Re: [sidr] Origin Ops, TALs and Local TAs

Stephen Kent <kent@bbn.com> Wed, 16 November 2011 07:51 UTC

Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFF5611E8138 for <sidr@ietfa.amsl.com>; Tue, 15 Nov 2011 23:51:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.532
X-Spam-Level:
X-Spam-Status: No, score=-106.532 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s9Pdk2OKYKKK for <sidr@ietfa.amsl.com>; Tue, 15 Nov 2011 23:50:59 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id ABDD411E80F9 for <sidr@ietf.org>; Tue, 15 Nov 2011 23:50:59 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15]:58531 helo=[130.129.18.170]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1RQaGn-000AwU-KU; Wed, 16 Nov 2011 02:50:58 -0500
Mime-Version: 1.0
Message-Id: <p06240801cae79ccfa546@[172.20.1.65]>
In-Reply-To: <80D9C12A-354E-4A90-8E97-946519E499D0@tcb.net>
References: <80D9C12A-354E-4A90-8E97-946519E499D0@tcb.net>
Date: Wed, 16 Nov 2011 02:50:53 -0500
To: Danny McPherson <danny@tcb.net>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: sidr@ietf.org
Subject: Re: [sidr] Origin Ops, TALs and Local TAs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Nov 2011 07:51:00 -0000

Danny,

>Rob/Steve, et al.,
>Relative to the SIDR Origin Ops draft and local trust anchor (LTA)
>configuration, I'm trying to understand how one would actualize
>trust anchor locators (TALs) and LTAs in a deployment scenario and
>was hoping you could help me here.

A TAL points to a self-signed RPKI cert, which contains a 3779 extension that
describes all of the address space under that cert. It also has an 
SIA extension that points to the repository publication point where 
one begins retrieval of other RPKI certs, etc.

>I think it's probably safe to assume everyone is going to have a
>"Constraints" file for some things.

The local TA mechanism specifies that capability, but we've been told 
that most folks will find it too hard to manage that capability 
correctly.

>Because the TALs don't actually specify the list of resources covered by
>the referenced self-signed CA certificates the relying party must consult
>each trust anchor (e.g., RIR) to determine the INR extension(s) within this
>certificate, and the onus is on the RP to resolve conflicts, is this correct?

the TAL doesn't but the cert to which it points does. If one uses a 
TAL for IANA (consistent with the IAB recommendation that you helped 
author), then 3779 processing will catch conflicts.

>  For example, currently, in the experimental pilot RPKI system many of the
>INRs are asserting 0.0.0.0/0 and 0::/0, which opens the opportunity for
>conflicts that must be resolved by the RP, when they likely have no real
>capability to do this (hence the IAB statement on this topic).

Agreed that an RIR claiming 0/0 is bad. I think this is holdover from 
the pre-TAL TA model. Hopefully this will go away.

>Here's my primary question.  If I wanted to form a 'federation' of sorts for
>resiliency would I have to use additional TALs in conjunction with my
>LTA and paracertificate hierarchy?  If so, can an RP include some sort of
>filter to constrain what a TA can assert as within their resource holdings?

not sure what a federation is, but, yes, an RP can constrain what a TA
is allowed to assert, via a constraints file.

>That is, because for LTA to work every relying party in the transaction
>path (i.e., source and destination networks, as well as intermediate RPs)
>would need to override the putative [global] TA RPKI for every other
>operators resources and generate a paracertificate hierarchy therein,
>is that right?

I don't understand all of the words above.

>And if that's the case, wouldn't it be simpler for RPs to be able to
>associate resources with each trust anchor rather than trusting them to
>convey to the RP what resources they are authoritative for?

LTA management allows this, but it becomes very complex to do well if 
there are too many data items to manage.

Steve