[Sidrops] Heads-up, almost all caches are about to follow draft-spaghetti-sidrops-rrdp-same-origin
Job Snijders <job@fastly.com> Thu, 11 April 2024 15:34 UTC
Date: Thu, 11 Apr 2024 17:34:09 +0200
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <ZhgC8e6xzEIRGCUz@snel>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/BCq3asiRdzdLlh0ScCc_oCHuiBY>
Dear SIDROPS,

It recently came to my attention that a small footcannon was lying around in the current interpretation of the RRDP: the specification allows cross-origin pointers.

Behind the scenes four implementations (rpki-client, Routinator, Fort, rpki-prover) converged on a specific solution: to apply a "Same-Origin Policy" for RRDP. Each of these implementations has implemented this concept on a development branch, with general public releases expected to become available in the next weeks.

This is an opportunity for RRDP Publishers and other stakeholders to consider the implications and provide feedback on the problem & chosen solution. This message also serves to notify the wider community there is a thorny aspect in RRDP.

I'd like to request a call for working group adoption for draft-spaghetti-sidrops-rrdp-same-origin - especially considering there already are 4 implementations.

Kind regards,

Job

----- Forwarded message from internet-drafts@ietf.org -----

Date: Thu, 11 Apr 2024 08:14:29 -0700
From: internet-drafts@ietf.org
To: Job Snijders <job@fastly.com>
Subject: New Version Notification for draft-spaghetti-sidrops-rrdp-same-origin-00.txt

A new version of Internet-Draft draft-spaghetti-sidrops-rrdp-same-origin-00.txt has been successfully submitted by Job Snijders and posted to the IETF repository.

Name:     draft-spaghetti-sidrops-rrdp-same-origin
Revision: 00
Title:    Same-Origin Policy for the RPKI Repository Delta Protocol (RRDP)
Date:     2024-04-11
Group:    Individual Submission
Pages:    7
URL:      https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rrdp-same-origin-00.txt
Status:   https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rrdp-same-origin/
HTML:     https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rrdp-same-origin-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rrdp-same-origin

Abstract:

This document describes a Same-origin policy (SOP) requirement for RPKI Repository Delta Protocol (RRDP) servers and clients. The same-origin policy concept is a security mechanism to restrict how a document loaded from one origin can cause interaction with resources from another origin. Application of a same-origin policy in RRDP client/server communication isolates resources such as Delta and Snapshot files from different Repository Servers, reducing possible attack vectors. This document updates RFC 8182.

The IETF Secretariat

----- End forwarded message -----
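The check the abstract describes, sketched as an added example; it is not code from the draft or from any of the four implementations named in the message. It assumes an origin is the (scheme, host, port) triple and uses the RFC 8182 notification file layout; the URIs, session_id and hash values are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"   # namespace from RFC 8182
DEFAULT_PORTS = {"https": 443, "http": 80}

def origin(uri):
    """Return (scheme, host, port); this triple is the assumed origin definition."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def cross_origin_refs(notification_uri, notification_xml):
    """List (element, uri) pairs that point away from the notification file's origin."""
    expected = origin(notification_uri)
    root = ET.fromstring(notification_xml)
    if root.tag != RRDP_NS + "notification":
        raise ValueError("not an RRDP notification file")
    rejected = []
    for child in root:
        kind = child.tag.replace(RRDP_NS, "")
        if kind not in ("snapshot", "delta"):
            continue
        uri = child.get("uri", "")
        # A missing or unparsable uri never equals the expected origin.
        if origin(uri) != expected:
            rejected.append((kind, uri))
    return rejected

# Constructed sample: one delta on another host, one downgraded to http.
SAMPLE_URI = "https://rrdp.example.net/notification.xml"
SAMPLE_XML = """<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
    session_id="9df4b597-af9e-4dca-bdda-719cce2c4e28" serial="3">
  <snapshot uri="https://rrdp.example.net/s/snapshot.xml" hash="AB"/>
  <delta serial="3" uri="https://rrdp.example.net:443/d/3.xml" hash="CD"/>
  <delta serial="2" uri="https://other.example.org/d/2.xml" hash="EF"/>
  <delta serial="1" uri="http://rrdp.example.net/d/1.xml" hash="01"/>
</notification>"""

if __name__ == "__main__":
    for kind, uri in cross_origin_refs(SAMPLE_URI, SAMPLE_XML):
        print(f"refuse to fetch {kind}: {uri}")
```

A client applying the policy would skip the listed URIs instead of fetching them; the explicit :443 delta is accepted because it resolves to the same triple as the notification URI.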