IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-sidr-delta-protocol-05

Oleg Muravskiy <oleg@ripe.net> Wed, 08 February 2017 11:04 UTC

Return-Path: <oleg@ripe.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6170B126CD8; Wed, 8 Feb 2017 03:04:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hxzof1fl-7Pb; Wed, 8 Feb 2017 03:04:54 -0800 (PST)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61A57126579; Wed, 8 Feb 2017 03:04:54 -0800 (PST)
Received: from titi.ripe.net ([193.0.23.11]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <oleg@ripe.net>) id 1cbQ3P-0009B2-My; Wed, 08 Feb 2017 12:04:53 +0100
Received: from dog.ripe.net ([193.0.1.217] helo=[IPv6:::1]) by titi.ripe.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.84_2) (envelope-from <oleg@ripe.net>) id 1cbQ3O-0001Et-ET; Wed, 08 Feb 2017 12:04:50 +0100
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_F07CAB92-5F5C-4D4C-A861-A5AE561197F7"; protocol="application/pgp-signature"; micalg="pgp-sha256"
From: Oleg Muravskiy <oleg@ripe.net>
In-Reply-To: <7f56ecd6-1753-ad26-0ff3-1cde6e3fe63d@mandelberg.org>
Date: Wed, 08 Feb 2017 12:04:49 +0100
Message-Id: <8048CCD5-0D86-4C33-8F8A-C74728FE8B67@ripe.net>
References: <8bee5b64-8b54-99f4-3e86-f6450f664fd6@mandelberg.org> <D43B1FF6-8A8A-42B5-BDF5-0DBA7E39344F@ripe.net> <7f56ecd6-1753-ad26-0ff3-1cde6e3fe63d@mandelberg.org>
To: David Mandelberg <david@mandelberg.org>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ---------
X-RIPE-Spam-Report: Spam Total Points: -9.4 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: c408758d4ce2e8eb06762a65a3365b74b9f924d4ac838e63fb7605785a1ccb2c
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Tg_9hS46VlYHCg3ulVB-6KH3oPM>
Cc: draft-ietf-sidr-delta-protocol.all@ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-sidr-delta-protocol-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 11:04:55 -0000

Hi everybody,

> On 05 Feb 2017, at 18:23, David Mandelberg <david@mandelberg.org> wrote:
> 
> On 02/05/2017 07:44 AM, Oleg Muravskiy wrote:
>>> On 28 Jan 2017, at 22:29, David Mandelberg <david@mandelberg.org> wrote:
>>> 3.5.1.2: I think the last paragraph might make it harder for the server
>>> to recover from a temporary overload, since it can't tell clients to
>>> wait longer than 1 minute before re-fetching. It seems to me that
>>> letting the clients get a few minutes out of date until the server
>>> operator can provision more capacity is better than accidentally DoSing
>>> the server.
>> 
>> I think what we want to say here is that [for security reasons] RPs should not trust the HTTP caching headers for notification files, if they specify caching for longer than 1 minute, because those headers could be overwritten by the (CDN) distribution servers which might be out of control of the publication server operator.
>> 
>> One minute should be enough for a CDN to overcome DDoS anyway. Additionally, the If-Modified-Since: request header is mandatory, which also lowers the load on the server. And specifying 1 minute cache expiration on notification file does not mean an RP *will* come back for a new file after a minute.
>> 
>> So do you want a longer text in that paragraph?
> 
> No, I think the existing text adequately explains what you're saying. I
> still think it's excessive to poll every 1 minute without honoring
> headers that say to wait longer*. But I don't think it's a security
> issue, and I don't think my opinion on this should delay publication.
> 
> * I was aware of the issue you described where RPs should not trust
> unverified headers, so I'm not advocating for unconditional trust of the
> headers. I just think the RPs should trust the caching headers up to,
> maybe, 1 hour instead of 1 minute. But even 5 minutes would give CDN
> operators a lot more leeway to shed load.

Reading the paragraph in question again:

   Relying Parties SHOULD NOT cache the notification file for longer
   than 1 minute, regardless of the headers set by the repository server
   or CDN.

I think it could be misinterpreted in a way that RP should re-fetch notification file even if being in a middle of a validation run, which is wrong. So I propose a new text:

  In case of a high load on a repository server or its distribution
  network, the Cache-Control HTTP header, or a similar mechanism, MAY
  be used to suggest an optimal (for the repository server) poll
  interval for Relying Parties. However, setting it to an interval
  longer than 1 hour is NOT RECOMMENDED. Relying parties SHOULD align
  the suggested interval with their operational practices and the
  expected update frequency of RPKI repository data, and MAY discard
  suggested value.

What do you think?


Oleg

v2.23.0 | Report a Bug | By Email