Re: [sidr] New Version Notification for draft-madi-sidr-rp-00.txt

Di Ma <madihello@icloud.com> Sun, 16 July 2017 21:43 UTC

Return-Path: <madihello@icloud.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C192126CB6; Sun, 16 Jul 2017 14:43:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.721
X-Spam-Level:
X-Spam-Status: No, score=-2.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eRyUKp8EoTVM; Sun, 16 Jul 2017 14:43:13 -0700 (PDT)
Received: from mr25p46im-ztdg02101301.me.com (mr25p46im-ztdg02101301.me.com [17.111.255.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 474AE126BF3; Sun, 16 Jul 2017 14:43:13 -0700 (PDT)
Received: from process-dkim-sign-daemon.mr25p46im-ztdg02101301.me.com by mr25p46im-ztdg02101301.me.com (Oracle Communications Messaging Server 7.0.5.38.0 64bit (built Feb 26 2016)) id <0OT700100DLF3L00@mr25p46im-ztdg02101301.me.com>; Sun, 16 Jul 2017 21:43:13 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=04042017; t=1500241392; bh=MW5C8bUbbqtY5VWNqSQ6Bj2Tqyewpt9sg6PY1Zpbvtk=; h=Content-type:MIME-version:Subject:From:Date:Message-id:To; b=Sp4vtrfRLagvG6/r4meoh53DpNUhxuHXVM+H7/BHv4EmF+GlzqIXJtflsDDzVvl3y PBfgayMXGGXvoRXQboOk7lLTatw3ElOWQ7BA45lGOgqMZCVuNkqcbucVBS34rIlt6a d3ZSuFqEZUWtD4Er1sQVS4ai5+4n7yPxx+0Ran5qrNqXK0fG2VfQF8xW+9gI0smhCj dbFjgUqkG5deo94VEUG6CWUwuuo+Oca4B7jD/Q4hwHe/qqKHtqXWLoQQqAnl5eNqin T+A5gXN/EpeGIpwbqqDMdyMaKt3tlUKlhS71x6CT3lRSsJYJNBR3LZyfH/zjhTqlSv MygaS+ETbAy7g==
Received: from icloud.com ([127.0.0.1]) by mr25p46im-ztdg02101301.me.com (Oracle Communications Messaging Server 7.0.5.38.0 64bit (built Feb 26 2016)) with ESMTPSA id <0OT700O59DNVGY20@mr25p46im-ztdg02101301.me.com>; Sun, 16 Jul 2017 21:43:12 +0000 (GMT)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-07-16_16:,, signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 clxscore=1034 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1701120000 definitions=main-1707160365
Content-type: text/plain; charset=gb2312
MIME-version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Di Ma <madihello@icloud.com>
In-reply-to: <F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net>
Date: Sun, 16 Jul 2017 23:43:06 +0200
Cc: IETF SIDR <sidr@ietf.org>, sidrops@ietf.org, kent@alum.mit.edu, Declan Ma <declan.ma@qq.com>
Content-transfer-encoding: quoted-printable
Message-id: <D96830FA-D423-4831-9FA8-55753C964639@icloud.com>
References: <20160412100344.32250.28492.idtracker@ietfa.amsl.com> <E3DE4ED0-1BAE-48EE-849B-E0E0813CE411@icloud.com> <F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net>
To: Oleg Muravskiy <oleg@ripe.net>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/w4kMQpDRX6qSafmLGN2hvAHYsc8>
Subject: Re: [sidr] New Version Notification for draft-madi-sidr-rp-00.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Jul 2017 21:43:15 -0000

Oleg,

Thanks very much for your comments.

See my responses in lines. 

> 在 2016年7月13日,17:05,Oleg Muravskiy <oleg@ripe.net> 写道:
> 
> Hi Di,
> 
>> On 27 Apr 2016, at 03:46, Declan Ma <madihello@icloud.com> wrote:
>> 
>> Hi, folks,
>> 
>> Steve Kent and I have generated this document to try to consolidate RP requirements in one document, with pointers to all the relevant RFCs. 
> 
> I read the document, and I appreciate you putting it together, but I can't say I support this effort.
> 
> As you state in Section 1:
> 
>   The follow sections present requirements imposed on RPs as defined in
>   the following RFCs:
> 
>   RFC 6480 (RPKI Architecture)
>   RFC 6481 (Repository Structure)
>   RFC 6482 (ROA format)
>   RFC 6485 (Algorithms)
>   RFC 6486 (Manifests)
>   RFC 6487 (Certificate and CRL profile)
>   RFC 6488 (RPKI Signed Objects)
>   RFC 6489 (Key Rollover)
>   RFC 6810 (RPKI to Router Protocol)
>   RFC 6916 (Algorithm Agility)
>   RFC 7730 (Trust Anchor Locator)
>   RFC XXXX (Router Certificates)
> 
>   This document will be update to reflect new or changed requirements
>   as these RFCs are updated, or new RFCs are written.
> 
> I agree that there are many documents that one has to consult on order to make or verify an implementation of RPKI validation, but this document will *add* to that number!
> 
> Once this document is out, someone will have to keep it up to date (and not conflicting) with all those other documents. This could create more problems than it could solve.
> 
> My following comments basically show why it is difficult to keep this document in a state that would not create more problems.

I understand your concerns but I do think this document deserves our efforts. 

It’s not in state of art at present yet I hope it would be adopted to move along with help from the WG. 

> 
> 
>> As I mentioned in IETF 95 meeting, there is no standards language (e.g., MUST, SHOULD, MAY, ...) in this doc, as it is just POINTING to the docs that have the real requirements. 
> 
> Well, actually there is normative language:
> 
>   3.3.  CRL Processing
> 
>   The CRL processing requirements imposed on CAs and RP are described
>   in [RFC6487].  CRLs in the RPKI are tightly constrained; only the
>   AuthorityKeyIndetifier and CRLNumber extensions are allowed, and they
>   MUST be present.  No other CRL extensions are allowed, and no
>  ^^^^^^
>   CRLEntry extensions are permitted.  RPs are required to verify that
>   these constraints have been met.  Each CRL in the RPI MUST be
>                                                        ^^^^^^
>   verified using the public key from the certificate of the CA that
>   issued the CRL.
> 
> And there are several other places where the normative language is not used, but implied.

Thanks for catching the typos. 

We will change ‘MUST’ into ‘must’.

As for the implication stuff, the text is just paraphrasing the requirements from RFCs which I don’t think is sort of inappropriate. 


> 
> 
>> This doc outlines the RP functions, summarizes them and then gives reference to those precise sections or paragraphs, in order to make life easier for implementers to make sure he/she has addressed all of these requirements.
> 
> I have two comments for this paragraph.
> 
> First, it might seem appealing to create a document that will give a "reference to those precise sections or paragraphs", so that the implementer could skip reading those long RFCs in full.  But I do not think it is possible or advisable. Even in your draft you say:
> 
>   An RP is required
>   to verify that a resource certificate adheres to the profile
>   established by [RFC6487].  This means that all extensions mandated by
>   [RFC6487] must be present and value of each extension must be within
>   the range specified by this RFC.  Moreover, any extension excluded by
>   [RFC6487] must be omitted.
> 
> or
> 
>   To determine whether a manifest is valid, the RP is required to
>   perform manifest-specific checks in addition to those specified in
>   [RFC6488].
> 
> So very often it is more practical to refer to the whole RFCs, because an implementer has to implement all of it, not just specific paragraphs.
> 

We are not suggesting that implementers skip reading those RFCs in full.

This draft is born to be a guide to help implementers get the essentials of RP functionalities scattered in different RFCs. Anyone who wants to comprehend RPKI cannot be exempted from reading all the RPKI RFCs, let alone the implementers.

One might see the RP requirements document as a“Manifest” for all necessary RP functions. 

> 
> Second, what if, for whatever reason, this document will not list *all* of the requirements?  Will it be OK for the implementer to say "I did everything specified there", or will (s)he be required to double-check with other RFCs you refer to?  Or even with those you do not refer to?
> 
> I’m not sure how to define the applicability of such document.

This is document is intended to be Informational, which is going to help implementers to find what they want. The tricky part is the your concerns are of different granularity!

This document tell readers an RP system is supposed to contain these categories:

--Fetching and Caching RPKI Repository Objects

-- Processing Certificate and CRL

--Processing RPKI Repository Signed Objects

--Delivering Validated Cache Data to BGP Speakers

But for whether an implementer did everything specified “there”, they should double check “there” which is specific paragraph in the referenced RFCs. 


Once again, we are not suggesting that implementers skip reading those RFCs in full.

IF they want to do double-check, they are encouraged to know the breakdown of every categories in terms RP requirements. 

> 
> 
>> Any comments and feedbacks are appreciated.
> 
> Here are my comments for some specific sections:
> 
>   3.1.  Verifying Resource Certificate and Syntax
> 
>   Certificates in the RPKI are called resource certificates, and they
>   are required to conform to the profile [RFC6487].  An RP is required
>   to verify that a resource certificate adheres to the profile
>   established by [RFC6487].  This means that all extensions mandated by
>   [RFC6487] must be present and value of each extension must be within
>   the range specified by this RFC.  Moreover, any extension excluded by
>   [RFC6487] must be omitted.
> 
> I think you should not repeat the text of other RFCs, otherwise you risk of being incomplete or going out of sync with referenced RFC.

Good suggestion. 

We authors will see how to address issues.

And I would appreciate your help. 


> 
> 
>   3.2.  Certificate Path Validation
> 
>   In the RPKI, issuer can only assign and/or allocate public INRs
>   belong to it, ...
> 
> I don’t think assignment or allocation of INR happens in RPKI.

Agreed.

It should have been expressed like:  In the RPKI, issuer can only authorize the custodianship of public INR belonging to it, …

> 
> 
>   3.3.  CRL Processing
> 
>   The CRL processing requirements imposed on CAs and RP are described
>   in [RFC6487].  CRLs in the RPKI are tightly constrained; only the
>   AuthorityKeyIndetifier and CRLNumber extensions are allowed, and they
>   MUST be present.  No other CRL extensions are allowed, and no
>   CRLEntry extensions are permitted.  RPs are required to verify that
>   these constraints have been met.  Each CRL in the RPI MUST be
>   verified using the public key from the certificate of the CA that
>   issued the CRL.
> 
> 
> Apart from using normative language mentioned above, you seem to repeat the text of other RFC.
> Is it the only bit of RFC6487 that is applicable to CRL processing in RPKI validation?
> Aren’t any CRL validation (not only in RPKI) requires that CRL must be verified using the public key of it's issuer?

We will be considering adding text in terms of generalized CRL specification.


> 
> 
>   4.2.1.  Manifest
> 
>   To determine whether a manifest is valid, the RP is required to
>   perform manifest-specific checks in addition to those specified in
>   [RFC6488].
> 
>   Specific checks for a Manifest are described in section 4 of
>   [RFC6486].  If any of these checks fails, indicating that the
>   manifest is invalid, then the manifest will be discarded and treated
>   as though no manifest were present.
> 
> This description is quite incomplete. Perhaps you should merge the content of section "4.3.  How to Make Use of Manifest Data” in here, but even there I do not see a reference to section 6 (Relying Party Use of Manifests) of RFC6486, which is quite a big omission.

Manifest has been a tricky part. 

Manifest processing has proven to be significantly more complicated that initially anticipated. 

I hope SIDROPS WG to take the chance to give an operational advice along with this draft. 

> 
> 
>   4.2.2.  ROA
> 
>   To validate a ROA, the RP is required perform all the checks
>   specified in [RFC6488] as well as the additional ROA-specific
>   validation steps.  The IP address delegation extension [RFC3779]
>   present in the end-entity (EE) certificate (contained within the
>   ROA), must encompass each of the IP address prefix(es) in the ROA.
>   More details for ROA validation are specified in section 2 of
>   [RFC6482].
> 
> The second sentence is almost a 1-to-1 copy of Section 4 of 6482. What’s the point of copying it instead of referencing?


For smooth reading, in some cases, the text of this draft paraphrases the requirements, and in other cases it may merely restate them.

> 
> Section 2 of RFC6482 defines the ROA content-type, not the validation.
> 
> 
>   4.2.3.  Ghostbusters
> 
>   The Ghostbusters Record is optional; a publication point in the RPKI
>   can have zero or more associated Ghostbuster Records.  
> 
> This is true for all objects except manifest and CRL.
> 
>   If a CA has at
>   least one Ghostbuster Record, RP is required to verify that this
>   Ghostbusters Record conforms to the syntax of signed object defined
>   in [RFC6488].
> 
> And this is also true for any signed object.
> 
>   The payload of this signed object is a (severely) profiled vCard.  An
>   RP is required to verify that the payload of Ghostbusters conforms to
>   format as profiled in [RFC6493].
> 
> I'm mentioning it here, but it applies to many places in this document: the validation section of RFC6493 already references RFC6488. So why duplicate it here?
> 

They are not duplicate.

RFC6488 is for generalized validity check in terms of syntax yet RFC6493 is for syntax check especial for Ghostbusters. 


> 
>   4.3.  How to Make Use of Manifest Data
> 
>   For a given publication point, the RP ought to perform tests to
>   determine the state of the Manifest at the publication point.  A
>   Manifest can be classified as either valid or invalid, and a valid
>   Manifest is either current and stale.  An RP decides how to make use
>   of a Manifest based on its state, according to local (RP) policy.
> 
>   If there are valid objects in a publication point that are not
>   present on a Manifest, [RFC6486] does not mandate specific RP
>   behavior with respect to such objects.  However, most RP software
>   ignores such objects and this document recommends that this behavior
>   be adopted uniformly.
> 
> Instead of “recommending" it in this document, maybe we should review and change 6486?
> 
>   In the absence of a Manifest, an RP is expected to accept all valid
>   signed objects present in the publication point.  
> 
> Actually, 6486 says that all such objects "SHOULD be viewed as suspect, but MAY be used by the RP, as per local policy", which has subtle difference.
> 

As I mentioned above, Manifest has been a tricky part. Manifest processing has proven to be significantly more complicated that initially anticipated. 

We might as well considering to update RFC 6486. 


> 
> 
> I think this confirms that keeping such document up to date and consistent with other documents is not an easy task, and having this document will not relieve the implementer from studying deeply all the documents it refers.


As far I responded to you above, I think this document is worth efforts as a WG item though it is not in state of art at present. 

I would appreciate help and contributions from the WG, especially guys in charge of RP software. 


Di