[secdir] SecDir review of draft-ietf-sidr-repos-struct-08

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 03 July 2011 19:14 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FA6D11E80A2; Sun, 3 Jul 2011 12:14:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QkvMSAX5F902; Sun, 3 Jul 2011 12:14:21 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id B1B7C11E80A1; Sun, 3 Jul 2011 12:14:20 -0700 (PDT)
Received: by wwe5 with SMTP id 5so3036888wwe.13 for <multiple recipients>; Sun, 03 Jul 2011 12:14:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=1DQMgXc+OBiLMnEka7Z87guAA2v/4FRNrMjo7ANm7N0=; b=BegAuR3T2iSA+RP/sph+wMSCpwnjkhLHT8idT/91tW4xmRzCpKCCb6GukTsSOXawKc s3X982JGu231sIi+dtkNhS9Wiw8AUJRj/96B3LQx4laa4V47hS6QTvxl1U3Dz0h5GCCB BpDdrTul32KUB07oquzTmLOM5ag4NtecNeT5U=
Received: by 10.227.148.220 with SMTP id q28mr4820350wbv.29.1309720458573; Sun, 03 Jul 2011 12:14:18 -0700 (PDT)
Received: from [10.0.0.4] (bzq-79-177-192-201.red.bezeqint.net [79.177.192.201]) by mx.google.com with ESMTPS id d19sm3898721wbh.8.2011.07.03.12.14.16 (version=SSLv3 cipher=OTHER); Sun, 03 Jul 2011 12:14:17 -0700 (PDT)
Message-ID: <4E10BF86.6010003@gmail.com>
Date: Sun, 03 Jul 2011 22:14:14 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: Security Area Directorate <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-sidr-repos-struct.all@tools.ietf.org
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Subject: [secdir] SecDir review of draft-ietf-sidr-repos-struct-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Jul 2011 19:14:22 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments


This draft describes the structure of the RPKI repositories. This is a 
dedicated, even more complex than usual PKI deployment.


The security considerations are short, considering that the entire 
document is about the security underpinnings of a critical 
infrastructure. However they do make sense to me. I do have two comments:

• The mandatory use or Rsync (vs. e.g. simple HTTP) in a one-way content 
retrieval context seems like a questionable security vs. operational 
cost trade-off. Rsync is complex and has seen various security 
vulnerabilities over the years: 
http://secunia.com/advisories/search/?search=rsync. BTW, the reference 
"to rsync" only defines the URI format. As to a formal specification of 
the protocol, guess what? 
http://lists.samba.org/archive/rsync/2008-October/021927.html.
• The following sentence seems to require clarification, and hints at 
possible risks/mitigations: "However, even the use of manifests and CRLs 
will not allow a relying party to detect all forms of substitution 
attacks based on older (but not expired) valid objects."

Thanks,
Yaron