IETF Logo Mail Archive

Re: [sidr] Validation Reconsidered (again/again) question

Geoff Huston <gih902@gmail.com> Wed, 02 December 2015 10:23 UTC

Return-Path: <gih902@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A2B41A86FF for <sidr@ietfa.amsl.com>; Wed, 2 Dec 2015 02:23:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3lcSI9O9tr9A for <sidr@ietfa.amsl.com>; Wed, 2 Dec 2015 02:23:42 -0800 (PST)
Received: from mail-pa0-x233.google.com (mail-pa0-x233.google.com [IPv6:2607:f8b0:400e:c03::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97CCE1A8701 for <sidr@ietf.org>; Wed, 2 Dec 2015 02:23:42 -0800 (PST)
Received: by pacdm15 with SMTP id dm15so36945509pac.3 for <sidr@ietf.org>; Wed, 02 Dec 2015 02:23:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=UnB9q8SiYFUgs2y28foA5gGWIREH21ZRsVRYzc9x6+o=; b=diB7tovldiXArlS4QNOp9f+3TXww5eGXsleKSWyUi+6XWN8aCBUEsbiiiPHQV60qIa JN91yAqe+/auXlv2HGDYojB0748Y6OtTjtTvZHsJaKSY/5s+5kYGcynJcZxQqXukozpV QGTxwsbkyC0GQyMJkyntTBy/nhss2+oPCRjjVoVMVvXGYkq6wr5PJl9V4N6/J5ftIbbh 1hjJaarrzHuRn9AlOf2QVnJMN4gQJoIPSaH5VYPfA+2mzujdP+u9ZVtq2LmKDNuMr0Pb 84flgYJG7n6odxBZRzdjmN0Uq3CwkhBXfcw5+qYFGf4xEqfVoRTJX6Pm9pIlhhtYctje F79g==
X-Received: by 10.98.13.200 with SMTP id 69mr3370666pfn.165.1449051822173; Wed, 02 Dec 2015 02:23:42 -0800 (PST)
Received: from 2001-44b8-1121-1a00-dca1-44d5-50a7-5569.static.ipv6.internode.on.net (2001-44b8-1121-1a00-dca1-44d5-50a7-5569.static.ipv6.internode.on.net. [2001:44b8:1121:1a00:dca1:44d5:50a7:5569]) by smtp.gmail.com with ESMTPSA id 25sm3379309pfp.62.2015.12.02.02.23.39 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 02 Dec 2015 02:23:41 -0800 (PST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Geoff Huston <gih902@gmail.com>
In-Reply-To: <7C1B79AF-ED56-42AC-9D4F-240F243F779E@tislabs.com>
Date: Wed, 02 Dec 2015 21:23:37 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <29702B8D-B96A-4361-AB45-A1649B0CD3C2@gmail.com>
References: <565617E8.4070005@bbn.com> <8FB9C3A7-0799-4CF7-80A5-7669070B3C91@ripe.net> <565D7EB9.9090902@gmail.com> <81F085EE-8B51-493B-997D-A8D6147105B1@ripe.net> <565DB1C5.8050802@gmail.com> <7C1B79AF-ED56-42AC-9D4F-240F243F779E@tislabs.com>
To: Sandra Murphy <sandy@tislabs.com>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/_VzWvkdJ0ADz5oPO_-4u4gzgm34>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] Validation Reconsidered (again/again) question
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 10:23:44 -0000

> On 2 Dec 2015, at 11:32 AM, Sandra Murphy <sandy@tislabs.com> wrote:
> 
> Speaking as regular ol’ member:
> 
> On Dec 1, 2015, at 9:42 AM, Andrei Robachevsky <andrei.robachevsky@gmail.com> wrote:
> 
>> Tim Bruijnzeels wrote on 01/12/15 14:55:
>>>> 
>>>> Tim, I am not sure I understand this. If the parent of the EE cert has a
>>>> shrunken set of resources, will it invalidate the EE or only the
>>>> non-overlapping subset?
>>> 
>>> If the parent has a shrunken resource set this would lead to the EE certificate being accepted only for the intersection of its resources, and the parent. Because there is a requirement that all prefixes on a ROA are included (and accepted in reconsidered) in the resource set of the EE certificate the ROA will be considered invalid.
>>> 
>> 
>> Thank you Tim, this makes sense. Otherwise we will be changing the
>> semantics of ROA, which is tricky. Could you please point me to the
>> place where the requirement is specified?
> 
> In RFC6483, page 5, section 4.  ROA Validation:
> 
>   o  The IP address delegation extension [RFC3779] is present in the
>      end-entity (EE) certificate (contained within the ROA), and each
>      IP address prefix(es) in the ROA is contained within the set of IP
>      addresses specified by the EE certificate's IP address delegation
>      extension.
> 
> Quibble.

RFC6482, section 4

> 
> In the current algorithm, the EE cert that mentioned some of the removed resources will be invalid.  That makes the ROA that mentioned some of the removed resources be invalid.
> 
> Under validation reconsidered, the EE cert will be valid, but not all the resources contained in it will be valid.  However, the EE cert still "contains" the removed resources, so the ROA “contained within” test would still succeed. So a ROA that mentioned some of the removed resources would still be considered valid. (I would say that’s bad.)


I’d say thats bad too.

So how about an example or two:

Example 1:

A CA Cert: 1.0.0.0/24, 2.0.0.0/24

issues:

B CA Cert: 1.0.0.0/24, 2.0.0.0/24, 3.0.0.0/24

issues:

C EE Cert: 1.0.0.0/24

and signs

ROA: 1.0.0.0/24 AS1

all good (assuming that A is a trust anchor)

Example 2:

A CA Cert: 1.0.0.0/24, 2.0.0.0/24

issues:

B CA Cert: 1.0.0.0/24, 2.0.0.0/24, 3.0.0.0/24

issues:

C EE Cert: 1.0.0.0/24, 2.0.0.0/24

and signs

ROA: 1.0.0.0/24 AS1

still all good (assuming that A is a trust anchor)

Example 3:

A CA Cert: 1.0.0.0/24, 2.0.0.0/24

issues:

B CA Cert: 1.0.0.0/24, 2.0.0.0/24, 3.0.0.0/24

issues:

C EE Cert: 1.0.0.0/24, 3.0.0.0/24

and signs

ROA: 1.0.0.0/24 AS1

still all good (assuming that A is a trust anchor)

Example 4:

A CA Cert: 1.0.0.0/24, 2.0.0.0/24

issues:

B CA Cert: 1.0.0.0/24, 2.0.0.0/24, 3.0.0.0/24

issues:

C EE Cert: 1.0.0.0/24, 3.0.0.0/24

and signs

ROA: 1.0.0.0/24, 3.0.0.0/24 AS1

invalid ROA

(or at least that’s my opinion of what should happen. My assumption here is that the ROA IS intentionally a collection of resources where the entirety of the collection is important, so if all elements of the collection cannot be validated via the ROA’s EE certificate then its a dud ROA.)



> 
> Under validation-reconsidered, we would need to make sure this section said something about the validity of the resources in the valid EE cert.


I don’t think its a question of the EE cert, but the question of section 4 of RFC6482 and what validation of the ROA means.

> 
> Just in case it is not obvious:
> 
> Suppose the EE cert always contained more resources than the ROA mentioned.


which is ok today under RFC6482

> 
> Suppose the ROA did not mention the resources that were removed.  In that case the shrinking of the parent causes a shrinking of the set of resources that are contained in the EE cert that are considered valid under validation-reconsidered.  The valid subset of the resources contained in the valid EE cert (i.e., the shrunken resources) would still cover the resources mentioned in the ROA.  So a ROA whose resources were contained exclusively within the retained resources would be valid.  (I would say that’s good.)


i.e. thats like my example 3 above, so I agree thats good from where I sit as well.

> 
> —Sandy, speaking as regular ol’ member
> 
> (We’ve overloaded “Valid” a couple of different ways valid certs, valid ROAs, valid origins, valid Signature_Blocks, …) - it might be nice to readers and users to come up with a different adjective here for the subset of the resources that are contained within the certificate, rather than yet another use of “valid”.   Before we have to talk about valid certs with invalid resources.)
>

v2.37.1 | Report a Bug | By Email | System Status