the hierarchies were
combined and even though it would simplify things the risk of breakage
would not justify combining the hierarchies.

I'm not sure if this model works: I'd need to analyze whether you can
have multiple signatures on an RPKI object, whether you need to claim
both an AS and an IP address in signing a route, etc etc.  If we're
going to go forward with the current model we need at least convince
ourselves that even if we did have to duplicate the RPKI to deploy some
feature we could do so and not also duplicate the instances of the
protocols signing RPKI objects.

However, if we had a relaxed model, we'd give the IETF another option.
The IETF could also provide a new version of the AS extension for 32-bit
ASes.  There are huge tradeoffs here.  Only new RPs will validate the
32-bit ASes. So you can get into a situation where an RP who is unaware
of 32-bit ASes accepts a certificate that a newer RP would
reject. However, the 16-bit ASes in that certificate would validate. The
IP addresses in that certificate would validate.  An appropriately
authorized trust anchor would need to create a certificate with a valid
certification path that passed all the checks in the old profile.  Such
a certificate could only be used by an old-profile RP to validate
objects permitted under the old profile. An RP that understood 32-bit
ASes would be required to understand the 32-bit AS validation.

I don't know what the right choice would be in this situation.
However in similar situations I'd prefer to make that choice in the
future when the IETF is in a position to evaluate the tradeoffs rather
than forcing our hand now.

Similarly you could imagine a desire to add information to a certificate
for auditing, debugging or the like, where validation rules were not
changed. Again, I'd prefer to allow the IETF to decide whether breaking
RPs should be required to make such changes in the future rather than
now.  

Again, because of extension criticality, we always have the option to
force RPs to reject new things they don't understand. The question is
whether we want options beyond that.