Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00

Tim Bruijnzeels <tim@ripe.net> Sun, 17 July 2016 09:48 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CB5C12D580 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2016 02:48:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level:
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ivp1FeY1TEn1 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2016 02:47:59 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) by ietfa.amsl.com (Postfix) with ESMTP id 1A51912D552 for <sidr@ietf.org>; Sun, 17 Jul 2016 02:47:59 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bOifk-0001XJ-Ad; Sun, 17 Jul 2016 11:47:41 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-216.ripe.net) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bOifk-0007Mk-3N; Sun, 17 Jul 2016 11:47:40 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=windows-1252
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com>
Date: Sun, 17 Jul 2016 11:47:39 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <DC08C8ED-E611-4D95-A557-3EE74633F9A4@ripe.net>
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com>
To: Sandra Murphy <sandy@tislabs.com>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: --------
X-RIPE-Spam-Report: Spam Total Points: -8.0 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.4941]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719669cc6a267ce5d223b844a3829e52b90
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/BtKc3xJtMuWUwcPUsxLwgIyyzr4>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2016 09:48:01 -0000

Hi,

I have a number of late comments (unfortunately no time to read this in detail earlier)

First of all, I believe that the structure of the document, where analysis is done without going into details of solutions, is useful.

That said I have some substantial comments. I think the order of the analysis of the various objects in section 2 is not logical. This may sound like a trivial thing, but actually I think a re-ordering will help to think about the context and different vectors for each.

Comments on each case:

- CA certificates (section 2.5)

I suggest that section 2 should start with this. CA certificates are issued by parent CAs. So the sections on modification, revocation and injections make more sense to me here - they are all done by the parent of the CA that is affected by these actions.

@A-5.4.1: A shrink may be seen as adverse by the INR holder, but there may be reasons (e.g. transfers, temporary assignments, closure) why an RIR may have to reclaim certain resources. In our case these practices are based on community consensus in our address policy working group. So.. a specific INR holder may not be happy to see resources removed, but in some cases this is a feature, not a bug.

@A-5.4.2: I think this is being addressed by validation-reconsidered

@A-5.4.5: It may be hard to detect this case because of normal key rolls.

- Manifests (section 2.2) and CRLs (section 2.4)

These objects are part of the 'boilerplate' objects that a CA uses. To me they seem related. At least in our RP software we typically find the 'current' MFT and CRL for a validated CA certificate and then we use this to find and validate all other objects issued by this CA. So it would make sense to me to look at these next (as 2.2 and 2.3 after CA certificates)

In any case I don't think that the analysis of modification, revocation and injections are very useful here. For these to work an adverse agent needs to have access to the CA certificate's private key *and* repository. Bets are then just off.

I understand that you don't want to go in solution space here, but.. I believe that with RRDP we can now actually get multiple objects as a single delta. That means that a CA can publish a new MFT and CRL, and all its objects together.

This in turn means that an RP can find a MFT and CRL, check the thisUpdate/nextUpdate time to detect a withhold. And it can find all the objects enumerated on the MFT by hash. So it can detect withhold, replay or modification of other objects.

Ultimately the adverse actions by a repository (deletion, suppression, corruption) cannot be prevented, but they can be *detected*. And I believe this is relevant to the analysis of those adverse actions.


- Ghostbusters

No comment

- ROAs

Similarly to manifests I don't think that the analysis of modification, revocation and injections are very useful here. Bets are off if an adversary has the key and the repo.

I think it would be more useful to analyse what the general problem is w.r.t. outsourcing CA functions - as is done later in the doc. People do it because it's convenient, but obviously this means that you have to *trust* that the organisation you outsource to will do any of those M/R/I type adverse actions.

- Router Certs

Same concerns as ROAs

 












> On 30 Jun 2016, at 23:11, Sandra Murphy <sandy@tislabs.com> wrote:
> 
> The authors of draft-ietf-sidr-adverse-actions-00, "Adverse Actions by a Certification Authority (CA) or Repository Manager in the Resource Public Key Infrastructure (RPKI)”,  believe that the document is ready for a working group last call.
> 
> This starts a two week wglc which will end on 14 July 2016.
> 
> Please review the draft and send comments and your opinion of whether it is worthy of publication to the list.  Remember that support for publication is needed, and comments can improve quality, so lack of comments is not sufficient.
> 
> You can reach the document at https://tools.ietf.org/html/draft-ietf-sidr-adverse-actions-00 and https://datatracker.ietf.org/doc/draft-ietf-sidr-adverse-actions.
> 
> —Sandy, speaking as one of the wg co-chairs.
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr