IETF Logo Mail Archive

Re: [sidr] Questions about draft-huston-rpki-validation-01

Stephen Kent <kent@bbn.com> Wed, 21 May 2014 18:06 UTC

Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C28C1A0116 for <sidr@ietfa.amsl.com>; Wed, 21 May 2014 11:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.852
X-Spam-Level:
X-Spam-Status: No, score=-4.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a1WIuX-8bYJ9 for <sidr@ietfa.amsl.com>; Wed, 21 May 2014 11:06:50 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 057CA1A0107 for <sidr@ietf.org>; Wed, 21 May 2014 11:06:49 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:55688) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WnAuo-0003sh-Qu for sidr@ietf.org; Wed, 21 May 2014 14:06:58 -0400
Message-ID: <537CEB37.506@bbn.com>
Date: Wed, 21 May 2014 14:06:47 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: sidr@ietf.org
References: <aa922cfa32d64b01ad85a472faa9356b@BLUPR09MB053.namprd09.prod.outlook.com> <F69C5324-C865-46FB-9B49-940B47F29ADD@apnic.net> <519729f8a8c549ec98496c22fc6025a6@BLUPR09MB053.namprd09.prod.outlook.com> <452C0EF8-8A6C-4E75-B7B3-DDF4FFD87691@apnic.net> <375b352964154d2eab003662a377c688@BLUPR09MB053.namprd09.prod.outlook.com> <88BC9DDD-0F93-4041-A0DD-527DB61CD7D5@apnic.net> <edb249d3311944af920e850d6c65e8b9@BLUPR09MB053.namprd09.prod.outlook.com> <6F99EFB3-6813-4D40-9AEA-B1A8557F06EA@apnic.net> <a7b10fad36e94680a2851d2c8a2bc692@BLUPR09MB053.namprd09.prod.outlook.com> <FB4FB863-1AE0-41DB-97B1-FB022150D29E@ripe.net> <CAL9jLaY3-dy7vA2=bd3dNGM8cL0jqzSZZgwWtx84H_AxiotXCA@mail.gmail.com> <FF3700A5-A766-49C1-B282-26E10B508929@gmail.com> <CAL9jLaauY6kHa+U=TKjW3rDawVAzNhL4ctvBONgey6inFBuT7A@mail.gmail.com>
In-Reply-To: <CAL9jLaauY6kHa+U=TKjW3rDawVAzNhL4ctvBONgey6inFBuT7A@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/qNoReBFDQ1BzgwhelsvJgWFSzYI
Subject: Re: [sidr] Questions about draft-huston-rpki-validation-01
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 May 2014 18:06:54 -0000

Folks,

I realize I am very late in commenting on this doc, but I was on 
vacation for
a month, and upon return I am working through 2300+ new messages, so ...

I have three concerns with the document:

1- the doc presumes that the solution to the principle problem cited is 
to change
the validation alg. That may be the right outcome, but I think it might 
be more
appropriate to focus on the primary, cited concern, i.e., that a error 
in the
3779 extension(s) of cert for a CA with many children might cause 
problems for many of the
children. Geoff specifically raised this issue for RIRs, and because 
they are acting
as TAs, they have the ability to issue a new self-signed cert that 
adversely impacts
many of their children. NIRs and very large ISPs don't acts as TAs, so 
errors by them
affect certs issued by them to individual children.

One could begin by describing what we believe to be best practices for 
RPKI CAs
with regard to 3779 extension checks. For example, for a CA that is also 
a TA,
it makes sense to run RP validation for every cert issued by the CA 
prior to
publishing a new self-signed cert. That simple process would detect any 
child certs
that would be rendered invalid by an error if the sort cited by Geoff. 
This RP check
can be automated trivially, since the CA/TA has direct access to all of 
the currently-
valid certs that it has issued.

For a CA that is not a TA, the impact of a 3779 change is limited to the 
subtree for
the affected cert. Here too, it makes sense for the CA to run an RP 
check whenever
it is reducing the scope of the 3779 extensions. So, the automated check 
to run here
would entail two parts: first see if a cert that is being re-issued 
represents a reduction
in scope for the 3779 extension(s); second, fetch the certs issued by 
the CA whose cert
is being reissued, and see if any of them will be invalidated by the 
change.

If those with experience operating RPKI CAs have other suggestions for 
good practice wrt
avoiding the problem Geoff cited, they too should be part of a doc 
addressing this issue.
(I'd also like to verify that the RIRs are, or are not, performing the 
first set of checks
today, for their ss-certs.)

Geoff has argued that other benefits accrue from relaxing the 3779 part 
of the path
validation procedure. There is not agreement on his other examples. For 
example, we
have an I-D describing how to automate more of the resource transfer 
process (draft-barnes-sidr-tao-00). The mechanism described there would 
benefit a little from a relaxed
3779 validation check, but only in very limited circumstances. So, that 
use case does
not seem especially compelling.

2- A separate concern is that the candidate doc contains two separable 
cases: one relaxes
path validation by not mandating that every subordinate cert contain 
only a subset
of the resources in the parent cert. The other case introduces the 
notion of a join
into the RPKI tree structure. This latter case was extensively 
criticized during the
SIDR WG meeting, by a number of folks. I suggest that case not be part 
of a new WG
doc at this time.

3- My final concern/observation, is that the text in the doc that 
describes how to
relax the 3779 aspects of path validation is not, as stated, viable. 
Specifically,
it appears to assume that path validation is performed only for EE 
certs. In the RPKI,
we effect path discovery top down, based on our model for discovering 
CAs and
their children. (In PKIs in general, path discovery may be top down or 
bottom up, or
both toward the middle, but the RPKI is not a generic PKI.) Because of 
the top-
down approach, it makes sense for RP software to validate each newly 
discovered
CA. This is not only an efficiency issue, but also an anti-DOS feature. 
Thus the
description of how to modify the current 3779 path validation alg is not 
adequate.
I believe it can be fixed, and I have indicated how it might be fixed in 
(private)
message excahnges with Geoff. Thus this concern is not a reason to 
reject work on this
topic, but it does suggest that a viable algorithmic description might 
be a prerequisite
for adopting a version of this doc.

Steve

v2.23.0 | Report a Bug | By Email