[sidr] draft-huston-sidr-validity-00
Stephen Kent <kent@bbn.com> Fri, 30 October 2015 20:24 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6AD31B3BBC for <sidr@ietfa.amsl.com>; Fri, 30 Oct 2015 13:24:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.81
X-Spam-Level:
X-Spam-Status: No, score=-2.81 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SpHNfIJe34Pe for <sidr@ietfa.amsl.com>; Fri, 30 Oct 2015 13:24:38 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B73C41B30E3 for <sidr@ietf.org>; Fri, 30 Oct 2015 13:24:37 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:43641 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1ZsGE0-000B7R-72 for sidr@ietf.org; Fri, 30 Oct 2015 16:24:36 -0400
To: sidr <sidr@ietf.org>
From: Stephen Kent <kent@bbn.com>
Message-ID: <5633D203.1010803@bbn.com>
Date: Fri, 30 Oct 2015 16:24:35 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------080408000705040703010004"
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/Ovg7oAygJdCaKQ2_oYtNwjGNF6U>
Subject: [sidr] draft-huston-sidr-validity-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2015 20:24:41 -0000
Geoff, I have a major concern about the proposed change to the RPKI certificate validation algorithm as described in draft-huston-sidr-validity-00, and some detailed technical comments on that draft. The major concern is that the proposed mechanism, even if modified to address the problems I note below, seems to focus only on a few sub-types of modification or injection actions targeting ROAs, CA certificates, or router certificates. That’s a total of at most 6 adverse actions out of the 36 that Di Ma and I describe in draft-kent-sidr-adverse-actions-01. I believe the WG should be pursuing mechanisms that address a much larger set of the actions identified in that I-D. I welcome your feedback on that draft; let us know if we’re missing some actions or if you disagree with the characterization of the impact of any of the actions. With regard to the current draft, I agree with Sam and several other folks who noted that draft-huston-sidr-validity-00 lacks an clear background discussion. If there were detailed (but generic) examples of the problems being addressed, a reader would be better able to understand the motivations for the proposed change. A reader would be able to evaluate whether he/she believes the change addresses the problems. I suggest using the terms introduced in draft-kent-sidr-adverse-actions-01 when discussing the problems. The discussion of the proposed validation algorithm can be shortened considerably, and made clearer at the same time. Specifically, since the only change to the validation procedure from 6487 appears to be step 6, it would seem preferable to state that, and describe the new step 6 (rather than reproducing all of the text from Section 7.2 of 6487 with this one change). The text in step 6 isn't clear to me. It refers to a “resource set” but that phrase is not defined in this document. Looking at 6487, the phrase appears twice, in Sections 4.8.10 and 4.8.11. In those sections it is referring to the set of resources acquired from a parent when the inherit bit is set. If the intent is to use this phrase to refer to the set of resources extracted from an RPKI certificate, irrespective of whether the inherit bit is set, the I-D should say so. The security considerations section says “… the validation path encompass the resources that are included in the validation query.” One might read this and infer that a set of INRs is an input to the validation algorithm. But 6487 does not say INRs are a separate input to validation. A certificate to be validated is an input to this algorithm, and I assume that was what is implied in step 6, and in the text quoted above. If my assumption is correct, this should be stated clearly in both places. Thinking about this in more detail, I fear that the results from the modified algorithm will not yield what you seem to want, at least not in all cases. If one validates only router certificates and EE certificates for (non-PKI) signed objects, e.g., for ROAs or Manifests, then the outcome will yield what I think you want. However, when validating a CA certificate that “over claims” the certificate will be considered invalid by the revised step 6, just as with the current validation algorithm. (The over claiming could result from some types of CA errors or attacks, or during a resource transfer.) RP software may validate each CA certificate that it initially acquires, before fetching subordinate signed products. This is a reasonable strategy to avoid DoS attacks based on returning bogus certificates to an RP. Also, when a cached CA certificate is discovered to have changed, an RP probably will validate it before adding the certificate to the cache. In these cases, the revised step 6 will treat this certificate as invalid, if it contains resources not present in all parent certificates. Thus all certificates and signed products below it will become invalid. So, I don’t believe the change to step 6, as described in your I-D, and as interpreted above, will accommodate the motivations described in the I-D that you plan to replace with this one. If I have misunderstood the proposed change to step 6, or the set of problems that it is intended to address, please let me know. Steve
- [sidr] draft-huston-sidr-validity-00 Stephen Kent
- Re: [sidr] draft-huston-sidr-validity-00 Geoff Huston