IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-sidr-delta-protocol-05

Oleg Muravskiy <oleg@ripe.net> Sun, 05 February 2017 12:44 UTC

Return-Path: <oleg@ripe.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBE3212956A; Sun, 5 Feb 2017 04:44:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kr8nRlNsO-FE; Sun, 5 Feb 2017 04:44:28 -0800 (PST)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67684129563; Sun, 5 Feb 2017 04:44:28 -0800 (PST)
Received: from titi.ripe.net ([193.0.23.11]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <oleg@ripe.net>) id 1caMB7-000AKz-EC; Sun, 05 Feb 2017 13:44:26 +0100
Received: from dog.ripe.net ([193.0.1.217] helo=[IPv6:::1]) by titi.ripe.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.84_2) (envelope-from <oleg@ripe.net>) id 1caMB6-0004sj-3W; Sun, 05 Feb 2017 13:44:24 +0100
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_859A04C5-E554-4AB3-BDAE-FF178A6BBC7C"; protocol="application/pgp-signature"; micalg="pgp-sha256"
From: Oleg Muravskiy <oleg@ripe.net>
In-Reply-To: <8bee5b64-8b54-99f4-3e86-f6450f664fd6@mandelberg.org>
Date: Sun, 05 Feb 2017 13:44:22 +0100
Message-Id: <D43B1FF6-8A8A-42B5-BDF5-0DBA7E39344F@ripe.net>
References: <8bee5b64-8b54-99f4-3e86-f6450f664fd6@mandelberg.org>
To: David Mandelberg <david@mandelberg.org>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ------
X-RIPE-Spam-Report: Spam Total Points: -6.7 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.4923]
X-RIPE-Signature: c408758d4ce2e8eb06762a65a3365b74c156e9b0dc169faf27788eb1e6a5aa80
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Cgo6quTPeB2oerHyH9Q9sqqU7fk>
Cc: draft-ietf-sidr-delta-protocol.all@ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-sidr-delta-protocol-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Feb 2017 12:44:29 -0000

Hi David,

Thanks for your review and comments, I'll try to address them below in the text:

> On 28 Jan 2017, at 22:29, David Mandelberg <david@mandelberg.org> wrote:
> 
> Hi,
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> This document provides a new way for RPKI Relying Parties to download
> RPKI objects. As mentioned in the Security Considerations, those objects
> are already cryptographically signed. The RRDP protocol provides some
> additional security to the download process, with no changes to the
> security properties of the RPKI objects themselves.
> 
> I think this document is Ready with nits.
> 
> 
> 3.3.2: It seems strange to me that you use MUST when talking about the
> timing/performance of the repository server. Is this relevant to
> security? Or is there another reason for a MUST?

I do not think this time interval (less than 1 minute to publish updates for any CA) has a direct impact on the security. However, it'a also not about the performance of the publication server, but to guarantee the expectations on the staleness of the data in the repository, both from CA's and RP's point of view.
So I'd like to keep it a "MUST".

> 3.4.2: I think "update its last processed serial number to the serial
> number of this snapshot file" should say "delta file" instead.

Correct. Fixed in -06.

> 3.4.5: I'd recommend changing "in case of network issues" to "in case of
> network issues, or temporary failures of the repository server(s) or
> caching infrastructure".

I agree that "network issues" is only one possible cause. I'm not sure we could/should mention all of them in that paragraph, so I'll leave it with "Relying Parties may wish to employ re-try strategies while fetching RRDP files".

> 3.5.1.2: I think the last paragraph might make it harder for the server
> to recover from a temporary overload, since it can't tell clients to
> wait longer than 1 minute before re-fetching. It seems to me that
> letting the clients get a few minutes out of date until the server
> operator can provision more capacity is better than accidentally DoSing
> the server.

I think what we want to say here is that [for security reasons] RPs should not trust the HTTP caching headers for notification files, if they specify caching for longer than 1 minute, because those headers could be overwritten by the (CDN) distribution servers which might be out of control of the publication server operator.

One minute should be enough for a CDN to overcome DDoS anyway. Additionally, the If-Modified-Since: request header is mandatory, which also lowers the load on the server. And specifying 1 minute cache expiration on notification file does not mean an RP *will* come back for a new file after a minute.

So do you want a longer text in that paragraph?

> 3.5.4: Why is serial not an xsd:positiveInteger? Section 3.3.1 says that
> serials start at 1.

Correct. Fixed in -06.

Cheers,
Oleg

v2.23.0 | Report a Bug | By Email