IETF Logo Mail Archive

Re: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11

Tim Bruijnzeels <tim@ripe.net> Thu, 30 April 2015 09:43 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D43EF1ACD8B; Thu, 30 Apr 2015 02:43:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YIzt6cmYK2nw; Thu, 30 Apr 2015 02:43:05 -0700 (PDT)
Received: from koko.ripe.net (koko.ripe.net [IPv6:2001:67c:2e8:11::c100:1348]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DC5A1A90B0; Thu, 30 Apr 2015 02:43:05 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by koko.ripe.net with esmtps (UNKNOWN:AES256-GCM-SHA384:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1Ynkzm-0004Cb-4X; Thu, 30 Apr 2015 11:43:03 +0200
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=[IPv6:2001:67c:2e8:5009::151]) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1Ynkzl-0005bH-Vp; Thu, 30 Apr 2015 11:43:02 +0200
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: text/plain; charset="us-ascii"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <m2d22mfrqp.wl%randy@psg.com>
Date: Thu, 30 Apr 2015 11:43:01 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <8271CC14-248D-4F65-852E-6436E8DBC935@ripe.net>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <91148102-DADB-42E8-96A0-E89120642894@tislabs.com> <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com> <EF4348D391D0334996EE9681630C83F02D173BEB@xmb-rcd-x02.cisco.com> <B1EDF7B6-1E42-440E-BD3F-29723AD7E4A4@muada.com> <986c7f50a5300c46ad05afb643be3a1d@mail.mandelberg.org> <4C80F9CE-06F9-4FB7-852B-BF1B205738FC@muada.com> <CY1PR09MB079302CC52C7791F3C0C512984D70@CY1PR09MB0793.namprd09.prod.outlook.com> <CF9FE7BA-C934-401C-B2F4-0CE4AF062ECC@muada.com> <CY1PR09MB079352552ED82496B5A4513D84D70@CY1PR09MB0793.namprd09.prod.outlook.com> <m2d22mfrqp.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.2098)
X-RIPE-Spam-Level: --
X-RIPE-Spam-Report: Spam Total Points: -2.9 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719a20cc706ea76f97e44c3a294f72fb301
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/TmZE-3DkmZ2qMhkjwcZZhrljWXU>
Cc: "sidr@ietf.org" <sidr@ietf.org>, "idr@ietf.org" <idr@ietf.org>, Iljitsch van Beijnum <iljitsch@muada.com>, "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, David Mandelberg <david@mandelberg.org>
Subject: Re: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2015 09:43:09 -0000

Hi,

> On 30 Apr 2015, at 01:18, Randy Bush <randy@psg.com> wrote:
> 
>> First:
>> There should be operational BCP recommendation based on the principle of make-before-break
>> ( in doc like https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-ops-05 ):
>> 1. Certificate should be renewed and pre-published in advance of expiry of the current certificate; 
>> There should be overlapping validity period bridging the two (current and new certs).
>> (See https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-rollover-03  and
>> https://www.ietf.org/proceedings/92/slides/slides-92-sidr-5.pdf  ) 
>> 2. The update for the prefix should be re-originated (by origin AS) or re-propagated (by a transit AS).
>> Basically, whoever got a new certificate should do this refresh within the above overlap period. 
>> 
>> The above two BCP steps, if followed, will help prevent "couldn't validate because of certificate lifetime".
>> 
>> Second:
>> The operational BCP can also say:
>> Allow a certain grace period before you act on the update that became 'Not Valid' due to cert expiry.
>> (Earlier Sandy also mentioned this.)  
>> 
>> Your other scenario "validation failed because of a bad signature or bad certificate chain" is fine. 
>> In this scenario, the update is labeled 'Not Valid' for good reason.
> 
> 
> From: Randy Bush <randy@psg.com>
> Subject: Re: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11
> To: Roque Gagliano <rogaglia@cisco.com>
> Cc: idr wg <idr@ietf.org>, sidr wg <sidr@ietf.org>
> Date: Wed, 29 Apr 2015 12:07:02 +0900
> 
> ca software should warn the user of upcoming expiration of certs, ee
> certs, roas, crls, drivers' licenses, ...
> 
> but what is the user gonna do?  they're gonna renew.  so maybe renew
> automagically and tell the user?

For the record in the RIPE NCC software we automagically re-issue CA certificates to members 6 months before they expire (and log errors in case of problems, so we have time to respond). Our system currently only supports non-hosted setups where a member runs their own remote CA in our pilot environment, but there too we pro-actively re-issue.. we don't tell the CA because in the provisioning protocol model the child CA can contact us, but we can't contact them. We do tell them about the new certificate when the CA queries, as they do regularly. We believe that this is safe to do. The new certificate is equivalent in every way to the last requested and issued certificate except that the validity time is longer, so we don't see any scenario where the child would not agree to this - i.e. we can be pro-active.

For hosted member CAs we also re-issue ROAs 6 months before the expire, and we re-issue MFTs 16 hours before their 'next update time' and 6 days and 16 hours before their EE certificate expiration.


> 
> randy
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr

v2.23.0 | Report a Bug | By Email