Re: [sidr] Questions about draft-huston-rpki-validation-01
Stephen Kent <kent@bbn.com> Wed, 21 May 2014 18:06 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C28C1A0116 for <sidr@ietfa.amsl.com>; Wed, 21 May 2014 11:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.852
X-Spam-Level:
X-Spam-Status: No, score=-4.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a1WIuX-8bYJ9 for <sidr@ietfa.amsl.com>; Wed, 21 May 2014 11:06:50 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 057CA1A0107 for <sidr@ietf.org>; Wed, 21 May 2014 11:06:49 -0700 (PDT)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:55688) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WnAuo-0003sh-Qu for sidr@ietf.org; Wed, 21 May 2014 14:06:58 -0400
Message-ID: <537CEB37.506@bbn.com>
Date: Wed, 21 May 2014 14:06:47 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: sidr@ietf.org
References: <aa922cfa32d64b01ad85a472faa9356b@BLUPR09MB053.namprd09.prod.outlook.com> <F69C5324-C865-46FB-9B49-940B47F29ADD@apnic.net> <519729f8a8c549ec98496c22fc6025a6@BLUPR09MB053.namprd09.prod.outlook.com> <452C0EF8-8A6C-4E75-B7B3-DDF4FFD87691@apnic.net> <375b352964154d2eab003662a377c688@BLUPR09MB053.namprd09.prod.outlook.com> <88BC9DDD-0F93-4041-A0DD-527DB61CD7D5@apnic.net> <edb249d3311944af920e850d6c65e8b9@BLUPR09MB053.namprd09.prod.outlook.com> <6F99EFB3-6813-4D40-9AEA-B1A8557F06EA@apnic.net> <a7b10fad36e94680a2851d2c8a2bc692@BLUPR09MB053.namprd09.prod.outlook.com> <FB4FB863-1AE0-41DB-97B1-FB022150D29E@ripe.net> <CAL9jLaY3-dy7vA2=bd3dNGM8cL0jqzSZZgwWtx84H_AxiotXCA@mail.gmail.com> <FF3700A5-A766-49C1-B282-26E10B508929@gmail.com> <CAL9jLaauY6kHa+U=TKjW3rDawVAzNhL4ctvBONgey6inFBuT7A@mail.gmail.com>
In-Reply-To: <CAL9jLaauY6kHa+U=TKjW3rDawVAzNhL4ctvBONgey6inFBuT7A@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/qNoReBFDQ1BzgwhelsvJgWFSzYI
Subject: Re: [sidr] Questions about draft-huston-rpki-validation-01
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 May 2014 18:06:54 -0000
Folks, I realize I am very late in commenting on this doc, but I was on vacation for a month, and upon return I am working through 2300+ new messages, so ... I have three concerns with the document: 1- the doc presumes that the solution to the principle problem cited is to change the validation alg. That may be the right outcome, but I think it might be more appropriate to focus on the primary, cited concern, i.e., that a error in the 3779 extension(s) of cert for a CA with many children might cause problems for many of the children. Geoff specifically raised this issue for RIRs, and because they are acting as TAs, they have the ability to issue a new self-signed cert that adversely impacts many of their children. NIRs and very large ISPs don't acts as TAs, so errors by them affect certs issued by them to individual children. One could begin by describing what we believe to be best practices for RPKI CAs with regard to 3779 extension checks. For example, for a CA that is also a TA, it makes sense to run RP validation for every cert issued by the CA prior to publishing a new self-signed cert. That simple process would detect any child certs that would be rendered invalid by an error if the sort cited by Geoff. This RP check can be automated trivially, since the CA/TA has direct access to all of the currently- valid certs that it has issued. For a CA that is not a TA, the impact of a 3779 change is limited to the subtree for the affected cert. Here too, it makes sense for the CA to run an RP check whenever it is reducing the scope of the 3779 extensions. So, the automated check to run here would entail two parts: first see if a cert that is being re-issued represents a reduction in scope for the 3779 extension(s); second, fetch the certs issued by the CA whose cert is being reissued, and see if any of them will be invalidated by the change. If those with experience operating RPKI CAs have other suggestions for good practice wrt avoiding the problem Geoff cited, they too should be part of a doc addressing this issue. (I'd also like to verify that the RIRs are, or are not, performing the first set of checks today, for their ss-certs.) Geoff has argued that other benefits accrue from relaxing the 3779 part of the path validation procedure. There is not agreement on his other examples. For example, we have an I-D describing how to automate more of the resource transfer process (draft-barnes-sidr-tao-00). The mechanism described there would benefit a little from a relaxed 3779 validation check, but only in very limited circumstances. So, that use case does not seem especially compelling. 2- A separate concern is that the candidate doc contains two separable cases: one relaxes path validation by not mandating that every subordinate cert contain only a subset of the resources in the parent cert. The other case introduces the notion of a join into the RPKI tree structure. This latter case was extensively criticized during the SIDR WG meeting, by a number of folks. I suggest that case not be part of a new WG doc at this time. 3- My final concern/observation, is that the text in the doc that describes how to relax the 3779 aspects of path validation is not, as stated, viable. Specifically, it appears to assume that path validation is performed only for EE certs. In the RPKI, we effect path discovery top down, based on our model for discovering CAs and their children. (In PKIs in general, path discovery may be top down or bottom up, or both toward the middle, but the RPKI is not a generic PKI.) Because of the top- down approach, it makes sense for RP software to validate each newly discovered CA. This is not only an efficiency issue, but also an anti-DOS feature. Thus the description of how to modify the current 3779 path validation alg is not adequate. I believe it can be fixed, and I have indicated how it might be fixed in (private) message excahnges with Geoff. Thus this concern is not a reason to reject work on this topic, but it does suggest that a viable algorithmic description might be a prerequisite for adopting a version of this doc. Steve
- [sidr] Questions about draft-huston-rpki-validati… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Sriram, Kotikalapudi
- Re: [sidr] Questions about draft-huston-rpki-vali… Tim Bruijnzeels
- Re: [sidr] Questions about draft-huston-rpki-vali… Christopher Morrow
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Christopher Morrow
- Re: [sidr] Questions about draft-huston-rpki-vali… Stephen Kent
- Re: [sidr] Questions about draft-huston-rpki-vali… Geoff Huston
- Re: [sidr] Questions about draft-huston-rpki-vali… Stephen Kent