IETF Logo Mail Archive

Re: [sidr] WGLC for draft-ietf-sidr-pfx-validate-06

Tim Bruijnzeels <tim@ripe.net> Mon, 18 June 2012 11:09 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E006B21F85A2 for <sidr@ietfa.amsl.com>; Mon, 18 Jun 2012 04:09:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bwi975-YQ8Cz for <sidr@ietfa.amsl.com>; Mon, 18 Jun 2012 04:09:49 -0700 (PDT)
Received: from postlady.ripe.net (postlady.ipv6.ripe.net [IPv6:2001:67c:2e8:11::c100:1341]) by ietfa.amsl.com (Postfix) with ESMTP id 08E6821F8593 for <sidr@ietf.org>; Mon, 18 Jun 2012 04:09:49 -0700 (PDT)
Received: from ayeaye.ripe.net ([193.0.23.5]) by postlady.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1SgZq5-0008AZ-0e; Mon, 18 Jun 2012 13:09:46 +0200
Received: from s258-sslvpn-1.ripe.net ([193.0.20.231] helo=vpn-10.ripe.net) by ayeaye.ripe.net with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1SgZq4-0005o6-HK; Mon, 18 Jun 2012 13:09:44 +0200
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <FE0B25DE-6166-4A46-9435-3A58DAA51BC2@cisco.com>
Date: Mon, 18 Jun 2012 13:09:43 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <A13B6A1C-188D-4EE3-A182-8F0CD7A1A0FF@ripe.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F1340A@Hermes.columbia.ads.sparta.com> <AFAF174A-F3D0-4D5C-A375-D7C8D283E5CE@ripe.net> <27839AC4-30E4-4C02-A64E-EAAC6F8B58D4@ripe.net> <FE0B25DE-6166-4A46-9435-3A58DAA51BC2@cisco.com>
To: Pradosh Mohapatra <pmohapat@cisco.com>
X-Mailer: Apple Mail (2.1084)
X-Anti-Virus: Kaspersky Anti-Virus for Linux Mail Server 5.6.48/RELEASE, bases: 20120425 #7816066, check: 20120618 clean
X-RIPE-Spam-Level: --
X-RIPE-Spam-Report: Spam Total Points: -2.9 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719eb8cb072e993f2cb524815bbd50229a3
Cc: "Murphy, Sandra" <Sandra.Murphy@sparta.com>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] WGLC for draft-ietf-sidr-pfx-validate-06
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2012 11:09:50 -0000

On 16 Jun 2012, at 22:59, Pradosh Mohapatra wrote:

> Hi Tim,
> 
> 
>>> Prefix validate assumes full knowledge of all applicable ROAs (or other sources of information if they are used) and I believe this should be stated more strongly.
>>> 
>>> The security considerations section addresses the possibility of a malicious attacker tampering with the database that is used for validation. It does not address the possibility of a database becoming incomplete for other reasons.
>> 
>> This is the main point I wanted to make. I believe this can be easily addressed by just stating the requirement in this document. Perhaps something along these lines at the end of the first paragraph in the security consideration section:
>> 
>> "Additional or missing records resulting from retrieval and/or validation errors can lead to the same problems."
>> 
>> The following was just a discussion on how RPs can mitigate these problems. But.. perhaps this is better addressed in a separate BCP, or future work on specifications related to the repository and retrieval/validation by RPs.
>> 
>> If the WG can agree with this then I can support last call..
> 
> 
> I do not agree this is a "security" issue. I am guessing you meant permanent/eventual inconsistencies between the local and global repositories (since transient inconsistencies will always be there). That kind of inconsistency is most certainly a (protocol) implementation error and has to be dealt with at that layer.
> 

I see your point about security, I don't really mind which section addresses this.

With inconsistencies I did not mean that the validated cache is out of date, which I agree, will always be there even if it could be minimised.

The inconsistencies I refer to are different in nature. It's that the snapshot that the RP tool got when it validated is in itself inconsistent: surplus or missing ROAs, or the hash of 1 or more ROAs doesn't match. Longer discussion omitted, but at this point the RP just doesn't know for certain what to do and guidance is needed. This is where *explicitly* stating a strong requirement, rather than leaving it implicit, in pfx-validate comes in..

Having this will help to either come up with best practices for RP tools, or preferably improvements to the repository related standards.

Anyway, I get the feeling that I am the only one here who sees this as a problem, so I guess the rough consensus is there..



Tim

v2.23.0 | Report a Bug | By Email