Re: [sidr] Questions about draft-huston-rpki-validation-01
"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Mon, 17 March 2014 23:21 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 360421A01E3 for <sidr@ietfa.amsl.com>; Mon, 17 Mar 2014 16:21:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DaUy4Wt55TPJ for <sidr@ietfa.amsl.com>; Mon, 17 Mar 2014 16:21:41 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0189.outbound.protection.outlook.com [207.46.163.189]) by ietfa.amsl.com (Postfix) with ESMTP id 4F0B51A044B for <sidr@ietf.org>; Mon, 17 Mar 2014 16:21:41 -0700 (PDT)
Received: from BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) by BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) with Microsoft SMTP Server (TLS) id 15.0.898.11; Mon, 17 Mar 2014 23:21:31 +0000
Received: from BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.12]) by BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.43]) with mapi id 15.00.0898.005; Mon, 17 Mar 2014 23:21:31 +0000
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Geoff Huston <gih@apnic.net>
Thread-Topic: Questions about draft-huston-rpki-validation-01
Thread-Index: Ac89eRhd+ibZbQZWQW6u2RB/Km153QAQRwSAABsPsLAA1ffwgAAtxyld
Date: Mon, 17 Mar 2014 23:21:30 +0000
Message-ID: <375b352964154d2eab003662a377c688@BLUPR09MB053.namprd09.prod.outlook.com>
References: <aa922cfa32d64b01ad85a472faa9356b@BLUPR09MB053.namprd09.prod.outlook.com> <F69C5324-C865-46FB-9B49-940B47F29ADD@apnic.net> <519729f8a8c549ec98496c22fc6025a6@BLUPR09MB053.namprd09.prod.outlook.com>, <452C0EF8-8A6C-4E75-B7B3-DDF4FFD87691@apnic.net>
In-Reply-To: <452C0EF8-8A6C-4E75-B7B3-DDF4FFD87691@apnic.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [129.6.222.35]
x-forefront-prvs: 0153A8321A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(51704005)(24454002)(377454003)(189002)(199002)(76482001)(54316002)(20776003)(94316002)(56776001)(74706001)(83072002)(66066001)(86362001)(65816001)(33646001)(95666003)(51856001)(79102001)(74316001)(81542001)(4396001)(63696002)(81816001)(69226001)(74662001)(81686001)(80022001)(47446002)(85852003)(31966008)(93136001)(49866001)(93516002)(47736001)(59766001)(77982001)(56816005)(92566001)(90146001)(74502001)(74876001)(94946001)(19580395003)(19580405001)(83322001)(76576001)(80976001)(46102001)(2656002)(47976001)(87266001)(87936001)(81342001)(95416001)(53806001)(54356001)(97336001)(76786001)(74366001)(97186001)(76796001)(77096001)(561944002)(85306002)(50986001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR09MB053; H:BLUPR09MB053.namprd09.prod.outlook.com; FPR:6FC1F2DF.9EF297ED.B2CF5C47.9AE6A17E.20548; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: nist.gov does not designate permitted sender hosts)
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/ilYmz5n_isIuVXATJ9I-BD2TXAw
Cc: George Michaelson <ggm@apnic.net>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Questions about draft-huston-rpki-validation-01
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 23:21:44 -0000
Geoff, Thanks. Comments inline. >Hi Sriram, >I am espousing method B in your terminology. Yes, I thought so. I also think method B should be preferable over method A, if we do go down this path. >Perhaps if I rephrase the validation question a little, >it may be a little clearer. >The validation question is: Given a certificate X and a TA certificate, >for what resources is this certificate "valid"? Suggestion: s/Given a certificate X and a TA certificate/Given a certificate X and its certification path (per Section 6 of RFC5280)/ >You point out >> (In terms of language and clarity, the notion of calling a certificate "valid" >> is misleading when in fact all that is being checked is merely >> whether a given INR is subsumed in it.) >Maybe there is a way of tightening this up. >How about: A resource contained in the resource extension >of a certificate is defined as "valid" if this resource >is listed in the resource extension field of all certificates >that are contained in a certification path, where the >construction of this certification path is defined in section 6 of RFC5280. Suggestion: s/is listed in the resource extension field of all certificates/ /is subsumed in the resource extension field of each of the certificates/ (Note: A prefix may not be listed but may be subsumed in a less specific that is listed.) Do you need somewhat different wording for the case of ROA validation? (Is a ROA also technically a "certificate"?) When you say "resource contained in the resource extension", is that well defined for a ROA as well? >(In the WG I also considered a slightly expanded question: >Given a certificate X and a set of TA certificates, >for what resources is this certificate "valid"?, >but that proved to be a little more controversial for many!) Yes, I also feel that the “join” idea is far more complicated and the benefits are not clear. Thanks. Sriram ________________________________________ From: Geoff Huston <gih@apnic.net> Sent: Sunday, March 16, 2014 9:15 PM To: Sriram, Kotikalapudi Cc: George Michaelson; sidr wg list Subject: Re: Questions about draft-huston-rpki-validation-01 Hi Sriram, I am espousing method B in your terminology. Perhaps if I rephrase the validation question a little, it may be a little clearer. The validation question is: Given a certificate X and a TA certificate, for what resources is this certificate "valid"? You point out > (In terms of language and clarity, the notion of calling a certificate "valid" > is misleading when in fact all that is being checked is merely > whether a given INR is subsumed in it.) Maybe there is a way of tightening this up. How about: A resource contained in the resource extension of a certificate is defined as "valid" if this resource is listed in the resource extension field of all certificates that are contained in a certification path, where the construction of this certification path is defined in section 6 of RFC5280. Back you your example...So the question posted by the ROA, which is signed by certificate 3, is "Is certificate 3 valid for 10.0.0.0/24?" As you've described here the certification path is Cert 1, Cert 2, and Cert 3, and as 10.0.0.0/24 is contained in the resource extension of all of these certificates then it can be concluded that the question posed by the ROA, namely whether certificate 3 is valid for 10.0.0.0/24, can be answered in the affirmative. (In the WG I also considered a slightly expanded question: Given a certificate X and a set of TA certificates, for what resources is this certificate "valid"?, but that proved to be a little more controversial for many!) regards, Geoff On 13 Mar 2014, at 7:17 am, Sriram, Kotikalapudi <kotikalapudi.sriram@nist.gov> wrote: > Geoff, > > About my Question (3), let us discuss this a bit more carefully with an example. > > There is this ROA: {10.0.0.0/24, AS64499} that we wish to validate. > It is signed with Certificate 3, which has the following certificate path to the TA: > Certificate 1: It lists {10.0.0.0/12, AS64501, AS64505, AS64509} (TA certificate) > Certificate 2: It lists {10.0.0.0/22, AS64501, AS64505, AS64511} > Certificate 3: It lists {10.0.0.0/20, AS64501, AS64505} > Note: Certificate 1 is the TA certificate. > > It is clear that following the current (RFC 3779) method, > Certificates 2 and 3 are invalid, and it follows that the ROA is invalid. > > Now, there are two methods that we may enumerate for a modified (or alternate) > validation proposal: > > Method A (more conservative but less robust relative to Method B below): > > Step 1: Ask what certificate is used to sign the RAO? Answer: Certificate 3. > > Step 2: Do the resources in Certificate 3 subsume the prefix in the ROA? Answer: YES, > because "the INR of interest" 10.0.0.0/24 in the ROA is subsumed by > an INR 10.0.0.0/20 in Certificate 3. OK, now proceed to validate Certificate 3. > Note that "the INR of interest" in Certificate 3 is 10.0.0.0/20. > > Step 3: Ask if the resources in Certificate 2 subsume "the INR of interest" in Certificate 3? > Answer: NO, because "the INR of interest" 10.0.0.0/20 in Certificate 3 is NOT subsumed > by an INR in the parent Certificate 2. > (Note: The parent Certificate 2 has a more specific prefix 10.0.0.0/22.) > > Step 4: Since the certificate chain "validation" failed at Step 3, declare the ROA > being considered as "Invalid" for the prefix-origin pair {10.0.0.0/24, AS64499} . > > Method B (less conservative but more robust relative to Method A above): > > Step 1: Ask what certificate is used to sign the RAO? Answer: Certificate 3. > > Step 2: Set "the given INR" as 10.0.0.0/24. That is the INR in the ROA for which > validation is being sought. > [Note: "The given INR" remains a constant in the steps that follow. > We just *stay focused on this given INR* for the rest of the validation process below. > This is the main difference compared to method A.] > > Step 3: Do the resources in Certificate 3 subsume the "the given INR" 10.0.0.0/24? > Answer: YES, because the given INR 1.0.0.0/24 is subsumed by an INR 10.0.0.0/20 in Certificate 3. > > Step 4: Do the resources in Certificate 2 subsume the "the given INR" 10.0.0.0/24? > Answer: YES, because the given INR 1.0.0.0/24 is subsumed by an INR 10.0.0.0/22 in Certificate 2. > > Step 5: Do the resources in Certificate 1 subsume the "the given INR" 10.0.0.0/24? > Answer: YES, because the given INR 10.0.0.0/24 is subsumed by an INR 10.0.0.0/12 in Certificate 1. > > Step 6: Since the certificate chain "validation" passed at each step above > for "the given INR" 10.0.0.0/24, declare the ROA being considered > as "Valid" for the prefix-origin pair {10.0.0.0/24, AS64499} . > > So Method A produces an "Invalid" result for the ROA, > whereas Method B yields a "Valid" result. > I hope the difference between Methods A and B is clear. > In Method A, "the INR of interest" at level x must be subsumed by an INR at level x+1. > But in Method B, only "the given INR" (e.g., a prefix in a ROA or an ASN in a router certificate) > is the steady focus, and what is required is that "the given INR" must be subsumed > by resources listed in the certificate at each level (1, 2, 3, ..., n). > > The description on your Slide #18 falls short of describing precisely > either Method A or Method B. From your Slide #14, it seems evident that you are > proposing Method B; am I right? > (In terms of language and clarity, the notion of calling a certificate "valid" > is misleading when in fact all that is being checked is merely > whether a given INR is subsumed in it.) > > Sriram > >
- [sidr] Questions about draft-huston-rpki-validati… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Tim Bruijnzeels
- Re: [sidr] Questions about draft-huston-rpki-vali… Christopher Morrow
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Christopher Morrow
- Re: [sidr] Questions about draft-huston-rpki-vali… Stephen Kent
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Stephen Kent