IETF Logo Mail Archive

Re: [sidr] AD Review of draft-ietf-sidr-rpki-validation-reconsidered-07

Tim Bruijnzeels <tim@ripe.net> Thu, 22 June 2017 08:36 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F9511279EB; Thu, 22 Jun 2017 01:36:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IsrTet-u_W1u; Thu, 22 Jun 2017 01:36:29 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F5AC1242F7; Thu, 22 Jun 2017 01:36:26 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <tim@ripe.net>) id 1dNxbA-0000DA-R1; Thu, 22 Jun 2017 10:36:22 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-45.ripe.net) by titi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <tim@ripe.net>) id 1dNxbA-0002Gd-Jh; Thu, 22 Jun 2017 10:36:20 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <C1D1FDD2-9892-4EE0-86FF-24F412AF6669@cisco.com>
Date: Thu, 22 Jun 2017 10:36:19 +0200
Cc: "draft-ietf-sidr-rpki-validation-reconsidered@ietf.org" <draft-ietf-sidr-rpki-validation-reconsidered@ietf.org>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, Chris Morrow <morrowc@ops-netman.net>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DDA98C9A-F765-4922-A11B-52470A8AD2E1@ripe.net>
References: <5821A5CF-EFF8-4CE3-9AA4-CFDB9C903D63@cisco.com> <20170311222527.324125ACF21@minas-ithil.hactrn.net> <yj9ok27upcws.wl%morrowc@ops-netman.net> <6359B4B1-478D-4017-B259-7B60BA55FF39@zdns.cn> <68C71545-48E4-40B8-91AC-88DE44C4125D@ripe.net> <yj9ozigpz299.wl%morrowc@ops-netman.net> <8C26566E-8E22-4D35-85E1-387BA980115E@ripe.net> <C1D1FDD2-9892-4EE0-86FF-24F412AF6669@cisco.com>
To: "Alvaro Retana (aretana)" <aretana@cisco.com>
X-Mailer: Apple Mail (2.3273)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: -------
X-RIPE-Spam-Report: Spam Total Points: -7.5 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719db093de51ab813d90c693c2833294ff4
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/hS_-qoxEEAFCOd4OS_GnYtZb3PM>
Subject: Re: [sidr] AD Review of draft-ietf-sidr-rpki-validation-reconsidered-07
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jun 2017 08:36:31 -0000

Hi Alvaro, all,

Speaking for myself the reason for the delay is that I underestimated the impact of the new OIDs on deployability of this algorithm. I also meant to talk to all interested parties about this in person in Chicago, but unfortunately my father was hospitalised at the time (all good now!).

All that said I will work on an update of this document following Alvaro’s review. This document will define an additional validation algorithm, but not update the existing one. We can finish this work first and then have a structured discussion about deployment - I propose that we take this work to SIDROPS.

I canceled all my meetings today so I should have updated text to share with my co-authors soon. Will then send a new version to the WG asap.

Tim



> On 15 Jun 2017, at 17:02, Alvaro Retana (aretana) <aretana@cisco.com> wrote:
> 
> Dear authors:
>  
> Hi!
>  
> It’s been 3 months since this e-mail, which was the last of the thread started from my review.
>  
> I am expecting a revised ID – what are the plans to move forward?
>  
> Thanks!
>  
> Alvaro.
>  
>  
>  
> On 3/15/17, 10:24 AM, "sidr on behalf of Tim Bruijnzeels" <sidr-bounces@ietf.org on behalf of tim@ripe.net> wrote:
>  
> Hi Chris, 
>  
>> On 13 Mar 2017, at 15:21, Chris Morrow <morrowc@ops-netman.net> wrote:
>>  
>> but, having 2 versions of the validation
>> algorithm and seeing published data for both OID sets for a single
>> prefix/publication bundle will be very problematic. There's no
>> proscribed 'prefer new over old' action here, so a CA must only
>> publish one version of their data.
>  
> Why is this a problem, really?
>  
> The OIDs are set on a per certificate basis by the issuing CA. FWIW, in our hosted set up we *will* be able to pro-actively re-issue everything using the new OIDs without user interaction, but there are cases in hosted CA deployments where a hosted CA can automatically re-issue manifests, but ROAs can only be re-issued by explicit user request, one by one.
>  
> So we may see hosted CAs with products like this:
>  
> 1 CRL (validation algorithm does not apply)
> 1 MFT (new validation, although it won't matter because inherit is used)
> 1 ROA with new validation (which has been re-issued by the user)
> 1 ROA with old validation (which has NOT yet been re-issued)
>  
> This might seem confusing, but since the OIDs make it very explicit which algorithm the CA intended to use, I really do not see any ambiguity here.
>  
> My main concern is that we need to be quite confident that new RP code that understands the new OIDs has been available and is deployed. Because old RPs will reject EVERYTHING once CAs start using the new OIDs.
>  
> That is why I would have preferred to not need new OIDs, and just agree on a day that the new algorithm should be preferred. Rob seems adamant that the RFC3779 extension library code does not have access to the context of the full certificate with the RPKI CP OID - so there is no way to have something like:
>  
> if (FULL certificate has RPKI CP OID && Date is after 'switch' day) {
>   do NEW on RFC3779 extension
> } else {
>   do OLD on RFC3779 extension
> }
>  
> The impact of RP software not using the new library on 'switch' day is fairly limited. They would not reject the full repository, but only reject the exceptional cases where certificates ARE over-claiming. And of course the date check can be removed in releases of the library after 'switch' day..
>  
> It seems to me that this is a design issue with OpenSSL itself, but be that as it may - it may be unsurmountable. Rob knows this code much better than I do.
>  
> Still the consequence of all this is is that we will have to have a mix, and that despite our best efforts to warn everyone to upgrade their RP software I expect that we WILL see a number of operators that suddenly find that their old RP software has reject our full repository when start using the new OIDs.
>  
> If it can't be avoided than so be it, but I believe this perspective should be considered as well.
>  
>  
>  
> Cheers
>  
> Tim
>  
>  
>

v2.23.0 | Report a Bug | By Email