IETF Logo Mail Archive

Re: [sidr] Questions about draft-huston-rpki-validation-01

Tim Bruijnzeels <tim@ripe.net> Thu, 17 April 2014 15:35 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CD2A1A01DE for <sidr@ietfa.amsl.com>; Thu, 17 Apr 2014 08:35:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.528
X-Spam-Level:
X-Spam-Status: No, score=0.528 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.272] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9UAjq1sy3Gvl for <sidr@ietfa.amsl.com>; Thu, 17 Apr 2014 08:35:29 -0700 (PDT)
Received: from kaka.ripe.net (kaka.ripe.net [IPv6:2001:67c:2e8:11::c100:1347]) by ietfa.amsl.com (Postfix) with ESMTP id 0D13F1A01C0 for <sidr@ietf.org>; Thu, 17 Apr 2014 08:35:29 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by kaka.ripe.net with esmtps (UNKNOWN:AES256-GCM-SHA384:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1WaoLT-000649-1x; Thu, 17 Apr 2014 17:35:25 +0200
Received: from s258-sslvpn-1.ripe.net ([193.0.20.231] helo=vpn-110.ripe.net) by nene.ripe.net with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1WaoLS-0005pS-SY; Thu, 17 Apr 2014 17:35:22 +0200
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
Content-Type: text/plain; charset="us-ascii"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <a7b10fad36e94680a2851d2c8a2bc692@BLUPR09MB053.namprd09.prod.outlook.com>
Date: Thu, 17 Apr 2014 17:35:29 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <FB4FB863-1AE0-41DB-97B1-FB022150D29E@ripe.net>
References: <aa922cfa32d64b01ad85a472faa9356b@BLUPR09MB053.namprd09.prod.outlook.com> <F69C5324-C865-46FB-9B49-940B47F29ADD@apnic.net> <519729f8a8c549ec98496c22fc6025a6@BLUPR09MB053.namprd09.prod.outlook.com>, <452C0EF8-8A6C-4E75-B7B3-DDF4FFD87691@apnic.net> <375b352964154d2eab003662a377c688@BLUPR09MB053.namprd09.prod.outlook.com>, <88BC9DDD-0F93-4041-A0DD-527DB61CD7D5@apnic.net> <edb249d3311944af920e850d6c65e8b9@BLUPR09MB053.namprd09.prod.outlook.com> <6F99EFB3-6813-4D40-9AEA-B1A8557F06EA@apnic.net> <a7b10fad36e94680a2851d2c8a2bc692@BLUPR09MB053.namprd09.prod.outlook.com>
To: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
X-Mailer: Apple Mail (2.1510)
X-RIPE-Spam-Level: ---
X-RIPE-Spam-Report: Spam Total Points: -3.6 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07197e3c99fee0dee5764e531ddfe035fd19
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/JlzQeOl8sP2FJBjdkfbZy65LXso
Cc: George Michaelson <ggm@apnic.net>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Questions about draft-huston-rpki-validation-01
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2014 15:35:33 -0000

Hi,

Sorry for the late reply, I have been very busy with other work.

On Mar 18, 2014, at 9:09 PM, "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> wrote:

>>> 
>>> That is good. But what I meant was (in your I-D under discussion) does
>>> the alternate validation algorithm for a ROA need slightly different
>>> wording (as compared to that for certificates)?
>> 
>> I think not.  RFC6482 did not define how the EE certificate is to be validated.
>> It simply states that the IP addresses listed in the ROA must also be found in the
>> resource extensions of the signing EE cert. This still holds.
>> 
>> i.e. no change is required there.
>> 
> 
> I think you are saying that a ROA is "valid" for all prefixes listed in it, if the signing EE cert is 
> "valid" for each of those prefixes (in accordance with the alternate validation method).
> I.e., there is no such thing as 'the ROA is (partially) valid for some of the listed prefixes'.
> Does not harm to include some statement this effect in your I-D.

I agree with the original observation made by Geoff and George about brittleness wrt ROA validation and resources in the chain that are irrelevant.

If I could paraphrase the method B how I see it from a top-down perspective, using a modified example where 'Certificate 2' has a mixup of an AS resource:
Certificate 1: {10.0.0.0/12, AS64501, AS64505, AS64509}  (TA certificate)
Certificate 2: {10.0.0.0/22, AS64501, AS64505, AS64511}
Certificate 3: {10.0.0.0/20, AS64501, AS64509}

Currently we reject certificate 2 and everything under it.. 

But, the way I see it in the RPKI world is that these CA certificates just tie a bunch of resources to a key pair. They don't actually try to make any other authoritative statements over these resources. So in other words I would be perfectly happy to take change the semantics and *warn* about any over-claiming resources, and accept only the *union* of resources between a certificate and its parent. In this case that would result in:

Certificate 1: {10.0.0.0/12, AS64501, AS64505, AS64509}  (TA certificate)
Certificate 2: {10.0.0.0/22, AS64501, AS64505}  (discard: AS64511)
Certificate 3: {10.0.0.0/20, AS64501} (discard: AS64509)

In the RPKI the more meaningful statements about resources are all done with EE certificates. Signed objects like ROAs and Ghostbusters have a corresponding EE certificate, and BGPSec certificates are also EE certificates. These are the things that actually make the interesting statements like "valid holder of resource X proclaims that.. etc".

So, summarising I think the simplest approach here could be just accept the union of resources for CA certificates, but insist that EE certificates are not over-claiming.

So this would then be perfectly valid:
EE Certificate: {10.0.0.0/20} 
For ROA: listing prefix 10.0.0.0/20 only

Others can speak for themselves (Rob?, David?), but my impression was that they were actually also open to this general idea although it needs maturing. (as opposed to the joins below)

> We discussed the possibility of ROA over-claiming earlier. 
> The above is not accommodative of that. And I think that is also OK for now.
> We can revisit if robustness to ROA over-claiming is something 
> that interests anyone else on this list.

We are currently fate sharing authorisations for different prefixes and the same ASN on ROAs. We have an average of about 3 prefixes per ROA, so this allows us to reduce the number of ROAs we publish to about 1/3rd of what we would need otherwise.

There is a lot of complexity and controversy in partially accepting ROAs, or even having splits and joins and accepting part here, part there, or (more complicated) having to join validation paths. It becomes difficult to troubleshoot issues and report meaningfully about errors. I see some possibilities here, but I am not convinced. I think it would mainly save in the number of certificates and objects needed, but in the end this is all handled by tools. I don't think they (should) care too much about these numbers (a factor of 3 or something) relative to the other costs.

So all in all, I think we're probably better off keeping things simpler and in our case create more ROAs: i.e. one for each prefix.

Tim




> Thanks.
> Sriram  
> 
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email