Re: [sidr] come on people Re: The question about https certificates and frequency of mft/crl re-issuance

Tim Bruijnzeels <tim@ripe.net> Sat, 25 June 2016 11:35 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AF7D12D743 for <sidr@ietfa.amsl.com>; Sat, 25 Jun 2016 04:35:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.326
X-Spam-Level:
X-Spam-Status: No, score=-8.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oUhpu7Yv6CdY for <sidr@ietfa.amsl.com>; Sat, 25 Jun 2016 04:35:15 -0700 (PDT)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FADA12D09B for <sidr@ietf.org>; Sat, 25 Jun 2016 04:35:14 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by molamola.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bGlrg-000295-HT; Sat, 25 Jun 2016 13:35:10 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-173.ripe.net) by nene.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bGlrg-0002VB-Be; Sat, 25 Jun 2016 13:35:08 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <m2mvm9vi3b.wl%randy@psg.com>
Date: Sat, 25 Jun 2016 13:35:07 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <55B266B3-4D9D-4675-9952-24614CAD83AF@ripe.net>
References: <1CD27ACC-F5D2-4F11-8DD5-2B1F42544406@ripe.net> <6B1254FF-8A81-4923-BBE6-12536C6001C9@tislabs.com> <64FD7445-B2DD-4780-AD85-401104D12A82@tislabs.com> <m2mvm9vi3b.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: --------
X-RIPE-Spam-Report: Spam Total Points: -8.1 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.4 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.5000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07196446a674f9d76cfbd1993928e978e413
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Q4l2V-X2qWAqO9U4KsmjMwjMi8w>
Cc: sidr <sidr@ietf.org>, Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] come on people Re: The question about https certificates and frequency of mft/crl re-issuance
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jun 2016 11:35:17 -0000

Hi,

> On 25 Jun 2016, at 09:32, Randy Bush <randy@psg.com> wrote:
> 
>> Look, if no one can summon the energy to respond, Tim has no way to
>> decide on a change.
> 
> i believe that rob laid this out clearly many months ago.  and no, i
> will not look it up for folk; the epicycles have become too painful.

I remember the comments, and I have been in contact with Rob and the other RRDP authors about this. I think we can move forward.

It is useful to separate the issues regarding 1) https certificate verification, and 2) mft/crl re-issuance.

On 1) .. 

In short, we seem to converge on using HTTPS certificate validation to alert about possible problems, but since RPKI objects are signed and can be validated even if the source is untrusted, let's always try to get the latest regardless. We are still working on the text, but the gist of what we would like to put in a -05 doc before the cut-off date:

4.  HTTPS considerations

  It is RECOMMENDED that Relying Parties and Publication Servers follow
  the Best Current Practices outlined in [RFC7525] on the use of HTTP
  over TLS (https).

  Note that a Man-in-the-Middle (MITM) cannot produce validly signed
  RPKI data, but they can perform withhold or replay attacks targeting
  an RP, and keep the RP from learning about changes in the RPKI.
  Because of this RPs SHOULD do TLS certificate and host name
  validation when they fetch from an RRDP Publication Server

  However, such validation issues are often due to configuration
  errors, or a lack of a common TLS trust anchor.  In these cases it
  would be better that the RP retrieves the signed RPKI data
  regardless, and performs validation on it.

  Therefore RPs SHOULD log any TLS certificate or host name validation
  issues they find, so that an operator can investigate the cause.  But
  the RP SHOULD continue to retrieve the data.  The RP MAY choose to
  log this issue only when fetching the notification update file, but
  not when it subsequently fetches snapshot or delta files from the
  same host.  Furthermore the RP MAY provide a way for operators to
  accept untrusted connections for a given host, after the cause has
  been identified.


On 2) CRL/MFT re-issuance

First of all. TL;DR on the below: There are operational considerations that I am happy to share with the group, but if they need to be documented it's not in the RRDP document.

I brought it up because there is some mention of using nextUpdate in CRLs and MFTs as a protection against replays, and I believe the above (under 1) provides a better way to detect this. The 24 hours that is now frequently used is probably way too long anyway to be useful w.r.t. MITM. So I don't think that changing it to 7 days, or even 1 month makes much difference in this regard.

The discussion that we may want to have is whether nextUpdate should be used as an indication of when to fetch data again. This keeps coming up. Steve Kent also suggested having a long default nextUpdate time, and a shorter one when we know that there are changes.

Problem is that the common case for change is unpredictable: a change in routing requires ROAs or BGPSec certificates to be re-issued, and there is a desire that RPs learn about this fast. There was a lot of discussion a few years ago about how fast.. especially Danny McPherson was vocal on this. There is no clear indication of what is fast enough though. My impression is that if changes in RPKI can propagate to RPs (and connected routers) in 10-30 minutes we are in a good spot.

Both rcynic and the RIPE NCC RPKI Validator* will re-fetch at regular intervals regardless of the nextUpdate time. With RRDP I believe we have the scaling to support refetching every 5-10 mins by any RP that wants it. But if we do, we need to lower the churn resulting from MFT/CRL updates.

So, I believe that it's safe to lower the nextUpdate frequency to something in the order of a week, or even a month. Chris Morrow brought up a concern about keeping the cogs in the machine well greased. I hear you, but in our case we have over 3000 hosted CAs, if we re-issue MFTs/CRLs every month we still smear the cogs with a 100 CAs every day.

Finally I also had another thought how we can lower the signal-to-noise ratio of MFT/CRLs vs ROAs in our operations. Currently we re-issue CRLs/MFTs for our 3000+ CAs every X hours, or whenever there is a change in ROAs (no BGPSec yet). We optimised to spread the load on our CPU and HSM. But if we want to optimise for RPs fetching instead, we can change our implementation to do the background CRLs/MFTs updates in large batches (say once per X days), and only do the ROA related updates as soon as they happen. This would allow RPs to aggressively do a cheap fetch for our update notification file every X minutes, and they would only find that they need to do an expensive when there are important changes - and okay once per X days because of the nextUpdates are re-newed.

Anyway, I believe that all of the above is in the space of local operational considerations. There may be merit in discussing, and we may find there is merit in documenting as Informational or BCP, but in my opinion not in the current RRDP document.


Cheers
Tim





*: off-topic.. yes, we need a cool name, ideas welcome ;)




> 
> randy
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr