IETF Logo Mail Archive

Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-00.txt

"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Mon, 11 August 2014 13:02 UTC

Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF10F1A03C5 for <sidr@ietfa.amsl.com>; Mon, 11 Aug 2014 06:02:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.269
X-Spam-Level:
X-Spam-Status: No, score=-13.269 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYZPetX1eLr3 for <sidr@ietfa.amsl.com>; Mon, 11 Aug 2014 06:01:57 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7906F1A0176 for <sidr@ietf.org>; Mon, 11 Aug 2014 06:01:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15571; q=dns/txt; s=iport; t=1407762117; x=1408971717; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=sdBH6mahdSY0c71354lP82/xHMhcbW40B30nBp20Pgg=; b=PbLqSLHarCamRrMvZM2w4q4tig7ga45bjWgUtlM8f8TFP5mWcaI//Kmm ns2Z1lMuSFnUsd3NCMke1eVr4+b6yU+KygQzsKko+BNpHJRWk/ZU/N7AW +TuEEM3cURrMZwL+aXnQTFdRYmbsLKxmQLZqZXqn1FyshdZ2Zbn+afEVO A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjQFAOW96FOtJA2M/2dsb2JhbABbgw1SVwTMegEJh0gBgRcWd4QEAQEEAQEBaAMEBxACAQg/BycLFBECBAoEBRuIJw3BPBePA0kHgy+BHQWPBoIThCWCOYQ4gVeTJINcbAEBgQMBAR4CAgIc
X-IronPort-AV: E=Sophos;i="5.01,841,1400025600"; d="scan'208,217";a="346395986"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by rcdn-iport-1.cisco.com with ESMTP; 11 Aug 2014 13:01:56 +0000
Received: from xhc-rcd-x11.cisco.com (xhc-rcd-x11.cisco.com [173.37.183.85]) by alln-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id s7BD1u7Q002340 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 11 Aug 2014 13:01:56 GMT
Received: from xmb-rcd-x02.cisco.com ([169.254.4.73]) by xhc-rcd-x11.cisco.com ([173.37.183.85]) with mapi id 14.03.0195.001; Mon, 11 Aug 2014 08:01:56 -0500
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: "George, Wes" <wesley.george@twcable.com>
Thread-Topic: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-00.txt
Thread-Index: AQHPtWRtLqS7oCnR5UW98EhW5WcMMA==
Date: Mon, 11 Aug 2014 13:01:55 +0000
Message-ID: <D4797FBC-79D7-4478-8BBB-2CD38E2AD2D7@cisco.com>
References: <20140702012717.18291.24295.idtracker@ietfa.amsl.com> <415BB336-1A6C-48DD-BD0F-BC9EB0C3506F@ripe.net> <53CFFF3C.2040406@bbn.com> <BB01407F-A226-4531-9FDD-50E1B0A238F0@ripe.net> <53D151F0.80808@bbn.com> <C838412C-D16C-4C88-B022-85484789444A@ripe.net> <53D178A6.7060502@bbn.com> <CFF7CDF2.4AB4B%bje@apnic.net> <65886423-144A-48B5-A0EF-D35D4A4FE890@ripe.net> <CA+z-_EUXA0TWDqHV-9sFbgS2vyXiKE9EKBae6K0eihuhKTsm2A@mail.gmail.com> <53DAA101.8020305@bbn.com> <D00562F3.2A8A4%wesley.george@twcable.com> <BEF3BAD0-7180-4433-B0FB-75CD83853D82@tislabs.com> <D0065AE9.2A969%wesley.george@twcable.com>
In-Reply-To: <D0065AE9.2A969%wesley.george@twcable.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.147.19.37]
Content-Type: multipart/alternative; boundary="_000_D4797FBC79D744788BBB2CD38E2AD2D7ciscocom_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/MelwtWHEpOoO-7E2fHrDlrwdrTA
Cc: "sidr@ietf.org" <sidr@ietf.org>, Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-00.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2014 13:02:01 -0000

Hi Wes,

Thanks for your message, I think it is always great to have a fresh view when we are looking at new problems.

I have some comments inline.

Cheers!
Roque

On Aug 5, 2014, at 5:51 PM, "George, Wes" <wesley.george@twcable.com<mailto:wesley.george@twcable.com>> wrote:


On 8/4/14, 5:47 PM, "Sandra Murphy" <sandy@tislabs.com<mailto:sandy@tislabs.com>> wrote:

An invalid ROA does not necessarily mean an invalid route.

If there is no other covering ROA, then a BGP route for that prefix
becomes unknown, as Terry pointed out.

If there is another ROA which covers the same prefix, then a route may be
invalid -- if no covering ROA authorizes the ASN that the invalidated ROA
mentions.

WG] I'm once again bitten by an incomplete understanding of the way that
the PKI interacts with the routing side. Sigh. That makes more sense, but
since I have often volunteered to be "new guy who's not an RPKI expert"
thus serving as the canary in the coal mine for finding the hidden gotchas
like this, we have a very important detail here that may or may not be
properly covered in our existing documents.

I went poking through 6907, and it contains a useful definition for a
covering ROA that seems to imply that an invalid ROA could technically
still be considered a covering ROA, but for this:
"For all of the use cases in this document, it is assumed that RPKI
  objects (e.g., resource certificates, ROAs) validate in accordance
  with [RFC6487] and [RFC6480].  In other words, we assume that
  corrupted RPKI objects, if any, have been detected and eliminated."
So that text explicitly declares this case of invalid ROA and how to
handle it out of scope for the scenarios discussed.

Restating the combination of this text and your answer above, is it
accurate to say that invalid ROAs are removed before the RP ever gets to
the step where it checks to see if they are covering or matching, thus it
is impossible for an invalid ROA to invalidate a route? Is that required
by the standard, or simply an implementation convention that some or all
of the existing RP software follows?

(Roque)
The answer resides in the definitions of VRPs-Validated ROA payloads which is the information received by the BGP speakers. As its name states, the validator server only sends VRPs that correspond to valid ROAs. So, you are right that in the transition from ROAs to VRPs, the router has not knowledge that there were some signed objects (not just ROAs) that failed the validation process. This behaviour is document on RFC 6811:

"The BGP speaker loads validated objects from the cache into local

   storage.  The objects loaded have the content (IP address, prefix
   length, maximum length, origin AS number).  We refer to such a
   locally stored object as a "Validated ROA Payload" or "VRP"."

Terry's point is that as VRPs always correspond to valid ROAs, the problem under discussion will, in the worse case, take you to a "not-found" state.


I think that begs some further questions: Is there ever a case where we
*want* an invalid ROA to translate to an invalid route, or do we *always*
want to simply punt those from the system so that the routes they would
have covered are tested only against any remaining valid ROAs?

(Roque) There is the case of AS 0 (section 7.1.6<http://tools.ietf.org/html/rfc6907#section-7.1.6> in RFC6907 and also in RFC 6483 BUT  both Informational documents).

AS0 was thought as a solution to bogon prefixes or networks that are not meant to be public (military, banks, etc.)

Do we ever
see a need to treat an invalid ROA as a revoke?

(Roque) I believe the current process of allowing to take the union of valid ROAs for a given prefix is the right strategy. It is consistent with the "make before break" principle.
Some examples are:
- changing network ASes
- networks with multiple origin ASes
- ROA's EE certification roll-overs

Is the behavior any
different if the ROA was previously valid and unexpired, and suddenly
becomes invalid vs if it was previously unknown and the first ROA that
shows up is invalid?

(Roque) You only send VRPs to the routers, which correspond to valid ROAs. You notify the router of changes, including removals

I'm quite sure that diving into this will also
generate a bunch of unpleasant questions about tiebreaker behavior when
both valid and invalid ROAs match or cover prefixes, so it may be simpler
to just make it clear that this is the intended behavior, but I figured
I'd pose the questions since that's what we seem to be having a
fundamental misunderstanding about.

(Roque) VRPs are always referring to valid ROAs. There is not "matching" with invalid ROAs. The problem under discussion, IMO, is that in some specific "corner cases" where ROAs may be invalidated due to some issues up in the allocation hierarchy.


I think that there are probably still cases during a transfer where if you
get the order of operations wrong, in addition to the invalid ROA, you
will have a second valid covering ROA that might not match what's being
announced and thus a potentially invalid route.
That's probably what needs
to be enumerated in the validation-reconsidered draft as the problem with
the biggest potential impact, even if it's secondary to the main failure
mode where a bunch of routes just go to unknown status and temporarily
lose the protection that origin validation is supposed to provide.

(Roque) Agree to add to the document a "before" and "after" process for transfer as example.


Thanks
Wes George


This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
_______________________________________________
sidr mailing list
sidr@ietf.org<mailto:sidr@ietf.org>
https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email