Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-09.txt
Tom Harrison <tomh@apnic.net> Thu, 14 April 2022 11:13 UTC
Return-Path: <tomh@apnic.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id F28FB3A076E
for <sidrops@ietfa.amsl.com>; Thu, 14 Apr 2022 04:13:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.11
X-Spam-Level:
X-Spam-Status: No, score=-7.11 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5,
SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=apnic.net
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id wLEpo09OWF3I for <sidrops@ietfa.amsl.com>;
Thu, 14 Apr 2022 04:13:39 -0700 (PDT)
Received: from AUS01-ME3-obe.outbound.protection.outlook.com
(mail-me3aus01on2061b.outbound.protection.outlook.com
[IPv6:2a01:111:f403:7004::61b])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id AB8D43A0764
for <sidrops@ietf.org>; Thu, 14 Apr 2022 04:13:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=n4NKChj1q7/b4x6aWVeC0Z5vj4y3Bj5ctnrueHuVUNPcScTyu23VDe3asvmIHCuDyLBQKurI0dL4kJPylY0P+lFskbTz536IHwrcdlN/PW8fLGP7x5dNevCSj5gPxK71ApQy+RWz1G0t1g5XqHQKI24AQM7uQjs7Lemcspv/7J8tSgKEoPVncc5TR64cuDzeSLEfzvAgtgLx8TEnyTmmoM2XPL99fxact+LY2rUfvinzv4f4nkHQiXi1iCbeuODbRhyo73zok2K60puYA0jfsHO/zwtq2SRQ9j11ktFs/93b3nkAeiTfMuDzE1WRwN6n0VgQ6VtUqMlBBD3ltpZ+Gw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=vV9YuMSgtXCS79stnXABWqI+Xg/cO4H1q5CGmLDapgk=;
b=Nkssg/K8ZDiOPMjc+vZ6TT/xmOEQ2fCVE+Vd63WyhDiLEeycVPyunAL4Oo6h3AN4t9dAR39/FdOy3qR8aG26yduKDiPWaFzd+CTHtZfe2KKJZ/hmJjIc/8aOaJqDucYW+MnXB88VqFSUND6roNSSI8jil+Dv8OR18GEADZ+mPz5EnZ7poWBbPVT6CITFBpQHU3KsD/PHHydd1354AYLb3a3e/4FNhFRq5OWSJZG6b704S8ulq9ZgabqnIfe2+khzW0znTHrdPZL5IajMFozLos/VVN6sgxs1Kz51VvemxvFRKGjtyEiuAuAt/I3nCjvd7dQIpkqyDp6fsNXvjTp1Ow==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=apnic.net; dmarc=pass action=none header.from=apnic.net;
dkim=pass header.d=apnic.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apnic.net; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=vV9YuMSgtXCS79stnXABWqI+Xg/cO4H1q5CGmLDapgk=;
b=TynfDlc8nxGVBvxltr8Q7SpIRSoh/VxWcTE6+LjVZm4w8Uy6lwyKoJGRJ4PuxPeAp1EkASOWIuNp9ZSGfuCRVQPgdLg4PlsPf3nM75eB9GRZzTGbiNGkg6BjVQmgnIP5F/4WAJ8D0tlvCEOS4UPlqrHLeTGmJYfRzFk9igQOcYI=
Authentication-Results: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=apnic.net;
Received: from SYBP282MB0553.AUSP282.PROD.OUTLOOK.COM (2603:10c6:10:68::12) by
ME3P282MB3902.AUSP282.PROD.OUTLOOK.COM (2603:10c6:220:1b6::6) with
Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.5164.20; Thu, 14 Apr 2022 11:13:30 +0000
Received: from SYBP282MB0553.AUSP282.PROD.OUTLOOK.COM
([fe80::7dc8:857d:4206:5ec1]) by SYBP282MB0553.AUSP282.PROD.OUTLOOK.COM
([fe80::7dc8:857d:4206:5ec1%5]) with mapi id 15.20.5164.020; Thu, 14 Apr 2022
11:13:30 +0000
Date: Thu, 14 Apr 2022 21:13:28 +1000
From: Tom Harrison <tomh@apnic.net>
To: sidrops@ietf.org
Message-ID: <YlgB2LB5rmaQq64T@TomH-802418>
Mail-Followup-To: sidrops@ietf.org
References: <164661854534.9143.14008577014418310525@ietfa.amsl.com>
Content-Type: multipart/mixed; boundary="NorFhMryEzOVeM8m"
Content-Disposition: inline
In-Reply-To: <164661854534.9143.14008577014418310525@ietfa.amsl.com>
X-ClientProxiedBy: SY4P282CA0003.AUSP282.PROD.OUTLOOK.COM
(2603:10c6:10:a0::13) To SYBP282MB0553.AUSP282.PROD.OUTLOOK.COM
(2603:10c6:10:68::12)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 05bfad19-1756-40b0-425d-08da1e07ce5b
X-MS-TrafficTypeDiagnostic: ME3P282MB3902:EE_
X-Microsoft-Antispam-PRVS: <ME3P282MB3902175F274FA1521E95A3D4C0EF9@ME3P282MB3902.AUSP282.PROD.OUTLOOK.COM>
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: fOUjU04v1RKqW2B3LNSzWn297syiFY8LR3oMaD98BVN77OI45z2BdPQOvDkz/h9iCdHxIEKQJmqps4giY7NiM7tOz9J6cneb8GGQBSxcd9YdY5CCYx64p/RUvHwHVid+PJ54xGYt0VZaXCmTs9oG6cwLZYAB8buKWPIxPq0u6fN4668ypTrrQvWAXHE6bC3JcnHoRQ/h1xI2Cv/q3Bqr8PO0XTMedOwosRbfSMQ+b1IOndV6Ep5wkD6Q6Y9GVVkALhuaroZ/0iDUltl9iitPM2/YvF8AdEB/fBrGZygukBThhkRGLLp7nLQAt1VNkBV0718uiRlKjWUdPc4Xvv/9adH04f3O310V138ArOdUvXRha7yHBAvmDzI2CmgxaHDU3//x3VjXfFz0aft5UfDC/vgvCBre2RO0hnNZtBSEJZDlYkn4+IFXlFte3EI+E84dAioqyN/Q2rCbvT7vnL4MX8lkQXHxLECh2EAGqPL39c3PEi4jhTZKGYs9OecP0A8lhHzFgoF3Px0IUsjQG53d11nisMcshkaE83oZJmEQ7zrTg8XSE8glwBBHRTln9G8V3S4DvzZSH/EQ192L0WvebfreW2EXoeLCDPbS6z6yhA99+OhOshw1WU+rBRcN3fc+ukNeVgA8NhztzV3/fjbFN3lAqXtF91yfV7ZUi4n0LkAxml0imkB0GboZ1XIQtP+xPl5E15YLfCBaaB59Nv2uUYKeT8W8ZPTGOZP55NllHkSKymG2gjpvLRIKJdNXOSXy
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM;
H:SYBP282MB0553.AUSP282.PROD.OUTLOOK.COM; PTR:; CAT:NONE;
SFS:(13230001)(4636009)(7916004)(346002)(39840400004)(136003)(376002)(366004)(396003)(2906002)(38350700002)(38100700002)(9686003)(44144004)(6916009)(235185007)(86362001)(5660300002)(8936002)(83380400001)(508600001)(66476007)(66556008)(33716001)(66946007)(66574015)(316002)(186003)(26005)(8676002)(6506007)(6486002)(52116002)(6512007)(2700100001);
DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?YxYm+daUHmMio0saXxQ/rDH+6niZpf9F6LdkEwwHCRufZo+QeIlJuGHpBkra?=
=?us-ascii?Q?HQFFSsBABuU8dP2u72ruLCiUfipSf6wIVUNj1TWXR71/bJ/ZqdXYU963nBS1?=
=?us-ascii?Q?3U2vwzlI2JXy8ettLaUVlM74jmPCF/QCPq1NKRL8TlViC/To8tfT2+Cm8/tH?=
=?us-ascii?Q?jOV0+WI5wEpzDlOD5E/2Qqz+MkYkKaQftl/UWKJsZkUjEJnUpb38agwIlTcq?=
=?us-ascii?Q?6wdsP859nLMjGUYs6LUz3omQmuXv5jfQl2A0ex8A7GRXtxBkTDk6gx+qsNfJ?=
=?us-ascii?Q?7NqlrMPN02SeEtMnAOX70LEt6SZHW5B72/FJs9O3DR5pX6nyx+ZfMNAnCWIh?=
=?us-ascii?Q?ecmyhOBoWsZ0P7tfxTNAEOw1fmY7MCJwJ3DnYj1Jj/aJLXeu3YaoNuOxE0w4?=
=?us-ascii?Q?UCElFMWpg5ixzsdiFLf0XkcTB9u9PlQriRkC5TC0qwR8lTuokoMkoGje+mNG?=
=?us-ascii?Q?eFBQKUuCPnrs9dhpkijBhQ/UqD+ZAJWjjAkrtWgqeuaA7WDSgPLI5RhHjrp7?=
=?us-ascii?Q?2/PYHi9EpStDdBSRd3OjR/Zz3bEOSfDV3Sc7reAThqCq8Zg168mkqc2qk66q?=
=?us-ascii?Q?rw2TzKHKafK+Qce7n5al9gaY7GN7o/DZNc/C5dM4czPm6tzUmWCL1yrZDHCb?=
=?us-ascii?Q?3VJMdhAsxuWfomX/aLqE1rdUmfxzUSFxQL1RgZSVbTR/cPeSlDi19ynTUUuM?=
=?us-ascii?Q?lfXLXkM4M21XnruBOvK1MpExMUFqO9y1z1zLsowIxfMB8nRBf+TY3at+K5ut?=
=?us-ascii?Q?oo6ZgdRnpUMul9eLWtOMOXnLOZIlCCKh/tBwQoA7EARhcNWkHa2RtGtC0rYS?=
=?us-ascii?Q?lJKM6msId4aHpTq7lXH+cjdMHhpdXqGwdWeqHB+VA4Ci01raVZocuGkkaibc?=
=?us-ascii?Q?EWZA2UAHFTQoQS+qnA8fIcfxIPmkwGRAeIFaTk/cZxuHEcsSEHZqUoUZ2XqF?=
=?us-ascii?Q?LRCAzjfJJgcGCLya6gwYjUNAC4EHptg3PWWIRW88axbDrlI5BoR0m73ANrff?=
=?us-ascii?Q?x8V0v7IZMX/cfjjW95swYpyJaFGOa/+OOuugtrhSyWaq4K97Cbe6wPaOtjpd?=
=?us-ascii?Q?Sp4SG7ncyDv3tASh/D9sbkq554rUy4Fd27HXt97TObmtiVxp417oa2xOJ+C1?=
=?us-ascii?Q?WPJR8kGt7HK9EJJPQgTPQ/jU+sJOFHSKBNfuH+2b017PIBb9L1mHEXPjeUIz?=
=?us-ascii?Q?xUkCtOiVkxBFCaOxiRY30bQFlPxwNS3e+1hzpCdglvbRndtO0O9Ta510CzDO?=
=?us-ascii?Q?hljRiyDilKFc7XdR1zYU7LKaGWNyFGIGEu5LiHJuOtETfS3kLyCTb5FK5ZcF?=
=?us-ascii?Q?CoqDn3tGeBsVZzLUiP+xO/aSyb8yFWlKVPeTVm+rhK+P6v5IaiU3iR1MY2Cc?=
=?us-ascii?Q?z1KuKZALsbpaA9pp428WmipxxDAxSix1mEatrwNXmW/aQ6sI+bU0DOfo5a1V?=
=?us-ascii?Q?iTgvc/ldamLUo6xmg7gdgqE0bK4zWpRbdTBJqkSGH8YZD55P+H93PzYIhzR5?=
=?us-ascii?Q?Yxmx7LE7WjjZceaQO3pJb6AMzvG6wzOcaymazWLES5NGEqIm+nj3cW+ipHPi?=
=?us-ascii?Q?VytMXKTZoxAYRsnSyecg4/vu55Wlr3DBetG4Jj+sSJoMvn5/fPwgRWmB6OMv?=
=?us-ascii?Q?3uAhVjrb8kMxTUsY/piUL1fikU6R3UHb1Lmf8H+LXA4dMYN43B+HMErcGlhF?=
=?us-ascii?Q?vpaeM72aZOJ3pKgjeCkQoYzVOmU5A0E8G4svs7UMOjD6ZyDylsLC6SBiciyG?=
=?us-ascii?Q?mccnuFNIqg=3D=3D?=
X-OriginatorOrg: apnic.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 05bfad19-1756-40b0-425d-08da1e07ce5b
X-MS-Exchange-CrossTenant-AuthSource: SYBP282MB0553.AUSP282.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Apr 2022 11:13:30.6569 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 127d8d0d-7ccf-473d-ab09-6e44ad752ded
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: V8MEJrvOrchILqSoyyj8RbKEIz4k6TwVzNUIpZM0OKIIT0bYmS7zCIWSYU6V56ov
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ME3P282MB3902
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/A8JqQUv7aT5ioj4UWtqsULnhqYM>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-09.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>,
<mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>,
<mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2022 11:13:44 -0000
On Sun, Mar 06, 2022 at 06:02:25PM -0800, internet-drafts@ietf.org wrote: > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the SIDR Operations WG of the IETF. > > Title : RPKI Signed Object for Trust Anchor Key > Authors : Carlos Martinez > George G. Michaelson > Tom Harrison > Tim Bruijnzeels > Rob Austein > Filename : draft-ietf-sidrops-signed-tal-09.txt > Pages : 18 > Date : 2022-03-06 > > Abstract: > A Trust Anchor Locator (TAL) is used by Relying Parties (RPs) in the > Resource Public Key Infrastructure (RPKI) to locate and validate a > Trust Anchor (TA) Certification Authority (CA) certificate used in > RPKI validation. This document defines an RPKI signed object for a > Trust Anchor Key (TAK), that can be used by a TA to signal the > location(s) of the accompanying CA certificate for the current key to > RPs, as well as the successor key and the location(s) of its CA > certificate. This object helps to support planned key rolls without > impacting RPKI validation. To summarise the changes in -09: - acceptance timers (similar to those in RFC 5011) for transition to new keys have been added; - the term 'revoked' is avoided, so that there is no confusion around semantics; and - the predecessor key is included in the TAK object, as an additional check that things are set up correctly. Feedback on this updated model would be appreciated. The changes in more detail: in the feedback on -07, there were various pointers to alternative approaches to TA rollover, and suggestions that we look into that topic more generally. Notes on this feedback: - RFC 4210: Certificate Management Protocol (CMP) - The process in RFC 4210 is that the root CA operator signs the old key with the new key, and the new key with the old key, which the clients can then fetch from the CA operator. That means that clients who trust the old key can validate certificates signed with the new key, and clients who trust the new key can validate certificates signed with the old key. - It's not clear that this work translates to RPKI, though. The mechanism in RFC 4210 appears to be designed to account for out-of-band TA distribution, as well as clients receiving certificates from other sources. Since the aim with signed TAL is to have TA distribution be in-band, and also considering that all certificates are stored in a repository, it doesn't appear that this work will help here. - RFC 8649: Hash Of Root Key Certificate Extension - This document defines a process where the TA can include the hash of the next TA key in their current TA certificate, and then clients can transition on seeing that new certificate. - Tim commented on this on the list: a couple of issues are that some RPs might not ignore the extension (compare the situation with a new signed object, which would definitely be ignored), and it also limits the ability to transition once the certificate has been replaced (i.e. once the new TA certificate is published, the old TAL data can no longer be used). - Another consideration is that RPKI supports arbitrary reissuance of the TA certificate, so there would need to be additional guidance around what the RP should do when the extension is removed, or when a new hash is seen, and how long the hash should be in place before a new TA using the associated key will be accepted, and so on. - Web PKI generally - It doesn't appear that key rollover happens in this context. It looks like root CA operators simply issue new root CA certificates as required, and then rely on cross-certification for clients that aren't configured to trust the new root CA. - RFC 5011: Automated updates of DNSSEC TAs - The acceptance timer behaviour from this document seems like a useful way to guard against the problems raised around key compromise, and has been added to the document. With a timer, an attacker who gains access to the TA key and publication point is no longer able to immediately transition all clients to a key and publication point controlled solely by the attacker, which is helpful. - Including this delay also deals in part with some of the support for a "sign in advance"-type model. As far as literature/reference material on TA rollover more generally is concerned, we couldn't find any. Any pointers would be appreciated. The other main piece of feedback from last time was to do with using the term 'revoked' to describe TA keys that aren't current, because those 'revoked' keys will still be trusted by clients configured with the corresponding TAL, and an attacker who gains access to that key and publication point will still be able to cause trouble for any client configured with that TAL data who hasn't transitioned to the new key. This was addressed by avoiding the use of the term 'revoked' in the TAK object and the document, so as to avoid any confusion around semantics, and also by advising TAs to reuse TA certificate URLs for new keys, once they stop maintaining the previous keys hosted as those points. That will inhibit the use of the previous key by an attacker, since the URL will be in use for a different current key. The only other substantive change to the document since -07 is the inclusion of the predecessor key in the TAK object. This allows a relying party to confirm that the successor intends to operate as the successor for this specific key. This is just an extra check to make sure that things are set up correctly. Separately, there was a suggestion that we look into the versions of validators that are in use, to see how long it takes people to upgrade to current versions. The graph of this data for September 2021 through February 2022 is attached to this mail. The data is taken from APNIC's RRDP service, as at the last day of each month. The Y-axis is in terms of client ASNs, where individual IP addresses were mapped to ASNs by looking at data from BGP. Each ASN was only counted for the most up-to-date validator that was seen running from it. Only validators that provide version information in the user agent string were taking into account: Routinator, FORT, the RIPE validator, OctoRPKI, and rpki-prover. Version information for each validator was taken from the tags in the corresponding Github repository. Requests directly from browsers were discounted, while all other requests were placed in the 'Unknown' category. The key points from this data are that 30-50% of the known validators are running code that is more than one year behind the current version of that validator, and there are a large number of unknown clients hitting RRDP services (probably a substantial portion of these clients are rpki-client, though). To rely on signed TAL as the principal transition mechanism for TA rollover, it's likely that a concerted effort would need to be made on getting clients to upgrade once the associated RP code is in place, as well as getting a better understanding of the clients in the 'Unknown' category. -Tom
- [Sidrops] I-D Action: draft-ietf-sidrops-signed-t… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Tom Harrison