Re: [sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-01.txt

Oleg Muravskiy <> Mon, 11 July 2016 08:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 123B412B040 for <>; Mon, 11 Jul 2016 01:36:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.187
X-Spam-Status: No, score=-8.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pBWz3hWGIs1R for <>; Mon, 11 Jul 2016 01:36:39 -0700 (PDT)
Received: from ( [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DB6D8128874 for <>; Mon, 11 Jul 2016 01:36:38 -0700 (PDT)
Received: from ([]) by with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <>) id 1bMWhd-00085S-4d; Mon, 11 Jul 2016 10:36:34 +0200
Received: from ([] helo=[IPv6:::1]) by with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <>) id 1bMWhb-0004qx-UH; Mon, 11 Jul 2016 10:36:31 +0200
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: text/plain; charset="utf-8"
From: Oleg Muravskiy <>
In-Reply-To: <>
Date: Mon, 11 Jul 2016 10:36:31 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Declan Ma <>
X-Mailer: Apple Mail (2.2104)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: --------
X-RIPE-Spam-Report: Spam Total Points: -8.8 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20% [score: 0.0548]
X-RIPE-Signature: c408758d4ce2e8eb06762a65a3365b743b8fcd24688ea844e1036ee5a6812a67
Archived-At: <>
Cc: sidr <>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-01.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Jul 2016 08:36:41 -0000


> On 10 Jul 2016, at 16:08, Declan Ma <> wrote:
> Oleg,
> I think this version is much better.
> Yet I still have a question with Section Security Considerations:
> "In contrast, objects whose content hash matches the hash listed in
>   the manifest, but that are not located in the publication directory
>   listed in their CA certificate, will be used in the validation
>   process (although a warning will be issued in that case).”
> Given these sorts of objects have been found somehow, in a different repository as described in Section 3.2.2. Manifest entries validation, your RP will take accept them anyway, using them in validation. 
> What if this manifest is a stale one when the latest MFT has been deleted maliciously or inadvertently? 
> A ROA found in a different repository may has been removed by the administrator and an attacker just replaces this ROA into that ‘different repository’  with poor management. 
> There could be many risks here. I wonder why you take this approach.
> Di

Let's look at this case in more detail.

What you describe is that there used to be a valid ROA properly described by a manifest with number X. Then the change happened and in the manifest version X+1 that ROA is not listed anymore, and a new CRL that revokes that ROA is listed. The ROA file is also removed from the repository directory, and new CRL and manifest files replaced their previous versions.

Now, the RP does a new fetch of the repository content, and somehow gets the old version of the manifest, but the new content of directory, so:

- with rsync repository, the rsync stream needs to be tempered with, so that the new manifest is replaced by the old one, but the rest of the stream remains the same;

- with RRDP repository, the content of a snapshot or a delta needs to be tempered with, so that it does not contain a replace for the manifest.

In this situation the validator on the RP side could detect a mismatch, but it needs to decide whom to trust more: the RPKI-signed content of the manifest, or not RPKI-signed (and in case of rsync, not signed at all) content of an RRDP snapshot/delta or an rsync directory.

If we would choose to trust the rsync or RRDP content, then an attacker could easily remove a valid ROA (or certificate) from the stream, which probably is the simplest sort of attack the MITM could implement in case of RPKI. 

So we chose to trust the RPKI-signed content. 


>> 在 2016年7月9日,07:04,Oleg Muravskiy <> 写道:
>> This is an update to the draft-ietf-sidr-rpki-tree-validation.
>> No major changes, mostly clarifications that address comments from Steve Kent, and additional information as requested at the previous WG session.  Hope this version is more clear and close to final.
>> Oleg
>>> On 09 Jul 2016, at 00:51, wrote:
>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>> This draft is a work item of the Secure Inter-Domain Routing of the IETF.
>>>      Title           : RPKI Certificate Tree Validation by a Relying Party Tool
>>>      Authors         : Oleg Muravskiy
>>>                        Tim Bruijnzeels
>>> 	Filename        : draft-ietf-sidr-rpki-tree-validation-01.txt
>>> 	Pages           : 12
>>> 	Date            : 2016-07-08
>>> Abstract:
>>> This document describes the approach to validate the content of the
>>> RPKI certificate tree, as used by the RIPE NCC RPKI Validator.  This
>>> approach is independent of a particular object retrieval mechanism.
>>> This allows it to be used with repositories available over the rsync
>>> protocol, the RPKI Repository Delta Protocol, and repositories that
>>> use a mix of both.
>>> This algorithm does not rely on content of repository directories,
>>> but uses the Authority Key Identifier (AKI) field of a manifest and a
>>> certificate revocation list (CRL) objects to discover manifest and
>>> CRL objects issued by a particular Certificate Authority (CA).  It
>>> further uses the hashes of manifest entries to discover other objects
>>> issued by the CA.
>>> The IETF datatracker status page for this draft is:
>>> There's also a htmlized version available at:
>>> A diff from the previous version is available at:
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at
>>> Internet-Drafts are also available by anonymous FTP at:
>>> _______________________________________________
>>> sidr mailing list
>> _______________________________________________
>> sidr mailing list