Re: [sidr] looking at repository withholding attacks.
Stephen Kent <kent@bbn.com> Wed, 20 July 2011 17:23 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A196421F8AE4 for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 10:23:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.901
X-Spam-Level:
X-Spam-Status: No, score=-105.901 tagged_above=-999 required=5 tests=[AWL=-0.698, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03PYA+mVedVe for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 10:23:11 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 1138921F8AD6 for <sidr@ietf.org>; Wed, 20 Jul 2011 10:23:10 -0700 (PDT)
Received: from dhcp89-089-043.bbn.com ([128.89.89.43]:49165) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QjaTz-000PYP-BC; Wed, 20 Jul 2011 13:22:51 -0400
Mime-Version: 1.0
Message-Id: <p0624080aca4cbbea9b65@[128.89.89.43]>
In-Reply-To: <CA4CA858.17FE2%terry.manderson@icann.org>
References: <CA4CA858.17FE2%terry.manderson@icann.org>
Date: Wed, 20 Jul 2011 13:22:36 -0400
To: Terry Manderson <terry.manderson@icann.org>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] looking at repository withholding attacks.
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 17:23:11 -0000
Terry, The repository document mandates that each CA issue a manifest and maintain it in an up-to-date fashion; that's pretty clear. For example, 4.2.1 says "If the authority alters any of the items that it has published in the repository publication point, then the authority MUST issue a new manifest before the nextUpdate time." Section 5.1 says "For a CA publication point in the RPKI repository system, a CA MUST perform the following steps to generate a manifest:" Yes, I admit that it does not say that a CA MUST generate a manifest, and here is how the CA MUST do it, but I see that as a nit that could easily be clarified during editing, unless the WG feels otherwise. Section 5.2 says "A new manifest MUST be issued on or before the nextUpdate time." It also says "An authority MUST issue a new manifest in conjunction with the finalization of changes made to objects in the publication point." Both of these statements seem like pretty clear direction to each CA to create a publish manifests. Section 4.4. says "To determine whether a manifest is valid, the RP MUST perform the following checks in addition to those specified in [ID.sidr-signed-object]." This seems like pretty clear direction to an RP. Section 6 of the manifest document also says: " , in the following sections, we describe a sequence of tests that the RP SHOULD perform to determine the manifest state of the given publication point. We then discuss the risks associated with using signed objects in the publication point, given the manifest state; we also provide suitable warning text that SHOULD be placed in a user-accessible log file. It is the responsibility of the RP to weigh these risks against the risk of routing failure that could occur if valid data is rejected, and to implement a suitable local policy." So the manifest document explains what an RP SHOULD do with respect to using manifests. Later subsections note that an RP SHOULD view as "suspect" signed objects that appear at a publication point when there is no manifest available, but that does not mean that an RP ought not retrieve and process those objects. So in such cases, the file name extension is the only top-level demuxing type indicator available to an RP. The text also says that an RP can (probably ought) to use signed objects that validate but are not on a manifest, because this probably indicates an error by the maintainer of the pub point, to maintain sync between the manifest and the pub point content. As for your example: I agree that if the content of a pub point in a repository is modified to remove the manifest for that pub point (or it a MITM attacks achieves the same effect), and if one or more ROAs for more specific prefixes are removed, while leaving the encompassing ROA, then RPs may reach the wrong conclusion about the route authorization info expressed by the prefix holder. This is not an ideal situation. RPs have flexibility in dealing with this sort of situation. For example, an RP that had previously acquired all three ROAs, and a matching manifest, might choose to stick with that data, in light of the absence of a manifest for the objects retrieved this time. Manifests do two things well: if they are perfect and the pub point perfectly matches what the manifest says, an RP gets a very warm fuzzy feeling. If a manifest is perfect, and a named object is missing, or is present but the hash does not match, an RP should be suspicious, e.g., contact the CA to see what's wrong (e.g., using the GhostBusters record info). But, for most (all?) of the other cases of a mismatch between a manifest and pub point content, the manifest can't tell the RP what is wrong. Steve
- [sidr] looking at repository withholding attacks. Terry Manderson
- Re: [sidr] looking at repository withholding atta… Stephen Kent
- Re: [sidr] looking at repository withholding atta… Sandra Murphy
- Re: [sidr] looking at repository withholding atta… Terry Manderson
- Re: [sidr] looking at repository withholding atta… Randy Bush
- Re: [sidr] looking at repository withholding atta… Terry Manderson
- Re: [sidr] looking at repository withholding atta… Randy Bush
- Re: [sidr] looking at repository withholding atta… Terry Manderson
- Re: [sidr] looking at repository withholding atta… Andrew Chi
- Re: [sidr] looking at repository withholding atta… Terry Manderson