Re: [sidr] Terry Manderson's No Objection on draft-ietf-sidr-rpki-validation-reconsidered-10: (with COMMENT)
Tim Bruijnzeels <tim@ripe.net> Mon, 22 January 2018 09:36 UTC
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 993A2124B17; Mon, 22 Jan 2018 01:36:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cu0HaD_cvpXa; Mon, 22 Jan 2018 01:36:34 -0800 (PST)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 725211243F6; Mon, 22 Jan 2018 01:36:34 -0800 (PST)
Received: from nene.ripe.net ([193.0.23.10]) by molamola.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <tim@ripe.net>) id 1edYWi-0003wb-A8; Mon, 22 Jan 2018 10:36:29 +0100
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-180.ripe.net) by nene.ripe.net with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <tim@ripe.net>) id 1edYWh-0000Yl-3P; Mon, 22 Jan 2018 10:36:27 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <151658444250.8179.6286711798902606717.idtracker@ietfa.amsl.com>
Date: Mon, 22 Jan 2018 10:36:26 +0100
Cc: The IESG <iesg@ietf.org>, draft-ietf-sidr-rpki-validation-reconsidered@ietf.org, Chris Morrow <morrowc@ops-netman.net>, aretana.ietf@gmail.com, sidr-chairs@ietf.org, sidr@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <3B10581B-4F2F-45D7-964C-8385EF0B29EA@ripe.net>
References: <151658444250.8179.6286711798902606717.idtracker@ietfa.amsl.com>
To: Terry Manderson <terry.manderson@icann.org>
X-Mailer: Apple Mail (2.3445.5.20)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: -------
X-RIPE-Spam-Report: Spam Total Points: -7.5 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a071984d38c1e99ecd88560ad62c961cf1d7c
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/fIRnepgSLSesa0uAJD1tzcSBg-c>
Subject: Re: [sidr] Terry Manderson's No Objection on draft-ietf-sidr-rpki-validation-reconsidered-10: (with COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jan 2018 09:36:37 -0000
Dear Terry, all, Terry thank you for very much for reviewing. I have two comments to your remaining concerns: > On 22 Jan 2018, at 02:27, Terry Manderson <terry.manderson@icann.org> wrote: > > Terry Manderson has entered the following ballot position for > draft-ietf-sidr-rpki-validation-reconsidered-10: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for adding text into the document that placates my DISCUSS concerns > until others look to implement (and use in anger) this in the wild. > > I'm going to leave a part of my original thoughts on this document here for > future reflection: "I get the sense that many of the ramifications for this > validation change are yet to be discovered. It worries me that from the > shepherd writeup "The existing CA/RP code implementations will support this > once published." What experiments have been done to identify any gaps and > assumptions?” As I mentioned in this message: https://www.ietf.org/mail-archive/web/sidr/current/msg08596.html The RIPE NCC RPKI Validator has been using the new algorithm since version 2.17, released 3 July 2014. With one difference: in the RIPE NCC validator the decision to accept the intersection of validated resources, rather than reject, is a global configuration setting, rather than a per CA certificate decision. Changing this code is trivial though once we know which OID to use to drive the if statement. In terms of analysis: we have done interop testing between our validator (with the setting turned on) and the other validators and we find no differences that can be traced back to this. First of all because we have not yet caught any persistent overclaims in the wild, and secondly the algorithm we use where we track “Validated Resource Sets” is not semantically different in cases where no actual overclaims are found. The experiment we have NOT done is to create an actual in-the-wild over-claiming parent certificate and compare validation notes. This is not trivial for us because our CA implementation has built-in checks to prevent this kind of thing. Thanks to your insisting, the document now describes better what will happen in this case. But in a nutshell: I am happy to invest time in doing this experiment when we get to the point of discussing the deployment of validation-reconsidered. > And further add that the RPKI is starting to appear, in my eyes, exceptionally > fragile when faced with operational realities and also quasi-political issues > surrounding trust anchors. Without doubt the underpinnings of routing security > and integrity is hard, no surprise that this effort (as one of many that has > preceded it) also struggles. This document addresses potential operational issues, that we haven’t actually seen in the wild. Similarly we invested time and effort to develop the delta protocol (RRDP) to prevent big issues with rsync scaling (before they actually become problematic). And recently I have been asking for the adoption of a working group item (Signed TALs) to address the issue of TA key rolls - before they become problematic. So, in my opinion, the RPKI standards did not get everything right from the start, but we can (and do) fix things. In that regard I am also very happy to see that the SIDROPS WG has an explicit mandate to look at the operational side of the RPKI and apply lessons learned. Kind regards, Tim
- [sidr] Terry Manderson's No Objection on draft-ie… Terry Manderson
- Re: [sidr] Terry Manderson's No Objection on draf… Tim Bruijnzeels