[sidr] comments on validation reconsidered -03
Stephen Kent <kent@bbn.com> Fri, 08 April 2016 15:16 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75F4012D1A2 for <sidr@ietfa.amsl.com>; Fri, 8 Apr 2016 08:16:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.811
X-Spam-Level:
X-Spam-Status: No, score=-1.811 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MANY_SPAN_IN_TEXT=2.399, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GhkKrQ5xJV0g for <sidr@ietfa.amsl.com>; Fri, 8 Apr 2016 08:15:59 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4C5F12D94B for <sidr@ietf.org>; Fri, 8 Apr 2016 08:15:52 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:43874 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1aoY8U-0000FT-Rx for sidr@ietf.org; Fri, 08 Apr 2016 11:15:51 -0400
To: sidr <sidr@ietf.org>
From: Stephen Kent <kent@bbn.com>
Message-ID: <5707CB26.5060706@bbn.com>
Date: Fri, 08 Apr 2016 11:15:50 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------010408080306000907070407"
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/TgifO0umkBIzVuRJtcmq-H4ldIE>
Subject: [sidr] comments on validation reconsidered -03
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2016 15:16:05 -0000
First, let me say this this version of the document is much improved relative to previous versions. I do have a few observations about this version, and some suggested changes. Abstract: There are 2 typos, and I think you want to assert that the revisions don’t undermine security, right? This document proposes an alternative to the certificate validation procedure specified in RFC 6487 that reduces aspects of operational fragility in the management of certificates in the RPKI, while retaining essential security features. Also, presumably, this is not really "an alternative" but a proposal to UPDATE 6487 so that all RPs use the new pat validation algorithm, right? Section 2: The final sentence here says: The roa "ROA1" is also considered valid here in this regard - the prefix is encompassed by the embedded EE certificate. The example ROA is valid, but the final check on ROA validation is specified in RFC 6482, not in 6488. Thus the text might say: The ROA “ROA1” is valid because the specified prefix is encompassed by the embedded EE certificate, as required by RFC 6487. Similar wording shouldbe used when discussing the validity of ROAs in other examples throughout the document. Section 3: The motivation cited here “resource allocations can change in the RPKI” is so terse as to be not very persuasive. Previous versions of the draft mentioned resource transfers, for example. We have no standard for how to perform a transfer, however one could state that the proposed changewould reduce the constraints imposed on the order in which the CAs involved in a transfer re-issue certificates. Also, if you believe that the proposed change will help minimize the impact of some types of operational errors, then that too could be said. For example: The allocations recorded in the RPKI change as a result of resource transfers and some types of operational errors. For example, the CAs involved in transfer might choose to modify CA certificates in an order that causes some of these certificates to “over-claim” temporarily. Some types of operational errors that may occur during management of RPKI databases also may create CA certificates that, temporarily, no longer encompass all of the resources in subordinate certificates. The proposed changes (Section 4) to the validation procedure in [RFC6487] are intended to avoid causing CA certificates to be treated as invalid during transfers and as the result of some types of operational errors. However, these changes are designed to not degrade the security offered by the RPKI. Specifically, no ROAs or router certificates will be treated as valid if they contain resources that are not encompassed by all superior certificates along a path to a trust anchor. If you believe this text matches your intent, I think it provides a better rationale for making the proposed changes. The text at the top of page 4 says: It should be noted that CA2 is not claiming any resources on ROA1 that it cannot receive on a new Certificate 3. I expected you to say that the EE certificate in ROA1 does not make use of any of the address resources that were removed from CA1’s certificate, and thus it would be desirable if ROA1 could still be viewed as valid. This motivates the goal of the proposedchanges, i.e., to avoid having a ROA become “collateral damage” due to over-claiming by a superior CA certificate. Saying that a new Cert3 can be issued to fix this problem is true, but fails to focus on the goal of minimizing the impact of an operational error of this sort. The paragraph that discusses how one might modify the text in 6492 to avoid over-claiming by subordinate CAs, when resources are removed from a CA certificate is problematic. Nothing prevents a CA from unilaterally re-issuing a certificate to subordinate CAs with reduced resource sets, when the CA itself requests (or is given) a certificate with a reduced resource set. The next paragraph seems to say that, indirectly, but it’s confusing (at least to me). The final paragraph of this section introduces the notion that the reason for the reduction in scope of CA1’s certificate is a dispute between the TA and that CA. This is pretty late in the section to suggest that this is why the CA certificate was reissued with reduced resources. And it doesn’t align with the rationale you provided or that I suggested above. I suggest these paragraphs need to be revised. Section 4: I don’t feel the revised text here is precise enough to provide clear guidance to implementers. RFC 6487 does not mention the term intersection in discussing path validation, so introducing that term in one sentence seems too terse. The text I provided a few months ago provided a more thorough discussion of the revised algorithm. For example, it noted the need to maintain two sets of resource data as part of the algorithm (one for addresses and one for ASNs), something not specified here. Also, the paragraph describing how to interpret the inherit flag is true, but I think it belongs as the beginning of the description of the revised procedure, with the introduction of the two working resource sets. In the current description its location of the two paragraphs below is very confusing. For any of the resource extensions that use the "inherit" element as described in sections 2.2.3.5 and 3.2.3.3 of [RFC3779], the corresponding resources of this type should be taken from the parent certificate, where this issuer is the subject. For any other resources the intersection of the quoted resources on this certificate and the parent certificate is kept.If any resources were found on this certificate that were not present on the parent certificate a warning SHOULD be issued to help operators rectify this situation. The second paragraph exempts the resources specified by an inherit flag from the intersection operation. Do you really want that to happen? Also, the term “quoted” isn’t well-defined in this context. Do you mean the resources specified in the certificate? The last sentence/paragraph in the revised path validation description says: If the the [sic] set of verified resources obtained this way is empty, then the certificate MUST be considered invalid. It’s unclear frothis statement whether a certificate is invalid if either the address or ASN extensions yield an empty intersection, or only if both intersections are empty, or what. This is another example of why I think the proposed path validation algorithm needs to include additional details. Overall, I think you need to expand the description of the validationalgorithmrevisions. The revised text should establish the fact that there are two working sets and say that these sets are to be used in lieu of the 3779 extensions in a certificate (after performing the intersection operation). If you don’t want to also revise RFC 6482, thenyou need to state that the working set is to be used in lieu of the 3779 extensions when performing further validation operations, and cite 6482 as an example. Section 5: It’s nice to begin with a note stating that the concerns that motivate the proposed revision to 6487 have not yet surfaced. However, referring to over-claiming as an “inconsistency” seems needless indirect. You refer to over-claiming as the problem throughout the document, so why not here? The next paragraph again refers to the over-claimed resources as being “under dispute.” I think this is too narrow a characterization of the circumstance that might result in a over-claiming certificate being issued. Please revise this sentence to better characterize the range of situations that might result in over-claiming, or provide a back pointer to a section of the document where that topic is discussed. I find the opening sentence of the last paragraph here to be a bit confusing: It should be noted that although this is a problem with a low probability today this is largely due to the fact that most current RPKI systems use their own Trust Anchor and do not support any large number of delegated CAs. … By “RPKI systems” do you the RIRs as high-tier CAs? Relying parties select Trust Anchors, so this sentence is not quite consistent with usual PKI terminology. How about this phrasing: Although the concerns that motivates this revision to RPKI path validation has not yet been observed in practice, this may be largely due to the fact that most of the certificates have been issued directly by the RIRs. Each RIR operates its own Trust Anchor (or set of Trust Anchors) and there are few (non-RIR) CAs that have established subordinate CAs with distinct resource holdings. When more CAs receive certificates from non-RIR parents, and when more transfers of resources involve more than three CAs (source, target, and common ancestor), the authors anticipate that these concerns will become more commonplace.
- [sidr] comments on validation reconsidered -03 Stephen Kent
- Re: [sidr] comments on validation reconsidered -03 Tim Bruijnzeels