Re: [sidr] Questions about draft-huston-rpki-validation-01
"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Wed, 12 March 2014 19:07 UTC
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CCAF1A0758 for <sidr@ietfa.amsl.com>; Wed, 12 Mar 2014 12:07:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06drh-nIAAmp for <sidr@ietfa.amsl.com>; Wed, 12 Mar 2014 12:07:33 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0207.outbound.protection.outlook.com [207.46.163.207]) by ietfa.amsl.com (Postfix) with ESMTP id D89C21A0365 for <sidr@ietf.org>; Wed, 12 Mar 2014 12:07:32 -0700 (PDT)
Received: from BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) by BLUPR09MB008.namprd09.prod.outlook.com (10.255.211.151) with Microsoft SMTP Server (TLS) id 15.0.893.10; Wed, 12 Mar 2014 19:07:19 +0000
Received: from BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.70]) by BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.70]) with mapi id 15.00.0893.001; Wed, 12 Mar 2014 19:07:19 +0000
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Geoff Huston <gih@apnic.net>
Thread-Topic: Questions about draft-huston-rpki-validation-01
Thread-Index: Ac89eRhd+ibZbQZWQW6u2RB/Km153QAQRwSAABqu5AA=
Date: Wed, 12 Mar 2014 19:07:18 +0000
Message-ID: <29aaf7410c27484fa790408f93db4d74@BLUPR09MB053.namprd09.prod.outlook.com>
References: <aa922cfa32d64b01ad85a472faa9356b@BLUPR09MB053.namprd09.prod.outlook.com> <F69C5324-C865-46FB-9B49-940B47F29ADD@apnic.net>
In-Reply-To: <F69C5324-C865-46FB-9B49-940B47F29ADD@apnic.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [129.6.140.100]
x-forefront-prvs: 01480965DA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(51704005)(51914003)(189002)(199002)(13464003)(51444003)(377454003)(33646001)(50986001)(47976001)(74366001)(77096001)(97336001)(74316001)(85852003)(95666003)(56816005)(76576001)(83072002)(49866001)(47446002)(80022001)(87936001)(31966008)(74662001)(74502001)(76786001)(76796001)(97186001)(2656002)(63696002)(94946001)(90146001)(74706001)(87266001)(47736001)(66066001)(4396001)(92566001)(53806001)(65816001)(81342001)(81686001)(46102001)(51856001)(54356001)(80976001)(81816001)(19580395003)(76482001)(19580405001)(81542001)(83322001)(56776001)(69226001)(54316002)(95416001)(93516002)(86362001)(85306002)(59766001)(74876001)(94316002)(79102001)(93136001)(77982001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR09MB008; H:BLUPR09MB053.namprd09.prod.outlook.com; CLIP:129.6.140.100; FPR:9E28DD97.AE029312.32F3EDB7.54E7E958.2047F; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: nist.gov does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/phr2rgzJAR3Hwb8MaNTa5vcZS3Y
Cc: George Michaelson <ggm@apnic.net>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Questions about draft-huston-rpki-validation-01
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Mar 2014 19:07:35 -0000
Geoff,
Thanks for the reply.
Quoting from your responses,
> I think that is a
>consistent extension, but its a matter that should be further considered.
>(with the same caveat that this is an extension to the described approach to
>certificate
>validation, but an extension that I personally am comfortable with)
Yes, that is right. I think we are in sync on my questions (1) and (2),
except that as you've said all this needs further consideration by the WG.
For my question (3), we need to delve deeper. Please see my next email.
Sriram
>-----Original Message-----
>From: Geoff Huston [mailto:gih@apnic.net]
>Sent: Wednesday, March 12, 2014 2:14 AM
>To: Sriram, Kotikalapudi
>Cc: George Michaelson; sidr wg list
>Subject: Re: Questions about draft-huston-rpki-validation-01
>
>Hi Srinam,
>
>Thanks for your questions - let me try and answer them as best I can...
>
>
>> I went through your -01 draft and the SIDR presentation slides from
>> last week once again, and have the following questions:
>>
>> (1) An update with prefix-origin pair {5.0.0.0/24, AS64511} is received.
>> There is a ROA: {5.0.0.0/22, maxLength = 24; AS64511} in the RPKI.
>> However, it is signed using a certificate that is "valid" only for resource
>{5.0.0.0/24}.
>> In this case, is it the intent of your alternate validation model to
>> ascertain that the above ROA is partially valid, and accordingly prefix-origin
>pair {5.0.0.0/24, AS64511} is "Valid"?
>
>If I understand your question, you are painting the picture where:
>
>The ROA says that AS64511 can announce 5.0.0.0/22 or any subset up to a /24
>
>The EE cert that signed it has a resource extension of 5.0.0.0/24 (i.e. the ROA is
>overclaiming)
>
>And the CA that signed it has a resource extension set that encompasses
>5.0.0.0/24
>
>And the CA "above" it has a resources extension that encompasses 5.0.0.0/24
>
>etc to the trust anchor
>
>So if we said "is the UPDATE 5.0.0.0/24 valid" then given that 5.0.0.0/24 is
>contained in the ROA, and the same prefix is contained in all the certs from the
>EE cert to a TA in an otherwise valid validation path, then the answer would be
>YES
>
>Although I note that the draft did NOT explicitly talk about the relationship
>between a ROA and the EE cert that signed it. It only talked about the treatment
>of the resource extensions in the pair-wise comparison of certificates in the
>validation path.
>In your question you've extended that same approach to the relationship
>between the EE cert that signed the ROA and the ROA. I think that is a
>consistent extension, but its a matter that should be further considered.
>
>
>>
>> (2) Let us say, there is a ROA: {1.0.0.0/24, 2.0.0.0/22, 3.0.0.0/20; AS64500} in
>the RPKI.
>> But this ROA is signed using a certificate that is "valid" only for resources
>{1.0.0.0/24, 3.0.0.0/20}
>> that is a subset of the prefixes listed in the ROA.
>> In this case, is it the intent of your alternate validation model to ascertain that
>> the above ROA is partially valid, and accordingly prefix-origin pairs
>> {1.0.0.0/24, AS64500} and {3.0.0.0/20, AS64500} are "Valid"?
>
>
>In this example you are again painting a picture of a ROA that "overclaims" as
>compared to the resources
>listed in the EE certificate that signed it.
>
>Assuming that there are validation paths for 1.0.0.0/24 and 3.0.0.0/24 between
>a TA and the EE cert then yes,
>by the same reasoning as the answer to the previous question I would say that a
>consistent answer
>is that these two updates would be accepted as "valid"
>
>(with the same caveat that this is an extension to the described approach to
>certificate
>validation, but an extension that I personally am comfortable with)
>
>
>
>
>>
>> (3) On slide #18, do you need to require "Certificates 1 through n-1 are also
>"valid"
>> according to this same criterion"? You are not validating them at this point.
>> You are only validating Certificate 'n' for *a given INR*.
>> Is it not enough to require that "the resources in the INR extension of
>> Certificate x must subsume the given INR" for each x (individually); x=1, 2, 3,
>..., n?
>
>
>I was taking the text of RFC3779 that defined the certificate validity (slide 3) and
>was illustrating
>the difference in that text were we to use this approach. I think your formulation
>of the text has the same semantic
>intent as the text on slide 18, but your text highlights the difference from
>RFC3779, while I was
>trying to illustrate what would need to change from the original validation
>definition.
>
>Either that or I have not understood your question! If so, could you explain this a
>bit more?
>
>regards,
>
> Geoff
- [sidr] Questions about draft-huston-rpki-validati… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Tim Bruijnzeels
- Re: [sidr] Questions about draft-huston-rpki-vali… Christopher Morrow
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Christopher Morrow
- Re: [sidr] Questions about draft-huston-rpki-vali… Stephen Kent
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Stephen Kent