Re: [sidr] Questions about draft-huston-rpki-validation-01
Geoff Huston <gih@apnic.net> Mon, 17 March 2014 01:15 UTC
Return-Path: <gih@apnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC6D61A0340 for <sidr@ietfa.amsl.com>; Sun, 16 Mar 2014 18:15:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.338
X-Spam-Level:
X-Spam-Status: No, score=-102.338 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z64kz-55jAWD for <sidr@ietfa.amsl.com>; Sun, 16 Mar 2014 18:15:15 -0700 (PDT)
Received: from so-mailgw.apnic.net (so-mailgw.apnic.net [IPv6:2001:dd8:a:3::230]) by ietfa.amsl.com (Postfix) with SMTP id 657191A033C for <sidr@ietf.org>; Sun, 16 Mar 2014 18:15:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apnic.net; s=c3po; h=received:received:content-type:mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to:x-mailer:return-path; bh=n+8xGszjokIFk3TijGHaB4rB6fbgkr0lOYliD+Fi61Q=; b=hBIom3qXW+yrMDrtc9WeNC4vt80QNPu68PtlAy3fzQri57yB5F/I50PbA+/8oN9C/oWMNKT4Zu5vf t70vXxMmNpgAEh+Eo8r0cgt3I3lIRo907P4KeGiFIp7i5a3OKmix+pGVyfZNQKOktP8g6pPZckPG0B DXitsEOnTshszam4=
Received: from NXMDA1.org.apnic.net (unknown [203.119.93.247]) by so-mailgw.apnic.net (Halon Mail Gateway) with ESMTP; Mon, 17 Mar 2014 20:24:58 +1000 (EST)
Received: from robewin.canberra.aarnet.edu.au (203.119.101.249) by NXMDA1.org.apnic.net (203.119.107.11) with Microsoft SMTP Server (TLS) id 14.1.218.12; Mon, 17 Mar 2014 11:15:04 +1000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <519729f8a8c549ec98496c22fc6025a6@BLUPR09MB053.namprd09.prod.outlook.com>
Date: Mon, 17 Mar 2014 12:15:03 +1100
Content-Transfer-Encoding: quoted-printable
Message-ID: <452C0EF8-8A6C-4E75-B7B3-DDF4FFD87691@apnic.net>
References: <aa922cfa32d64b01ad85a472faa9356b@BLUPR09MB053.namprd09.prod.outlook.com> <F69C5324-C865-46FB-9B49-940B47F29ADD@apnic.net> <519729f8a8c549ec98496c22fc6025a6@BLUPR09MB053.namprd09.prod.outlook.com>
To: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/obSnxy4Jhvk5wUHMSsPjqqjqRfY
Cc: George Michaelson <ggm@apnic.net>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Questions about draft-huston-rpki-validation-01
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 01:15:19 -0000
Hi Sriram, I am espousing method B in your terminology. Perhaps if I rephrase the validation question a little, it may be a little clearer. The validation question is: Given a certificate X and a TA certificate, for what resources is this certificate "valid"? You point out > (In terms of language and clarity, the notion of calling a certificate "valid" > is misleading when in fact all that is being checked is merely > whether a given INR is subsumed in it.) Maybe there is a way of tightening this up. How about: A resource contained in the resource extension of a certificate is defined as "valid" if this resource is listed in the resource extension field of all certificates that are contained in a certification path, where the construction of this certification path is defined in section 6 of RFC5280. Back you your example...So the question posted by the ROA, which is signed by certificate 3, is "Is certificate 3 valid for 10.0.0.0/24?" As you've described here the certification path is Cert 1, Cert 2, and Cert 3, and as 10.0.0.0/24 is contained in the resource extension of all of these certificates then it can be concluded that the question posed by the ROA, namely whether certificate 3 is valid for 10.0.0.0/24, can be answered in the affirmative. (In the WG I also considered a slightly expanded question: Given a certificate X and a set of TA certificates, for what resources is this certificate "valid"?, but that proved to be a little more controversial for many!) regards, Geoff On 13 Mar 2014, at 7:17 am, Sriram, Kotikalapudi <kotikalapudi.sriram@nist.gov> wrote: > Geoff, > > About my Question (3), let us discuss this a bit more carefully with an example. > > There is this ROA: {10.0.0.0/24, AS64499} that we wish to validate. > It is signed with Certificate 3, which has the following certificate path to the TA: > Certificate 1: It lists {10.0.0.0/12, AS64501, AS64505, AS64509} (TA certificate) > Certificate 2: It lists {10.0.0.0/22, AS64501, AS64505, AS64511} > Certificate 3: It lists {10.0.0.0/20, AS64501, AS64505} > Note: Certificate 1 is the TA certificate. > > It is clear that following the current (RFC 3779) method, > Certificates 2 and 3 are invalid, and it follows that the ROA is invalid. > > Now, there are two methods that we may enumerate for a modified (or alternate) > validation proposal: > > Method A (more conservative but less robust relative to Method B below): > > Step 1: Ask what certificate is used to sign the RAO? Answer: Certificate 3. > > Step 2: Do the resources in Certificate 3 subsume the prefix in the ROA? Answer: YES, > because "the INR of interest" 10.0.0.0/24 in the ROA is subsumed by > an INR 10.0.0.0/20 in Certificate 3. OK, now proceed to validate Certificate 3. > Note that "the INR of interest" in Certificate 3 is 10.0.0.0/20. > > Step 3: Ask if the resources in Certificate 2 subsume "the INR of interest" in Certificate 3? > Answer: NO, because "the INR of interest" 10.0.0.0/20 in Certificate 3 is NOT subsumed > by an INR in the parent Certificate 2. > (Note: The parent Certificate 2 has a more specific prefix 10.0.0.0/22.) > > Step 4: Since the certificate chain "validation" failed at Step 3, declare the ROA > being considered as "Invalid" for the prefix-origin pair {10.0.0.0/24, AS64499} . > > Method B (less conservative but more robust relative to Method A above): > > Step 1: Ask what certificate is used to sign the RAO? Answer: Certificate 3. > > Step 2: Set "the given INR" as 10.0.0.0/24. That is the INR in the ROA for which > validation is being sought. > [Note: "The given INR" remains a constant in the steps that follow. > We just *stay focused on this given INR* for the rest of the validation process below. > This is the main difference compared to method A.] > > Step 3: Do the resources in Certificate 3 subsume the "the given INR" 10.0.0.0/24? > Answer: YES, because the given INR 1.0.0.0/24 is subsumed by an INR 10.0.0.0/20 in Certificate 3. > > Step 4: Do the resources in Certificate 2 subsume the "the given INR" 10.0.0.0/24? > Answer: YES, because the given INR 1.0.0.0/24 is subsumed by an INR 10.0.0.0/22 in Certificate 2. > > Step 5: Do the resources in Certificate 1 subsume the "the given INR" 10.0.0.0/24? > Answer: YES, because the given INR 10.0.0.0/24 is subsumed by an INR 10.0.0.0/12 in Certificate 1. > > Step 6: Since the certificate chain "validation" passed at each step above > for "the given INR" 10.0.0.0/24, declare the ROA being considered > as "Valid" for the prefix-origin pair {10.0.0.0/24, AS64499} . > > So Method A produces an "Invalid" result for the ROA, > whereas Method B yields a "Valid" result. > I hope the difference between Methods A and B is clear. > In Method A, "the INR of interest" at level x must be subsumed by an INR at level x+1. > But in Method B, only "the given INR" (e.g., a prefix in a ROA or an ASN in a router certificate) > is the steady focus, and what is required is that "the given INR" must be subsumed > by resources listed in the certificate at each level (1, 2, 3, ..., n). > > The description on your Slide #18 falls short of describing precisely > either Method A or Method B. From your Slide #14, it seems evident that you are > proposing Method B; am I right? > (In terms of language and clarity, the notion of calling a certificate "valid" > is misleading when in fact all that is being checked is merely > whether a given INR is subsumed in it.) > > Sriram > >
- [sidr] Questions about draft-huston-rpki-validati… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Tim Bruijnzeels
- Re: [sidr] Questions about draft-huston-rpki-vali… Christopher Morrow
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Christopher Morrow
- Re: [sidr] Questions about draft-huston-rpki-vali… Stephen Kent
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Stephen Kent