Re: [Sidrops] [WG ADOPTION] draft-yan-sidrops-roa-considerations - 04/16/2021

Job Snijders <job@fastly.com> Tue, 30 March 2021 10:00 UTC

Date: Tue, 30 Mar 2021 12:00:23 +0200
From: Job Snijders <job@fastly.com>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: Chris Morrow <morrowc@ops-netman.net>, SIDROps Chairs <sidrops-chairs@ietf.org>, sidrops@ietf.org, sidrops-ads@ietf.org
Message-ID: <YGL2twQ2eEsMQHPq@snel>
References: <87lfa94xyj.wl-morrowc@ops-netman.net> <67F48899-3B77-4722-B467-F73D50DF1006@nlnetlabs.nl>
In-Reply-To: <67F48899-3B77-4722-B467-F73D50DF1006@nlnetlabs.nl>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/-3PZ_n1bQFT5-Ck5hQvlHMGY1DY>
Subject: Re: [Sidrops] [WG ADOPTION] draft-yan-sidrops-roa-considerations - 04/16/2021

Hi Tim, working group,

first things first: I support adoption of this draft.

On Mon, Mar 29, 2021 at 04:06:56PM +0200, Tim Bruijnzeels wrote:
> = revocation?
> 
>    A large number of experiments for the process of ROA issuance have
>    been made on our RPKI testbed, it is found that the misconfigurations
>    during the issuance may cause the ROAs which have been issued to be
>    revoked.
> 
> I don't see how the ROAs would be revoked in this context.

Perhaps 'revoked' is the wrong word, maybe 'withdrawn' or 'unpublished'?

I took the third suggestion in 'Section 3' to mean that if the ROA
issuer does not confirm the End-Entity certificate signing the ROA
eContent checks that it is allowed to sign the resources listed in the
eContent, it might end up submitting an invalid object to the
Repository.

The Repository dereferences any previous ROA with the same filename,
performs validation on the newly submitted ROA, concludes it is invalid
(because the resources in the eContent overclaim compared to the
resources listed as subordinate on the EE cert) and ends up publishing a
CA Repository without the intended ROA.

I would suggest:

"""
3) A safeguard scheme is essential to protect the process of ROA
   issuance. Before committing to the issuance of a ROA object, the
   signer software should confirm the ipAddrBlocks in the To-Be-Signed
   eContent are fully contained by the RFC 3779 extensions listed on the
   End-Entity certificate used to generate the signature. 
"""

In other words, a signing pipeline would help the operator by performing
RFC 6482 Section 4 validation *before* constructing the ROA, to prevent
constructing ROAs the Repository operator would consider invalid.

Kind regards,

Job
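
The pre-signing containment check proposed in the message above, sketched as an added example; it is not part of the original e-mail, the draft, or any RPKI signer's code. It assumes the To-Be-Signed ROA prefixes and the EE certificate's RFC 3779 resources are already decoded into strings; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def _merged_ranges(ee_resources):
    """Normalise EE-certificate resources into merged (version, first, last)
    integer ranges. A resource is a prefix string (addressPrefix) or a
    (first, last) pair of address strings (addressRange)."""
    ranges = []
    for res in ee_resources:
        if isinstance(res, tuple):
            first, last = (ipaddress.ip_address(a) for a in res)
            if first.version != last.version or int(first) > int(last):
                raise ValueError(f"bad address range: {res!r}")
        else:
            net = ipaddress.ip_network(res, strict=True)
            first, last = net.network_address, net.broadcast_address
        ranges.append((first.version, int(first), int(last)))
    merged = []
    for ver, lo, hi in sorted(ranges):
        # Overlapping or directly adjacent ranges of one family become one
        # range, so a prefix spanning two adjacent resources still counts.
        if merged and merged[-1][0] == ver and lo <= merged[-1][2] + 1:
            merged[-1] = (ver, merged[-1][1], max(merged[-1][2], hi))
        else:
            merged.append((ver, lo, hi))
    return merged

def uncovered_roa_prefixes(roa_prefixes, ee_resources):
    """Return the ROA prefixes NOT fully contained in the EE resources.
    An empty list means the eContent does not overclaim and may be signed."""
    allowed = _merged_ranges(ee_resources)
    bad = []
    for prefix in roa_prefixes:
        net = ipaddress.ip_network(prefix, strict=True)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if not any(v == net.version and a <= lo and hi <= b
                   for v, a, b in allowed):
            bad.append(prefix)
    return bad

# Constructed sample: resources on the EE certificate ...
SAMPLE_EE = ["192.0.2.0/25", "192.0.2.128/25",
             ("198.51.100.0", "198.51.100.127"), "2001:db8::/32"]
# ... and the prefixes an operator asked to put in the ROA.
SAMPLE_ROA = ["192.0.2.0/24", "198.51.100.0/25", "198.51.100.0/24",
              "2001:db8:1::/48", "203.0.113.0/24"]

if __name__ == "__main__":
    overclaimed = uncovered_roa_prefixes(SAMPLE_ROA, SAMPLE_EE)
    print("refuse to sign, overclaimed:" if overclaimed else "ok to sign",
          overclaimed)
```

A signer would run this gate before constructing the CMS object and refuse to publish when the returned list is non-empty, leaving the previously published ROA in place.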