IETF Logo Mail Archive

Re: [sidr] RPKI <-> allocation consistency

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 30 August 2012 18:30 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0876F21F85C3 for <sidr@ietfa.amsl.com>; Thu, 30 Aug 2012 11:30:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.494
X-Spam-Level:
X-Spam-Status: No, score=-3.494 tagged_above=-999 required=5 tests=[AWL=0.104, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lcpNbPoD-0ku for <sidr@ietfa.amsl.com>; Thu, 30 Aug 2012 11:30:06 -0700 (PDT)
Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) by ietfa.amsl.com (Postfix) with ESMTP id F3BBE21F85AF for <sidr@ietf.org>; Thu, 30 Aug 2012 11:30:05 -0700 (PDT)
Received: by wibhq12 with SMTP id hq12so568207wib.1 for <sidr@ietf.org>; Thu, 30 Aug 2012 11:30:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2w+GkoRpDoYFf+d0+0PJKu+jpsXHWhT2SwN/JVz4o0c=; b=I/iGy15OO/Bgdf+Ph2zT4Rqr/eVeGoy8nML3TKyW8oUxxxuPXFgl2r8gc2btGPAh4a 8B5aVMxqaPK1WVsSFBHKTDDdXJlRJKcm0qZ2730exVRUDdq9F+dAz2pPWTrN8Z6uK0IG PVZhimf99NYztd9NAD5eE8nbuH9zyKXbZJmSdpdzdLA+xEt/Mbwkq7AVWstd38D0oj9P iDkEAiAodz5R0sNMlLTCs0rOalHIfKECj5o7g4jisBdJZ1nsnx0bxHwu/6amh24TU381 d1ikzXFwIMxW07U9mjdG80Vtq8RQR/+6QMvmxsWxlwkdfx0V/LPhq3ipQqLxuUi30kEV hdKA==
MIME-Version: 1.0
Received: by 10.216.245.70 with SMTP id n48mr3121974wer.139.1346351403492; Thu, 30 Aug 2012 11:30:03 -0700 (PDT)
Received: by 10.223.61.12 with HTTP; Thu, 30 Aug 2012 11:30:03 -0700 (PDT)
In-Reply-To: <CAL9jLaaew6HLdHK4=UrsUF2JKsRRV=sbXzCOFiDnLRKtVSK1tw@mail.gmail.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F555CB@Hermes.columbia.ads.sparta.com> <D857A4BB-E484-45A4-A09F-FB8FAF2215AC@tcb.net> <C5B88834-3A10-41F7-A4F3-2B7C9B540197@verisign.com> <50389897.3040503@bbn.com> <97856400-9F70-4AEC-AF91-A0673A6D716D@verisign.com> <503C47A8.7030700@bbn.com> <303C576D-D1F8-4F62-8E0E-0D74A28B2771@verisign.com> <503D141F.1060404@bbn.com> <3A791D9E-4F16-4481-94AE-BD38A5389593@verisign.com> <CAL9jLaaew6HLdHK4=UrsUF2JKsRRV=sbXzCOFiDnLRKtVSK1tw@mail.gmail.com>
Date: Thu, 30 Aug 2012 14:30:03 -0400
Message-ID: <CAH1iCirWo+JYOpFjVhtxXYKGB86nLhcogC20bEy0-Ldkp7Oc8A@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Content-Type: multipart/alternative; boundary="e0cb4e43d03325e6d204c87fdd42"
Cc: sidr@ietf.org
Subject: Re: [sidr] RPKI <-> allocation consistency
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Aug 2012 18:30:08 -0000

On Thu, Aug 30, 2012 at 1:17 PM, Christopher Morrow <morrowc.lists@gmail.com
> wrote:

> On Thu, Aug 30, 2012 at 10:59 AM, Eric Osterweil
> <eosterweil@verisign.com> wrote:
> >
> > On Aug 28, 2012, at 2:55 PM, Stephen Kent wrote:
> >
> >> Eric,
> >>
> >> Perhaps what you are looking for is some text in an operations doc,
> suggesting what
> >> an RP can expect, depending on how it elects to interact with the
> repository system,
> >> maintain its local cache, etc.
> >
> > Actually, I was looking for some intuition/guidance for people in a
> position to take a systematic look at how to implement the design.  I'm not
> sure which draft, or which section, etc.  Basically, I'm trying to get
> things worked out, but I keep having issues w/ ensuring that ingestion of
> data by a process at (say) one router has something/anything to do with the
> ingestion of the same thing at (say) another router.  Consistency models
> tell me what properties I can rely on at time t_0 at location r_0 vs time
> t_1 at r_1, etc.  Right now, I'm having a lot of trouble ensuring that
> anything agrees with anything else in the Interwebz and I don't know if I
> should just let that be the case, or there is some sort of consistency I
> need to adhere to...
> >
>
> right, for the whole system you want to know:
>   'how long between ROA create and ROA-foo on router'
>
> I think what you really want (because across the whole of the realm
> it's a 'simple' model, where inside islands there is potentially lots
> more fudgery) is:
>   1) 'how long from roa-create -> roa-at-all-ASNs'
>   2) 'what model of timing makes sense for 'once a ROA is at a remote
> ASN, how long before that data is available on 1 routing-device, then
> all routing-devices in that realm'
>   3) should this set of numbers apply to ALL objects in the RPKI
> equally? or should some object types have different timing
> requirements?
>
> -chris
>
> (using ROA as the unit, you could use CRL update, EE-cert, etc... 'one
> item in the RPKI')
>


I think this extends out to the several kinds of "consistency" questions I
have, as well.

For example:

There are a whole bunch of documents that detail bits and pieces of the
RPKI, some of which have some ASCII-art showing parts of the system.

However, there is a severe lack of detail on the things it is about,
specifically IP prefixes (INRs) that are protected via the whole system.

In fact, in the one document that I think should be most critical, on
validating ROAs, there are almost no references to IP blocks, and what few
there are get referred to either indirectly (via another RFC reference) or
using inconsistent terminology.

After reviewing the whole mess of docs, and following the mutual implicit
or explicit cross-references, I have some questions that don't seem to have
been answered by the docs (both the published RFCs and current I-Ds).

(1) What is the presumed model for INRs themselves?
Are INRs presumed to be exclusive, and allocations hierarchical (with the
occasional instance of an entire allocation being handed off without being
divided)?
That is to say, is a given piece of address space (contiguous power-of-2
block) always under the exclusive control of one party, based on
longest-match rules of IP routing?
(I'm pretty sure that the existing assignment methods starting at
IANA->RIRs is built entirely on exclusivity, modulo RFC1918 space.)

(2) If INRs are meant to be exclusive, why does the RPKI not enforce that
exclusivity?
It appears, having looked at the docs in the context of grandparenting,
that despite the assertion that validation is a top-down activity, it is
fundamentally a bottom-up process (looking for an eventual match against a
trust anchor).
And, in essence, there is no requirement that INR "delegations" that occur
at any given CA, need to be unique, which presumably contradicts the nature
of INRs.
(Note here - the presumption is not uniqueness by ASN, but uniqueness by
organization controlling ROA assignment, where that single org could/would
issue ROAs for multiple ASNs.)
I believe that enforcing exclusivity of INR blocks within each CA's set of
signed objects, is all that is needed to achieve global uniqueness. A CA's
ROA(s) could be matched against delegations, requiring a zero-overlap, or
alternatively modifying the ROA validation process to somehow disambiguate
things.

(3) If an ROA is issued by CA_1 for A.B.C.D/X (max length X+Y, Y>=1), and
the same CA_1 also signs a delegation on A.B.C.D/(X+1) to CA_2, who issues
an ROA for A.B.C.D/(X+1) (max length (X+1)+Y, Y>=0), that two parties are
then legitimately able to originate (conflicting) BGP routes for
A.B.C.D/X+1 - something that I doubt CA_2 would be happy about (even as a
possibility, let alone an actuality).

(4) ROAs appear to be "containers" for (possibly) multiple prefixes. Is it
strictly necessary for every prefix in a ROA to validate properly, for a
ROA to validate? Or, if not, how does that work for partial validity,
prefix-by-prefix?

(5) Everything in the validation and RPKI seems to be forward-lookup
oriented from an ASN perspective. What about trying to look up information
on a given prefix, if you don't have the ASN(s)? It seems like it would
require an exhaustive search of every pub point under any published CA that
contained a covering address for the prefix in question. Is that correct,
and did anyone look at this originally when designing the RPKI? What if you
have one ASN that you know is announcing a given prefix, but want to find
out if any other ASN has a valid ROA which includes the same prefix (or
covering prefix, or child prefix)?

(6) What about an informational RFC to tie all the relevant bits together,
e.g. with big ASCII-art diagrams, high-level text describing relationships,
and pointers to detailed technical RFCs? Without this, trying to understand
any of this, let along trying to implement, is rather unwieldy.

(7) This also points towards the number of places the docs "punt" on
critical issues. E.g. the question of INR->RPKI timing ("...is a
side-effect...") is pretty vague. I also think the issue of "bogon" space
could/should be addressed, so that unused space can not only _not_ be part
of any ROA, but that unused space can authoritatively be excluded from
routing tables via BGPSEC mechanisms. (There is no reason to wait for
everyone to deploy BGPSEC to achieve this piece of low hanging fruit.)
Since INRs are allocated top-down, Reserved space can trivially be
authenticated and placed into a "black list" dynamically.

Any comments, from anyone, on any of these, are welcome.

Brian

v2.23.0 | Report a Bug | By Email