Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt

"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Fri, 08 June 2012 13:10 UTC

Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 502F821F881B for <sidr@ietfa.amsl.com>; Fri, 8 Jun 2012 06:10:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fSYbVA9UKQiX for <sidr@ietfa.amsl.com>; Fri, 8 Jun 2012 06:10:24 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 48E1321F8809 for <sidr@ietf.org>; Fri, 8 Jun 2012 06:10:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=13105; q=dns/txt; s=iport; t=1339161022; x=1340370622; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=kUJ55q1TkGivf87Puxg1WRFvOB+kodoFv9ZwnYZB6uY=; b=hkof86d7hzysSSkn42aOcJ0k398k6t2iVH4HqFXPvNMXrUEnI1BjKTDs fG4d/KGf235qPgB/HDabc828sFUz3lsv+l2qj3KUQwVuQZnUgjKyBkZ4w hEuxW+VxCNDPEPWjQVYCu/3F/2rWJmGXeZ/SIT++CsvOWLkPZJiiN37RO w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EALb40U+tJV2Z/2dsb2JhbABFtE6BB4IZAQEEEgFfBxACAQg/BzIUEQIEDgUZCYdpmTmfbYVwhTaFIGADlR6OFYFmgmCBVgIfBA
X-IronPort-AV: E=Sophos; i="4.75,738,1330905600"; d="scan'208,217"; a="90728102"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-5.cisco.com with ESMTP; 08 Jun 2012 13:10:21 +0000
Received: from xhc-rcd-x08.cisco.com (xhc-rcd-x08.cisco.com [173.37.183.82]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id q58DALV1005574 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 8 Jun 2012 13:10:21 GMT
Received: from xmb-rcd-x01.cisco.com ([169.254.1.99]) by xhc-rcd-x08.cisco.com ([173.37.183.82]) with mapi id 14.02.0298.004; Fri, 8 Jun 2012 08:10:21 -0500
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Terry Manderson <terry.manderson@icann.org>
Thread-Topic: [sidr] draft-ymbk-rpki-grandparenting-00.txt
Thread-Index: AQHNRXgOmeMHLOI6skGjzaABNoC0Kw==
Date: Fri, 8 Jun 2012 13:10:20 +0000
Message-ID: <2F3884FD-D52F-4C3C-8920-292DDFA11C65@cisco.com>
References: <CBF784C5.267EC%terry.manderson@icann.org>
In-Reply-To: <CBF784C5.267EC%terry.manderson@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.147.19.47]
x-tm-as-product-ver: SMEX-10.2.0.1135-6.800.1017-18954.006
x-tm-as-result: No--43.153200-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_2F3884FDD52F4C3C8920292DDFA11C65ciscocom_"
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jun 2012 13:10:25 -0000

Terry,

On Jun 8, 2012, at 2:30 AM, Terry Manderson wrote:

Hey Roque,

On 7/06/12 5:53 PM, "Roque Gagliano (rogaglia)" <rogaglia@cisco.com<mailto:rogaglia@cisco.com>> wrote:

On Jun 7, 2012, at 7:54 AM, Terry Manderson wrote:


I had the same reaction as you. I looked at the CP document and the Cert.
Profile. The best reference to this use-case is the second paragraph of the
Security Section on RFC 6487:
"   A resource certificate PKI cannot in and of itself resolve any forms
  of ambiguity relating to uniqueness of assertions of rights of use in
  the event that two or more valid certificates encompass the same
  resource.  If the issuance of resource certificates is aligned to the
  status of resource allocations and assignments, then the information
  conveyed in a certificate is no better than the information in the
  allocation and assignment databases."

Thanks for that. But aren't we ultimately talking about _who_ issues the
ROAs and what their contents are in relation to the intent of the resource
user?

This is more a question for Randy.

IMHO, his text says both:
"A may certify G's resources, or issue one or more EE certificates and ROAs for G's resources. Which is done is a local matter between A and G."

BTW, My understanding of that paragraph was about situations where you have
trust anchors that overlap.

Your english is definitely better than mine, but I do not find any reference to trust anchors. I think it applies generally to any registry database.


My understanding of Randy's proposal is that both C and G will have for a
period of time the "right of use" for the 10.42.2.0/23 address space.

The idealistic stance might be that the RPKI and associated drafts should
not recommend a situation of ambiguity. Being able to have two different
ROAs (with different ASNs) for the same prefix issued by EE certs from
different res certs (thus different private keys) seems like it is making
life tough for the relying party.

How would a RP check this? (think particularly on bottom-up fetch + validation)
What the RFC 6487 security section is basically saying is that you should be at least as good as your registration back-end.


Your
proposal on the first paragraph is an alternative but I would say that it will
be much harder to "make before break".

Is it?

So step wise since G is moving ISPs from C to A (and they originate the
route on G's behalf):

1) "C" has the 10.42.0.0/16, presumably ROA issued for 10.42.2.0/23, AS-'C'
(10.42.2.0/23 AS-"C" route VALID)
1.5) Worst case of "A" is slow between revoking/reissuing C's cert (all
routes UNKNOWN, but still routable)

Here you break. UNKNOWN/NOT FOUND may have a different policy (loc. pref. ,etc.).

2) "C" gets new cert from "A" for
10.42.0.0/23,10.42.4.0/22,10.42.8.0/21,10.42.16.0/20,10.42.32.0/19,10.42.64.
0/18,10.42.128.0/17. And recreates it's own ROAs (10.42.2.0/23 AS-"A" route
UNKNOWN)
3) "A" (on G's behalf) issues ROA for 10.42.2.0/23, AS-'A' (10.42.2.0/23
route VALID)

I think this is a very easy for a relying party to interpret, and 'get it
right'

If a recommendation comes forth that says:

step wise:
1) "C" has the 10.42.0.0/16, presumably ROA issued for 10.42.2.0/23, AS-'C'
(10.42.2.0/23 route VALID)
2) "A" on behalf of "G" issues ROA for 10.42.2.0/23, AS-'A' while ROA issued
for 10.42.2.0/23, AS-'C' exists (10.42.2.0/23 originated by both AS-"C" and
AS-"A" valid)
3) C removes the ROA 10.42.2.0/23, AS-'C' (10.42.2.0/23 originated by
AS-"G")

Keeping in mind that the example highlights that "C" is moving away from
provider "A", but keeping its address space. So at the point 2 is it clear
what is the intention of the IP address user "G"? Who it seems has no skin
in the game as "G" doesn't have a RPKI private key nor certificate.
I'm not sure (right now) that allowing multiple 'resource holders' to create
valid MOAS scenarios is a good idea. I accept MOAS do naturally exist, but
generally at the desire of one single resource holder or at least one would
hope.
Is my interpretation wrong here? Is this really just harmless? or does this
also then tease out political[*] aspects where an RIR can or might
'responsibly' issue RPKI objects from their own resource cert?

I have not written RP software, but I believe it will be harmless as it would validate.  I do not believe iit breaks the CP document as the only reference to "unique holder" that I found was in the abstract section.

All in all, I think it is good that Randy raised this issue. I wonder if we need another document or add it to the "Use Case" document as it has not yet been ship to the IESG.

Roque


[*] yes, yes, the IETF is not a politically focused organisation. ;)

Terry