[Sidrops] Potential manifest replay vector & solution (Was: New Version Notification for draft-ietf-sidrops-manifest-numbers-01.txt)

Job Snijders <job@fastly.com> Mon, 10 June 2024 21:56 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33294C169416 for <sidrops@ietfa.amsl.com>; Mon, 10 Jun 2024 14:56:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aTjzhECk9Z8n for <sidrops@ietfa.amsl.com>; Mon, 10 Jun 2024 14:56:06 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36536C1E7231 for <sidrops@ietf.org>; Mon, 10 Jun 2024 14:56:06 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id a640c23a62f3a-a6f13dddf7eso229966566b.0 for <sidrops@ietf.org>; Mon, 10 Jun 2024 14:56:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1718056563; x=1718661363; darn=ietf.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=qPUcPHDetKwrUmtDx52j1TdNPHwx8pgHa1zFYF/pxZc=; b=vVTj2Qq2d3+2dNbZ+OqttfJRahXCJUGWiWP4iDJ81Qr9YMXHu3oWD88AyvVBshb846 GHSssfChv6cfsSDUoS2Spw6k22xAXU5/rQ2er5g4fCYJpnpzuSd47gXuMhXFTksfUTB3 K8fNxpLHSfNR42vudfOiZNEH7vue0wvwIpL4w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718056563; x=1718661363; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=qPUcPHDetKwrUmtDx52j1TdNPHwx8pgHa1zFYF/pxZc=; b=aLJyNvqpPCcyaXz91wFpy+iz5dZZPQ2IkbZBPHd8BkBDp9Yl8jr7pTqQS8XhoNIkGr /VIbvAS0yE6OJOqwyPeZizXsNjvSjySX/FeN/3uVUNz639mxBlTxM0kItVCcpv4MI8Ag FVD4YBEjpTrCUYrqykYxgIqyUN0uXb4hKGuNx5hrtk8gpKkMoiyvmk+Mn15hWLIho0eM EuRTgyYqkTzFDS1zFj87/d3gfR3ElMuSeYqLEywgkka/C8g3KxZ441aboVbKFsioypmf oWwEpjOVbq15T4ExgxQdiks1X9DSQ/p9/nwiAWmdw8epcBo+3ZxB4g/5DV2WFdGEKGOs Y2gQ==
X-Gm-Message-State: AOJu0Yw+ZYY2KlxYbnRGfL2EzQbmITSUub3f05UNYjX99p+HFy3HCXro qPiiC9LzA58vJtda/UeuBluJcRHhpK9zK+4fmMb6K30MM2U79T2T/j8z9MTBm79DrBpYmLidvZE Cs858vU5oJJTcGixJ3LY6ECjY3kRr9aHQ1iGEGgIV7pEp+xWi4kEzZHNMtcHqHaTPRKj5tCt09Z vvXIE8Bwf2hYcUuo4C59IQhvHn
X-Google-Smtp-Source: AGHT+IEqLcEP67guH02MiD5uN8DoOBNv+QqM+7Btok2HtMMCz0jziA6U5Kne+g4KalpzFkY/t1KaFg==
X-Received: by 2002:a17:907:869e:b0:a6f:1275:1616 with SMTP id a640c23a62f3a-a6f127516b1mr405007266b.49.1718056563080; Mon, 10 Jun 2024 14:56:03 -0700 (PDT)
Received: from snel ([2a10:3781:276:0:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a6c806eb636sm681569066b.103.2024.06.10.14.56.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Jun 2024 14:56:02 -0700 (PDT)
Date: Mon, 10 Jun 2024 23:56:01 +0200
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <Zmd2cSdsPBEOaFqs@snel>
References: <171805542735.38566.3569110267221822049@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <171805542735.38566.3569110267221822049@ietfa.amsl.com>
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID-Hash: CXNC6C32KP4HXOLNN7NCT4ERIKFX32XK
X-Message-ID-Hash: CXNC6C32KP4HXOLNN7NCT4ERIKFX32XK
X-MailFrom: job@fastly.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Potential manifest replay vector & solution (Was: New Version Notification for draft-ietf-sidrops-manifest-numbers-01.txt)
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/8IN6lV66bKawVmqp_T9MGVM-b54>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>

Dear fellow RP developers,

I'd like to draw attention to a specific paragraph in the
draft-ietf-sidrops-manifest-numbers-01 draft:

   213     To avoid certain forms of replay attack, the RP MUST verify that the
   214     URI in the accessLocation in one of the id-ad-signedObject
   215     accessMethods in the manifest's Subject Information Access (SIA)
   216     extension exactly matches the URI presented in the RPKI Repository
   217     Delta Protocol (RRDP) [RFC8182] "publish" element or the path
   218     presented by remote rsync servers.

The above was implemented in rpki-client as following, note the commit message:
https://github.com/openbsd/src/commit/024ae3e4d09de1e53e9c73c8b57fadd486087db6

Background: technically, multiple different CAs could use the same
keypair in multiple places in the RPKI. The RPKI also doesn't have
'proof of possession': for example, one can use openssl '-force_pubkey'
and '-set_subject' to sign over an arbitrary public key and then copy
that CA's yesterday's manifest & products back into the system.

I can envision various convoluted approaches to 'gracefully' merge
information and complicate the certification path validation algorithm -
but ... let's not.

To me it seems the simplest solution is for RPs to just check whether
'unsigned' meta data (the URL) information provided by the publication
point aligns with the signed data inside the Manifest object itself,
it's signedObject location. This way replay attempts will fail.

All existing deployed CAs appear to precisely and correctly align
signedObject with how things are made to appear via rsync and RRDP. This
new RP requirement does not break backwards compatibility for anyone.

Reach out to me onlist or offlist if you need help wrapping your head
around this one!

Kind regards,

Job

On Mon, Jun 10, 2024 at 02:37:07PM -0700, internet-drafts@ietf.org wrote:
> A new version of Internet-Draft draft-ietf-sidrops-manifest-numbers-01.txt has
> been successfully submitted by Tom Harrison and posted to the
> IETF repository.
> 
> Name:     draft-ietf-sidrops-manifest-numbers
> Revision: 01
> Title:    RPKI Manifest Number Handling
> Date:     2024-06-10
> Group:    sidrops
> Pages:    12
> URL:      https://www.ietf.org/archive/id/draft-ietf-sidrops-manifest-numbers-01.txt
> Status:   https://datatracker.ietf.org/doc/draft-ietf-sidrops-manifest-numbers/
> HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers
> Diff:     https://author-tools.ietf.org/iddiff?url2=draft-ietf-sidrops-manifest-numbers-01
> 
> Abstract:
> 
>    The Resource Public Key Infrastructure (RPKI) makes use of signed
>    objects called manifests.  A manifest lists each file that a
>    publisher intends to include within an RPKI repository, and can be
>    used to detect certain forms of attack against a repository.
>    Manifests include a "manifest number" (manifestNumber), which the
>    publisher must increment whenever it issues a new manifest, and
>    Relying Parties (RPs) are required to verify that a newly-retrieved
>    manifest for a given Certification Authority (CA) has a higher
>    manifestNumber than the previously-validated manifest.  However, the
>    manifestNumber field is 20 octets in length (i.e. not unbounded), and
>    no behaviour is specified for when a manifestNumber reaches the
>    largest possible value.  This document specifies publisher and RP
>    behaviour for this scenario.
> 
> 
> 
> The IETF Secretariat
> 
>