[Sidrops] Potential manifest replay vector & solution (Was: New Version Notification for draft-ietf-sidrops-manifest-numbers-01.txt)
Job Snijders <job@fastly.com> Mon, 10 June 2024 21:56 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33294C169416 for <sidrops@ietfa.amsl.com>; Mon, 10 Jun 2024 14:56:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aTjzhECk9Z8n for <sidrops@ietfa.amsl.com>; Mon, 10 Jun 2024 14:56:06 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36536C1E7231 for <sidrops@ietf.org>; Mon, 10 Jun 2024 14:56:06 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id a640c23a62f3a-a6f13dddf7eso229966566b.0 for <sidrops@ietf.org>; Mon, 10 Jun 2024 14:56:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1718056563; x=1718661363; darn=ietf.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=qPUcPHDetKwrUmtDx52j1TdNPHwx8pgHa1zFYF/pxZc=; b=vVTj2Qq2d3+2dNbZ+OqttfJRahXCJUGWiWP4iDJ81Qr9YMXHu3oWD88AyvVBshb846 GHSssfChv6cfsSDUoS2Spw6k22xAXU5/rQ2er5g4fCYJpnpzuSd47gXuMhXFTksfUTB3 K8fNxpLHSfNR42vudfOiZNEH7vue0wvwIpL4w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718056563; x=1718661363; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=qPUcPHDetKwrUmtDx52j1TdNPHwx8pgHa1zFYF/pxZc=; b=aLJyNvqpPCcyaXz91wFpy+iz5dZZPQ2IkbZBPHd8BkBDp9Yl8jr7pTqQS8XhoNIkGr /VIbvAS0yE6OJOqwyPeZizXsNjvSjySX/FeN/3uVUNz639mxBlTxM0kItVCcpv4MI8Ag FVD4YBEjpTrCUYrqykYxgIqyUN0uXb4hKGuNx5hrtk8gpKkMoiyvmk+Mn15hWLIho0eM EuRTgyYqkTzFDS1zFj87/d3gfR3ElMuSeYqLEywgkka/C8g3KxZ441aboVbKFsioypmf oWwEpjOVbq15T4ExgxQdiks1X9DSQ/p9/nwiAWmdw8epcBo+3ZxB4g/5DV2WFdGEKGOs Y2gQ==
X-Gm-Message-State: AOJu0Yw+ZYY2KlxYbnRGfL2EzQbmITSUub3f05UNYjX99p+HFy3HCXro qPiiC9LzA58vJtda/UeuBluJcRHhpK9zK+4fmMb6K30MM2U79T2T/j8z9MTBm79DrBpYmLidvZE Cs858vU5oJJTcGixJ3LY6ECjY3kRr9aHQ1iGEGgIV7pEp+xWi4kEzZHNMtcHqHaTPRKj5tCt09Z vvXIE8Bwf2hYcUuo4C59IQhvHn
X-Google-Smtp-Source: AGHT+IEqLcEP67guH02MiD5uN8DoOBNv+QqM+7Btok2HtMMCz0jziA6U5Kne+g4KalpzFkY/t1KaFg==
X-Received: by 2002:a17:907:869e:b0:a6f:1275:1616 with SMTP id a640c23a62f3a-a6f127516b1mr405007266b.49.1718056563080; Mon, 10 Jun 2024 14:56:03 -0700 (PDT)
Received: from snel ([2a10:3781:276:0:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a6c806eb636sm681569066b.103.2024.06.10.14.56.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Jun 2024 14:56:02 -0700 (PDT)
Date: Mon, 10 Jun 2024 23:56:01 +0200
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <Zmd2cSdsPBEOaFqs@snel>
References: <171805542735.38566.3569110267221822049@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <171805542735.38566.3569110267221822049@ietfa.amsl.com>
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID-Hash: CXNC6C32KP4HXOLNN7NCT4ERIKFX32XK
X-Message-ID-Hash: CXNC6C32KP4HXOLNN7NCT4ERIKFX32XK
X-MailFrom: job@fastly.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Potential manifest replay vector & solution (Was: New Version Notification for draft-ietf-sidrops-manifest-numbers-01.txt)
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/8IN6lV66bKawVmqp_T9MGVM-b54>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>
Dear fellow RP developers, I'd like to draw attention to a specific paragraph in the draft-ietf-sidrops-manifest-numbers-01 draft: 213 To avoid certain forms of replay attack, the RP MUST verify that the 214 URI in the accessLocation in one of the id-ad-signedObject 215 accessMethods in the manifest's Subject Information Access (SIA) 216 extension exactly matches the URI presented in the RPKI Repository 217 Delta Protocol (RRDP) [RFC8182] "publish" element or the path 218 presented by remote rsync servers. The above was implemented in rpki-client as following, note the commit message: https://github.com/openbsd/src/commit/024ae3e4d09de1e53e9c73c8b57fadd486087db6 Background: technically, multiple different CAs could use the same keypair in multiple places in the RPKI. The RPKI also doesn't have 'proof of possession': for example, one can use openssl '-force_pubkey' and '-set_subject' to sign over an arbitrary public key and then copy that CA's yesterday's manifest & products back into the system. I can envision various convoluted approaches to 'gracefully' merge information and complicate the certification path validation algorithm - but ... let's not. To me it seems the simplest solution is for RPs to just check whether 'unsigned' meta data (the URL) information provided by the publication point aligns with the signed data inside the Manifest object itself, it's signedObject location. This way replay attempts will fail. All existing deployed CAs appear to precisely and correctly align signedObject with how things are made to appear via rsync and RRDP. This new RP requirement does not break backwards compatibility for anyone. Reach out to me onlist or offlist if you need help wrapping your head around this one! Kind regards, Job On Mon, Jun 10, 2024 at 02:37:07PM -0700, internet-drafts@ietf.org wrote: > A new version of Internet-Draft draft-ietf-sidrops-manifest-numbers-01.txt has > been successfully submitted by Tom Harrison and posted to the > IETF repository. > > Name: draft-ietf-sidrops-manifest-numbers > Revision: 01 > Title: RPKI Manifest Number Handling > Date: 2024-06-10 > Group: sidrops > Pages: 12 > URL: https://www.ietf.org/archive/id/draft-ietf-sidrops-manifest-numbers-01.txt > Status: https://datatracker.ietf.org/doc/draft-ietf-sidrops-manifest-numbers/ > HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers > Diff: https://author-tools.ietf.org/iddiff?url2=draft-ietf-sidrops-manifest-numbers-01 > > Abstract: > > The Resource Public Key Infrastructure (RPKI) makes use of signed > objects called manifests. A manifest lists each file that a > publisher intends to include within an RPKI repository, and can be > used to detect certain forms of attack against a repository. > Manifests include a "manifest number" (manifestNumber), which the > publisher must increment whenever it issues a new manifest, and > Relying Parties (RPs) are required to verify that a newly-retrieved > manifest for a given Certification Authority (CA) has a higher > manifestNumber than the previously-validated manifest. However, the > manifestNumber field is 20 octets in length (i.e. not unbounded), and > no behaviour is specified for when a manifestNumber reaches the > largest possible value. This document specifies publisher and RP > behaviour for this scenario. > > > > The IETF Secretariat > >
- [Sidrops] Potential manifest replay vector & solu… Job Snijders