IETF Logo Mail Archive

Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-pki-profiles-19: (with DISCUSS and COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 04 January 2017 23:11 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C7F9129426; Wed, 4 Jan 2017 15:11:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.401
X-Spam-Level:
X-Spam-Status: No, score=-7.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WVEDQK6CBdc1; Wed, 4 Jan 2017 15:11:54 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9981F127076; Wed, 4 Jan 2017 15:11:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 798B8BE32; Wed, 4 Jan 2017 23:11:51 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zf1ch_EMTiqV; Wed, 4 Jan 2017 23:11:49 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2B89EBE2F; Wed, 4 Jan 2017 23:11:49 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1483571509; bh=Nvb5ToAvbIUbhAAaX8OX4pc5xNScbKjjoOx4R1q+oPM=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=V6ZCvMiHMOWbFoE/goavIZ8B7TYEBubN4THKCUCxbBVp9ld55Hkn/PJTHm1ITBxit FlDa/EhcabC0Hn1aCvpxOeji5MpubbbgkpTerdlOqKd337LD6/qdePHJlKVgYfnfM4 gafrZl/xuUe98yd7a9h9GWjP+P+vQhhrEvpAb9Qc=
To: Rob Austein <sra@hactrn.net>
References: <148353788046.13042.160471261406266.idtracker@ietfa.amsl.com> <20170104200413.1DFD04581178@minas-ithil.hactrn.net> <99955d9c-4771-dd45-f019-313661631e87@cs.tcd.ie> <20170104221557.73CF84581C4F@minas-ithil.hactrn.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <0811b400-fc2a-8675-7b74-4b549940de65@cs.tcd.ie>
Date: Wed, 04 Jan 2017 23:11:48 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <20170104221557.73CF84581C4F@minas-ithil.hactrn.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms070408020000060603050304"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/ua8uwPaEsdHtxj0Xr26VETXpjMI>
Cc: morrowc@ops-netman.net, sidr-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-sidr-bgpsec-pki-profiles@ietf.org, sidr@ietf.org
Subject: Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-bgpsec-pki-profiles-19: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 23:11:57 -0000

Hiya,

On 04/01/17 22:15, Rob Austein wrote:
> At Wed, 4 Jan 2017 20:57:24 +0000, Stephen Farrell wrote:
>> On 04/01/17 20:04, Rob Austein wrote:
> ...
>>> This draft is a profile of RFC 6487, which is itself a profile of RFC
>>> 5280.  All of the above is pretty much verbatim from RFC 6487.
>>
>> Hmm. I wonder if that's the best plan, especially if there's
>> no interop justification for some of it.
> 
> The theory, such as it is, goes:
> 
> * RPKI is a tightly constrained profile of X.509v3, with almost
>   everything either required or forbidden, to reduce the number of
>   grey areas.
> 
> * The BGPSEC profile is a minimal set of changes and extensions to the
>   RPKI profile: same overall goal, slightly different constraints.
> 
>> I note that 6487 says "In the RPKI, the subject name is determined
>> by the issuer, not proposed by the subject" but that seems a bit
>> weird for routers, where I would guess there'll be more diversity in
>> terms of key/CSR generation code.
> 
> Well, strictly speaking the subject name is always selected by the
> issuer in X.509, but I know what you mean.
> 
> RFC 6487 is weird about this because various parties were extremely
> concerned to avoid anything that could be construed as certification
> of real-world identity, ie, they did not want to find themselves in
> the mainstream PKI business.  So RPKI uses meaningless names and has
> the ability to enforce that, hence the text you note in RFC 6487.

I'd say any concerns that the web PKI CAs might have had ought
now be ameliorated (or OBE, give letsencrypt), so not trodding
on mainstream CA business is probably not as much as concern
as was the case at the start of the RPKI work.

> 
> RFC 6487 6.1.1 does in fact allow the subject to include a subject
> name in the PKCS #10 request, but the text is loaded with weasel
> words.  Speaking as someone who has implemented all of this, I find
> the RFC 6487 constraints on subject name in PKCS #10 requests a bit
> excessive, but that's not the document currently under discussion.

Well, except that this draft does re-iterate some of those now
clearly weird MUSTs.

> 
>> (Correct me if I'm wrong but I'm not sure if it's possible to
>> conform to these requirements with e.g. openssl, or is it?)
> 
> The OpenSSL command line tool would probably fight hard against either
> omitting the subject field from the PKCS #10 request or allowing it to
> be NULL.  The former (field absent) is not even syntactically legal
> X.509.  The latter (present but NULL) is legal but kind of unusual:
> RFC 5280 4.1.2.6 allows it in certificates if a critical, non-empty
> subjectAltName extension is present, RFC 2986 is silent on the subject
> and is only informational in any case.
> 
> I'm pretty sure that the OpenSSL library would allow the
> present-but-NULL form, but haven't tested it (recently? ever? don't
> recall...).
> 
> In practice, I don't think any of the RKI CA implementations reject
> PKCS #10 requests for having a non-NULL subject, they just ignore it.
> 
> All of this is still a problem with RFC 6487, which we should have
> caught five years ago.  Oops.  Not sure what the best approach is when
> trying to sub-profile a profile with a known wart like this.

Fair point.

So assuming there isn't a chorus of WG participants asking to
remove the weird constraints then I'd say the right thing must
be to not re-iterate any weirdness from 6487 but to only inherit
that by reference. That way, if/when we modify 6487, we won't
have to do the same with this, and maybe also hit problems
with these constraints being enforced by code in two places.

I think the only such text I saw (that re-iterates 6487) was
in 3.1.1 but there might I guess be more.

> 
>>>> And I'd wonder if router cert revocation will be more common than
>>>> for other resource certs, in which case an OCSP-like system could be
>>>> needed - did the WG consider that?
>>>
>>> Not as such.  Fair question, but the architecture kind of assumes that
>>> the RPKI RP process is separable from the BGPSEC implementation per
>>> se, BGPSEC just consumes the output of that process.
>>
>> I'd wonder if that means some revocation request protocol will be
>> needed later. But it's fine to not try define that now.
> 
> Fair point.
> 
>> More to the point is whether or not the WG have thought about the
>> revocation support in the RPKI and whether or not that seems also
>> ok for BGPsec. (I'm unsure myself, but mostly due to the number of
>> moving parts in the RPKI.)
> 
> Has been discussed, somewhat noisily.  Ask a SIDR WG chair if you want
> an opinion on WG consensus.  My own take is that router keys probably
> get whacked on roughly the same kind of timescale as other RPKI keys,
> so if the revocation mechanism is good enough for everything else,
> it's probably good enough for router keys.  YMMV.

Fair enough. Again, assuming that there's no chorus wanting
change, I'll clear this point as well.

Cheers,
S.

> 
>>> Most likely implementation technique does all the RPKI stuff per se on
>>> a separate box and just stuffs the resulting raw keys into the router
>>> using the rpki-rtr protocol, so the router itself probably would not
>>> have the information needed to play OCSP even if it wanted to do so,
>>> which it probably doesn't.  
>>
>> So if that's a widely shared view of WG participants then it'd be
>> good to see it described somewhere to help implementers. (It may
>> be in the -overview document which I've yet to read.)
> 
> It's sort of in RFC 6810 (rpki-rtr).  The update to RFC 6810 is
> stalled because I dropped the ball last year.
> 
>>> Requiring the routers to speak OCSP seems
>>> like a potentially dangerous layering violation.
>>
>> Not sure about a layering violation but I can see it'd likely be
>> problematic;-)
> 
> I had front-row tickets to the "let's stuff routing policy data into
> the DNS!" show back in the '90s.  My main take-away from that mess was
> a fear of real-time circular dependencies.
>

v2.23.0 | Report a Bug | By Email