Re: [Sidrops] what to do when the CRL is hosed?
Job Snijders <job@ntt.net> Tue, 24 March 2020 13:58 UTC
Return-Path: <job@instituut.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F32D3A0BDE for <sidrops@ietfa.amsl.com>; Tue, 24 Mar 2020 06:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.111
X-Spam-Level:
X-Spam-Status: No, score=-3.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_MSPIKE_H2=-1.463, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KJDc58nghCth for <sidrops@ietfa.amsl.com>; Tue, 24 Mar 2020 06:58:34 -0700 (PDT)
Received: from mail-wr1-f68.google.com (mail-wr1-f68.google.com [209.85.221.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEC2F3A0BF0 for <sidrops@ietf.org>; Tue, 24 Mar 2020 06:58:33 -0700 (PDT)
Received: by mail-wr1-f68.google.com with SMTP id 65so4861716wrl.1 for <sidrops@ietf.org>; Tue, 24 Mar 2020 06:58:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=2foSOj8dqMAR246F2ElEnHLf4BtdvlzD5GnpFgFCO5M=; b=cfe7sodsUZW6/4JvZ6lM4gt4wGyvpxXjAtGgAxbCB54h09VGlR/7vAaF3QS2l0uRwW ANa6ANAft/ZrmaySDhSfOVNduGdbbQ23vrMQtTyZibKKpsCNtRZ2MmBoRBbiaeusQLWQ EmoP34/AoLX8yV/CyapE+Ewgt4YHrniRUkwFncStcqHa+nVvKO3fi10Po39k3/hbWRF/ K2INLJCxt8cELKbTHLYMKgM4si+fdAYyrTDNRlXJQ2ABmTc0k+W03jaz4JHPH9VavdKN 4etW6CxKjT3lo/PDfBwsXuB9c+AelzJahmnXS8oeKqSaLEN2Iif9SYzGcgi/+CLwq07C fywg==
X-Gm-Message-State: ANhLgQ3xnpviLfHZMOaD/7PDGvVz5/PfjZ2O7Vwcswte9uWI0NlN+kFq +7jv6kybZwas7X9UdKdX2KPuozSnkRc=
X-Google-Smtp-Source: ADFU+vvZS4n984eAQpGx5sDbDt8ErP8Cr3FxRToTWqdP2VmLggu/cYTvdv8hTfFL+VqZoTUVwVsCGw==
X-Received: by 2002:a5d:6a01:: with SMTP id m1mr27701107wru.353.1585058310973; Tue, 24 Mar 2020 06:58:30 -0700 (PDT)
Received: from vurt.meerval.net (vurt.meerval.net. [192.147.168.22]) by smtp.gmail.com with ESMTPSA id f9sm29839203wro.47.2020.03.24.06.58.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Mar 2020 06:58:30 -0700 (PDT)
Received: from localhost (vurt.meerval.net [local]) by vurt.meerval.net (OpenSMTPD) with ESMTPA id c06c980c; Tue, 24 Mar 2020 13:58:29 +0000 (UTC)
Date: Tue, 24 Mar 2020 13:58:28 +0000
From: Job Snijders <job@ntt.net>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: SIDR Operations WG <sidrops@ietf.org>
Message-ID: <20200324135828.GG60268@vurt.meerval.net>
References: <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <253D1ED7-52D8-4A00-9D69-095E61D09C9F@nlnetlabs.nl> <db920115-e188-700f-ceb2-08cd2996046a@verizon.net> <3a683da4-42f9-28c6-f0dd-4d11d3c67857@ripe.net> <4fe26a30-4a08-41a5-be7f-0c5997230d0a@www.fastmail.com> <3B072025-68C5-4E62-9466-5122D483F691@nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3B072025-68C5-4E62-9466-5122D483F691@nlnetlabs.nl>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/6130sMfIPf2GrF0ZrIrWsCWu-_I>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2020 13:58:53 -0000
On Tue, Mar 24, 2020 at 10:42:37AM -0300, Tim Bruijnzeels wrote: > >> As I wrote before, I believe that a single mistake (withheld / > >> unpublished object or even a bit flip) invalidating a whole > >> repository, > > > > Some nuance could be added: it depends on where the error in the > > tree exists. If a top level manifest or CRL is hosted, indeed > > everything underneath it should be tossed. But for instance when a > > manifest 'at 2 levels deep', references a file that doesn't exist, > > you only need to toss that specific manifest (at least). So, yes, > > errors in the repository should result in the repository (or parts > > of it) being considered inadmissible. > > > > RPKI started out on the premise that an unencrypted transport > > (rsync) was acceptable, because everything was signed and > > cryptographically verifiable. Now we are in a situation where the > > transport channel *is* insecure, and the data transmitted across it > > is not properly verified. Validators are *knowingly* proceeding to > > produce VRPs with incomplete, expired, and/or corrupted data. > > With RRDP over HTTPS a lot of in transit / MITM issues are mitigated. I'm not sure I agree - routinator, fort and octorpki are trivially forced to use rsync if the attacker blocks TCP port 443. > The RFC currently still says that invalid certificates should be > accepted though. The thought at the time was that we have object > security and people make too many mistakes configuring HTTPS. With > Letsencrypt I believe this argument no longer holds. Yeah, I recall the discussions ~ a year ago about that section of the RFC. Unfortunately it turns out that we (as RP implementers) appear to lack some checks in the RP software to be able to say we have 'object security'. I also believe that the onus is on the CA operators to correctly configure their HTTPS service. A misconfiguration of HTTP TLS service of the RRDP publication point *should* result in the publication point being dismissed (and perhaps use the local cache for what its worth) > First off I agree with Job that it would be better to disregard > information that is known to be a partial version of the truth. An additional check is needed: if one of the .roa files a manifest references is corrupt (the MITM didn't delete strategically file, but instead filled a .roa file with garbage), the anything referenced in that manifest should be considered invalid. an example, on my MITM box I did 'echo XX > fIeCcC8KpdJQd-olU2APdxNZkyA.roa', so the .roa file exists, but the RP can see there is a mismatch between the hash in the manifest and the hash derive from the fIeCcC8KpdJQd-olU2APdxNZkyA.roa file. If a validator proceeds to output VRPs based on the remaining (parseble) .roa files, you end up with an incomplete set: job@anton ~$ grepcidr 80.128.0.0/11 /var/db/rpki-client/openbgpd 80.128.0.0/12 source-as 3320 80.128.0.0/11 source-as 0 80.128.0.0/11 source-as 3320 80.144.0.0/13 source-as 3320 80.152.0.0/14 source-as 3320 80.156.0.0/16 source-as 3320 80.157.0.0/16 source-as 3320 80.157.8.0/21 source-as 3320 80.157.16.0/20 source-as 3320 80.158.0.0/17 maxlen 24 source-as 34086 80.159.224.0/19 maxlen 24 source-as 2792 In the above eaxmple there should be ~ 19 VRPs in total, fIeCcC8KpdJQd-olU2APdxNZkyA.roa contained 8 VRPs. I suppose we must consider a 'partial withholding attack' equivalent to a 'partially corrupted attack'. In summary: If a manifests references a non-existing file, or if there is a mismatch between the hash listed in the manifest and the hash as derived from the .roa or .crl files, the RP MUST consider the whole manifest invalid and MUST not produce VRPs with the remaining .roa files. Kind regards, Job
- [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Francisco Javier Moreno Arana
- Re: [Sidrops] what to do when the CRL is hosed? Ben Maddison
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Louis Poinsignon
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Nathalie Trenaman
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Rob Austein
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Jay Borkenhagen
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush