Re: [Sidrops] what to do when the CRL is hosed?
Christopher Morrow <christopher.morrow@gmail.com> Wed, 01 April 2020 18:33 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11FB13A15FE for <sidrops@ietfa.amsl.com>; Wed, 1 Apr 2020 11:33:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rm0t6w5Sxy7j for <sidrops@ietfa.amsl.com>; Wed, 1 Apr 2020 11:33:10 -0700 (PDT)
Received: from mail-qv1-xf2f.google.com (mail-qv1-xf2f.google.com [IPv6:2607:f8b0:4864:20::f2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBCE83A1614 for <sidrops@ietf.org>; Wed, 1 Apr 2020 11:33:09 -0700 (PDT)
Received: by mail-qv1-xf2f.google.com with SMTP id t4so254136qvz.8 for <sidrops@ietf.org>; Wed, 01 Apr 2020 11:33:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Wt8mqvQ31xemRJI69e3FVdj4gZtM2HTb+vLFgmUo/GI=; b=vfEGkIavkADSuhe/d/0JFhqnf7UvG7Ie63eECRiNP1E0tFcMQnPCoFUQAfwcazDo4S 2YXi5leSftdKr8E+qyGvooHXiEJCKHWJ+2bIDtRCChtUZbr8pI56vzuATqAaq96Er6F1 BCLXEtrUXeuyng71S8yvhwmwYioNPMm1+pSdg31e2nTyvKUr3EUePbCm5zEJT/IOX7wJ pLoJ1gYyAq4CWwxYbH+EU3hpAdKuJ6t9vyfeZ+4NFLcHhvhkmOAKSpcG4X1mYVj0ZITe FKHP9gFTBFgfb111N7SEtWU7rL6MuM1G8ahzwfpEaVgwERixcMzYkWkpG26k106G/jyO 5AuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Wt8mqvQ31xemRJI69e3FVdj4gZtM2HTb+vLFgmUo/GI=; b=MbqmSfBjC/n5+asgYXfd/3m5oXDU4zOf6Zg6XqVqzhz5KvYO3hbPvw5RYJQ6sKPLGq oBumonqWVLGoyCjFQ41juH+NaCc08TTpX+X9v/sHZbMwG9XhI35gUDXmcppn03SvpchI JqhbyR/mil1nPKwV5Na7RkI1YTaCq4syYPXbC7BqVV27qqSTK44qe0HP+4nMf4ZkGVVy g5kJoJV0sOQaa2kDwP5q78KdDdcGUyKunVZ+enSd+R/cdF8qwGvI1gn+qm9K8x0y5CJ/ Kt8WUgGhE/o0J70lvFDOjze1614atNDtKH5c7+bIxijL6W7KfaZAqF3ZqQgz+AQCEkje mHVQ==
X-Gm-Message-State: ANhLgQ2OYbAqTYfcgTbrlfGDr/4hJh1Y6dzeJZWoDCUcd0K1nldBAd6G iZgQsCSCJf7v0wL29iirK2WFHobkbYD6sgiROibgDU4n
X-Google-Smtp-Source: ADFU+vvLoxPwi+oz9kLxhgQ8Hc8NaBK7/5CpKGLdV+0OXBMVAzDy8BTLNTcOspXPsVY6IDLNwYcUCYq0LzJWmjCIbvQ=
X-Received: by 2002:a0c:eb4a:: with SMTP id c10mr16564211qvq.70.1585765988468; Wed, 01 Apr 2020 11:33:08 -0700 (PDT)
MIME-Version: 1.0
References: <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <253D1ED7-52D8-4A00-9D69-095E61D09C9F@nlnetlabs.nl> <db920115-e188-700f-ceb2-08cd2996046a@verizon.net> <3a683da4-42f9-28c6-f0dd-4d11d3c67857@ripe.net> <4fe26a30-4a08-41a5-be7f-0c5997230d0a@www.fastmail.com> <3B072025-68C5-4E62-9466-5122D483F691@nlnetlabs.nl> <20200324135828.GG60268@vurt.meerval.net> <20200324152009.6e6a2c3f@glaurung.nlnetlabs.nl> <20200324151101.GH60268@vurt.meerval.net> <7f54a255-643f-cd2d-12c2-da19562bbffa@verizon.net> <7465c59f-fa10-4083-8e52-291cb47587f6@www.fastmail.com> <ed15512c-4fac-f8b1-f616-4dcf7afbf396@verizon.net> <CAL9jLab_tLDwh8=thqPfWw29g+LK__T2MUfCZmLDv1v_Z77x+w@mail.gmail.com> <CAKr6gn2VN8kXB2KS5LUkuSkihoE5KqUqfD+NTLuopnTVYF1QQA@mail.gmail.com>
In-Reply-To: <CAKr6gn2VN8kXB2KS5LUkuSkihoE5KqUqfD+NTLuopnTVYF1QQA@mail.gmail.com>
From: Christopher Morrow <christopher.morrow@gmail.com>
Date: Wed, 01 Apr 2020 14:32:57 -0400
Message-ID: <CAL9jLabp389epPOwheNb0CkBVGrNrp=v5jwA1MKrg_CWD52_dA@mail.gmail.com>
To: George Michaelson <ggm@algebras.org>
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/EoaLpG9MR5P4mHCMxt-MZx1tH-U>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2020 18:33:12 -0000
On Tue, Mar 31, 2020 at 6:21 PM George Michaelson <ggm@algebras.org> wrote: > > I think you did capture the spirit. > > I would remind people that *all* the products in a repository are > signed objects. To arrive at a state where a manifest is "wrong" this was the meat of the first part of my message: "We planned from the get-go that transport security wasn't available, and instead object security would be required." This brought along some, perhaps implicit, requirements about the state of the repository and objects contained therein. > demands two things: it doesn't reflect some real-world situation > regarding contents of the repository *and* its signed by keys you can > validate back to a trust anchor. If you cannot validate the manifest, > then its not "wrong" its forged, or invalid cryptographically. To me, I agree with this, > a "wrong" manifest checks out cryptographically but somehow is not > coherent with the state of the repository. If objects are on the > manifest but cannot be fetched, you are probably suffering either from > hiding of objects, or a transitional state of publication. If objects > can be found which are not on the manifest, you may be seeing > artifacts which are not defined as critical (must be found) or, the > manifest has not yet been updated. This part isn't really what we started talking about, but bears some discussion I think. The manifest is 'must be there' objects in the repository. If there are manifest listed objects which are not in the fetch... that repository is in a bad state and probably operations should decide what to do about that. o Do we have guidance? o Does that guidance provide a list of actions/tradeoffs? o will resolution come in time (for your particular problem) I think most of the docs so far are less definitive ;) about this. This, is one of the things that I think the discussion/wg should provide in a more clear manner. As an ops group it seems reasonable for us to do this even, we're pointing out a difference between theory and practice and documenting a fix. > There are potentially transitional states in the production of a large > repository under eventually consistent production (e.g. multiple > asynchronous cooperating processes, dual-redundant signing models) > where what can be fetched and what is on manifest do not align. If we Part of the agreement between repository and RP is really, I think: "This repository once published is correct" (note, not: 'eventually consistent') This isn't really said in the docs either, and since we let all the flowers bloom here, and kept saying: "the repositories are going to be inconsistent for a bit" I think we didn't help repository operators pick 'sane' models for management of their repository content over time. > wish to demand that the manifest and a given state of the repository > *always* align, we need to formalise that in a way which makes it > clear we publish repository state in as close to atomic-update as > possible. (copying a repo to a new dir, modifying the contents of the > new dir, and (re)publishing the change through the rename() call in > UNIX is one such model) This was, actually, part of the point I made 'years back' about management of repositories... that lead to the model I (admittedly 'puppet for dummies' style) put together for managing the test repository work setup. I think it'd be worth document (as part of the outcome of the proposed conversation) what 'contract' we expect the respository operations and relying parties to have.. 'contract' in a software expectations sense, not in a legal-beagle sense. The next bits step into the 'given case X guidance from the WG for operators says 'do Y'. > A missing manifest is not a "wrong" manifest -its a sign of data being > hidden from you either because of transitional effect in publishing > the repository, or for persisting state a problem in the repository > (diskfull?) or, production systems, or a MITM attack. Which do you > think is actually most likely at this current time? This is no > different to a missing CRL in that regard. Which do you think is the > most likely reason, because you cannot a-priori know that its a MITM > attack, or a failure in networks, or storage systems, or production > systems. > > During the early design phases of the system, we determined that since > the products were all cryptographically signed, there was no strict > requirement for cryptographic protections on transport. If that > decision needs to be revised I think it should be done in standards > work, here, as a discussion. I do not yet see a document which says > that. I don't see formalisms which go to a normative change in SHOULD > to MUST on this. > > So these comments aside, my plea is that people clearly state when > they say "wrong" or "bad" if they mean that it is cryptographically yes, loose lips (phrasing) sinks ships (discussions). I'm trying to be more clear, if I'm not please say: "You are unclear here, more words pls!" > valid, but does not align with some external reality, or some other > meaning. (Which btw, is complex because the part which none of this > can adequately capture is *intentionality* -Just because you think a > publication of RPKI state is nonsensical does not mean its not > intentional) > > Attack models need to state clearly how they acheve the state. An > attack on the integrity of the manifest needs to explain coherently > how it creates a manifest which checks out cryptographically, and yet > hides or legitemates something which should not exist. They also need > to explain how the specific attack on the manifest in these situation > outweighs other considerations: If they have the keys, then surely the > attack vector is to make validly signed things which cannot be > detected as an attack? > > -George > > On Wed, Apr 1, 2020 at 1:42 AM Christopher Morrow > <christopher.morrow@gmail.com> wrote: > > > > first, apologies for getting back around to this so late :( > > > > On Thu, Mar 26, 2020 at 10:57 AM Stephen Kent > > <stkent=40verizon.net@dmarc.ietf.org> wrote: > > > > > So, I think discussing MITM attacks is a distraction, unless we have examples of how > > > such attacks can affect RPs in ways different from attacks on repositories. Maybe re-reading > > > RFC 8211 would be useful, as it tries to analyze a range of possible "adverse actions" by CAs or > > > repository managers in the RPKI context, and discusses how RPKI mechanisms are intended to > > > detect/counter these actions. > > > > In the case of the incident which started this thread we ended up > > publishing part of the content a > > repository needs to publish such that the relying parties can verify > > properly that the content in the > > repository is correct/valid/usable. The discussion then went along a path like: > > 1) "well... maybe we shouldn't have belt and suspenders?" (manifest AND crl) > > 2) "what happens if we don't publish this pesky CRL? and rely only > > on the manifest?" > > 3) "what if we don't publish the manifest and only rely on the CRL?" > > 4) "CRL + Manifest has made 'rp software' hard/buggy" > > > > In the world where the protections specified for RPKI exist: > > 1) self contained content protection (roa / ee-certs / etc are > > packaged securely) > > 2) crl signed and available in the repository for revocation actions > > on objects in the repository > > 3) manifest signed and listing all objects of interest in the repository > > > > Steve (kent!) is right mitm is harder to see as a threat. > > "All objects you get are signed by a ca-cert which is signed by the > > root.. which is in the list of TAL you have. You can't have missing > > objects and you cant' remove objects without affecting the signed > > manifest" > > > > In a world where we remove one/some of the protections: > > A) no more manifest > > B) no more crl > > C) both > > > > I think mitm problems are much harder to detect/deal with :( > > It sounds like WG folk (RP users and RP/CA software authors) are > > asking for guidance on handling the problem(s) discussed here. > > It sounds, to me, like a chat at the upcoming interim meeting would be > > a great place to start that with some slideware and a proposal to use > > as kindling. > > > > I think the shape of the conversation is roughly: > > "What would be the effect (on the routing system) for RelyingParties > > if we decided to be less strict about CRL existence?" > > "What would be the effect (on the routing system) for Relying > > Parties if we decided to be less strict about repository contents vs > > Manifest contents?" > > "What happens to the routing system if the manifest and crl are > > either/both 'broken' in a repository?" > > > > I don't think it matters much to the routing system where the breakage > > occurs (my repository or RIPE/ARIN/etc) certainly there's more fallout > > from ARIN/RIPE/etc, but... you can't get to me either way :) > > (possibly) until repair and propogation. > > > > Thoughts on some slideware and discussion? > > Did I about capture the meat of the sandwich here? > > > > -chris > > co-chair but asking as a regular chemical engineer at this party. > > > > _______________________________________________ > > Sidrops mailing list > > Sidrops@ietf.org > > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Francisco Javier Moreno Arana
- Re: [Sidrops] what to do when the CRL is hosed? Ben Maddison
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Louis Poinsignon
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Nathalie Trenaman
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Rob Austein
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Jay Borkenhagen
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush