Re: [sidr] LTAM Discussion and questions

Christopher Morrow <christopher.morrow@gmail.com> Fri, 23 August 2013 22:06 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0F6311E8127 for <sidr@ietfa.amsl.com>; Fri, 23 Aug 2013 15:06:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MdLtxjnndE+0 for <sidr@ietfa.amsl.com>; Fri, 23 Aug 2013 15:06:05 -0700 (PDT)
Received: from mail-la0-x22e.google.com (mail-la0-x22e.google.com [IPv6:2a00:1450:4010:c03::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 828E811E8124 for <sidr@ietf.org>; Fri, 23 Aug 2013 15:06:04 -0700 (PDT)
Received: by mail-la0-f46.google.com with SMTP id eh20so918594lab.33 for <sidr@ietf.org>; Fri, 23 Aug 2013 15:06:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=NtbH6Grt7HTZfbG00nZ39j0xqR8q9w7V8W6Exsph0TE=; b=m162WWc1yglcrn0d7xEijDB9ndqSZpU17L1L9HxDocer73IAOMLB7eAI7BVAvpqYmO tNNF+5IDJi0yMMQELzQnqkgQIghWCVQu3Kg5jeDk5UAgZ8N93vJuxXgQNbuqihhsto4f VaDIa7x9kAn+ywPAlyhf+zyQXR2Zsc48g4HNw7ONIqkXeuMOJ0XZF37veszA1IdsdvSY EQJlaB9YbJYxgl1xwqX2i2pZ/PqUSdH1EQ06wIvtOR9p0wan06V9c8o2RJapaYYFhmaH 8nqzvE6TWodIw29Yk/18sh/izyUI9yBovBR1SGacaNEYplVdt9AT+8OAxQOlj1HfOa52 s96Q==
MIME-Version: 1.0
X-Received: by 10.152.116.7 with SMTP id js7mr1245526lab.11.1377295561224; Fri, 23 Aug 2013 15:06:01 -0700 (PDT)
Received: by 10.152.6.3 with HTTP; Fri, 23 Aug 2013 15:06:01 -0700 (PDT)
In-Reply-To: <520D4A3B.2010006@bbn.com>
References: <CAL9jLabdbzWs3UHdVOYksQU+vy2WBOEwf9Y4qz2Y=nWxrBEE_w@mail.gmail.com> <52B306E0-3C7B-4283-B683-F6EAD8BA4189@apnic.net> <CAL9jLabkdppnZk8pL95fdufzMJB6q_40On07xxWVqrx9rApucQ@mail.gmail.com> <520D4A3B.2010006@bbn.com>
Date: Fri, 23 Aug 2013 18:06:01 -0400
Message-ID: <CAL9jLaZzXj9_d2BbF7Zr6dtwtHk1cH7zxeHY80KcxN5w9MPYFg@mail.gmail.com>
From: Christopher Morrow <christopher.morrow@gmail.com>
To: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] LTAM Discussion and questions
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 22:06:06 -0000

On Thu, Aug 15, 2013 at 5:38 PM, Stephen Kent <kent@bbn.com> wrote:
>
> Chris,
>
>
> I agree with several of the folks who commented about the LTAMv2
> presentation and your call for comments.
>
> We need to provide an updated description of the problems we are trying to
> address, and details of how we propose to address these problems. The slide
> presentation at the meeting was intended to provide a preview, but it is not
> a substitute for detailed text.
>

ok... there seem to be several calls for 'please document what you mean to say'.

> So, let's begin the revised problem discussion, starting with text from the
> most recent version of the LTAM doc (v8). BTW, this text has not changed
> since the 00 version, dated November, 2010.
>
> The abstract from the I-D(s) says:
>
>    The primary motivation for the facility described in this
>
>    document is to enable an RP to ensure that INR information
>
>    that it has acquired via some trusted channel is not
>
>    overridden by the information acquired from the RPKI
>
>    repository system or by the putative TAs that the RP imports.
>
> This is still the primary motivation for LTAMv2, but I think it’s worth
> expanding on the rationale behind this mechanistic description of the
> motivation. The concerns we are addressing are twofold:
>
> -   Local use of private (RFC 1918) address space in conjunction with RPKI
> validation mechanisms
>
> -   Ways to recover from errors, or malicious actions, by CAs in the RPKI
> hierarchy
>
>
>
> In SIDR WG presentations we discussed the first rationale extensively. The
> second concern was discussed more extensively in RIR meetings, where the
> specter of law enforcement orders issued to RIRs was cited as a significant
> concern by some folks.
>
>
>
> As I mentioned in my presentation two weeks ago, we noticed that the
> mechanism that we documented was probably fine for dealing with allocations
> performed at the IANA and RIR tiers of the RPKI. So, for example, if an RP
> wants to employ RFC 1918 private address space with RPKI controls, the local
> TA mechanism, which makes use of “re-parenting” and “hole punching” would
> work. However, if we use these mechanism to "protect" address space for
> ISP-1, who received an allocation from ISP-2 (vs. from an RIR), problems
> could arise. Specifically, ROAs issued by ISP-2 could be rejected by an RP
> using LTAM, due to hole-punching. This was an unintended side-effect of the
> mechanism, one we would like to avoid.
>

this gets to some of the problem(s) that danny (and I think terry)
were concerned with... across administrative domains this all becomes
very dicey :( (or at least very undefined)

> The abstract also says:
>
>    This mechanism is designed for local use by an RP,
>    but any entity that is accorded administrative control over a
>
>    set of RPs may use this mechanism to convey its view of the
>
>    RPKI to RPs within its jurisdiction. The means by which this
>
>    latter use case is effected is outside the scope of this
>
>    document.
>
>
>
> The lack of a description of how to securely distribute the LTAM constraints
> file was viewed by some folks as a shortcoming. Moreover, we were approached
> by an NIR that wanted to extend the capability noted above. Their desire was
> to be able to publish resource allocation data for folks in their country,
> for consumption both internally and externally, in a way that would be
> immune to errors or malicious actions by actors within the RPKI hierarchy
> (but outside of their country). (This data needed to be valid as per the
> RPKI hierarchy, prior to any errors or malicious actions, to limit the
> ability of a country to make assertions about address space that was not
> allocated to entities within the country.)  No RPs outside of the country
> would have to pay attention to this data, but they could make use of it if
> they wished (if there were standards for how to make it available in a
> secure fashion). While an NIR raised this issue, the concern is generally
> applicable, irrespective of the presence of NIRs within a region.
>

sounds like 'crazy talk' (technical term), but sure.

>
> We revisited the LTAM design to see if we could address the cited
> motivation(s) via a mechanism that would not have the problem we noted
> above, and if we could also address the concerns raised by the NIR.  We also
> received some comments on the document noting that the mechanisms seemed
> complex, even after we revised the text to try to better explain what was
> happening. So, a simpler design was also a goal. Finally, we wanted to make
> the design a bit more flexible, to accommodate other objects that might be
> added to the RPKI system in the future.

ok... so at the end of the day you are going to spin a draft to talk
about this in more detail, or that's what it sounds like you're
planning on doing :) If there were a draft out in the next say 4 weeks
we could have a better discussion about this on-list and then a longer
(and probably more fun) talk at the next meeting in Vancouver? Is 4wks
doable for this?

-chris