[Sidrops] revised text for section 6 of 6486bis
Stephen Kent <stkent@verizon.net> Fri, 18 December 2020 16:28 UTC
Return-Path: <stkent@verizon.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6B0A3A09F9 for <sidrops@ietfa.amsl.com>; Fri, 18 Dec 2020 08:28:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verizon.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YCpaAFoEd-ET for <sidrops@ietfa.amsl.com>; Fri, 18 Dec 2020 08:28:35 -0800 (PST)
Received: from sonic303-2.consmr.mail.bf2.yahoo.com (sonic303-2.consmr.mail.bf2.yahoo.com [74.6.131.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F16023A09BD for <sidrops@ietf.org>; Fri, 18 Dec 2020 08:28:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verizon.net; s=a2048; t=1608308914; bh=mDt4VLoeJ12A0zwJwOmV+8VA+wz0TDvGqbdCPSrA/4Y=; h=To:From:Subject:Date:References:From:Subject; b=GwEZ66cd+keObmBiaRyOzg+8GE/guo5/ZDmkPdIO3Ij4od8jRgITSSwCb7hWeAC+m2kXU0ix++zGv0Xcb4fNeLpntgNUTwXnzKdHaClw/zI7j1I5as6/MUHepIY0FNKRhxOKtO694OYZ/dGQkwraQqgyC/rt2/iWShkmYmWZ4XvoFAdGvX7R0kCBHRNekW37oQl9cSXpIU7bxFihjeYiPbsat8ynyNMrdlsyGJSXLE658uixZjQoEXk5WaAa33aBzXfKK7oF50FX3DovOzY+8CQ6lGM5/u4d3A2wVK8yCAmRUaA0jFGICrnq+Bhj+J9ttaGeMJa5W2pjp+O1SgCd8Q==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1608308914; bh=CGLF1MqyubzM5BnDeBxH+JV2QxBvKMnHvsIfuR7wEw5=; h=To:From:Subject:Date:From:Subject; b=X1Eq9QxmtPretiQnmxbCCscMJApfCTT+mhHbM4ET5P220fLLoWiDkpu9Mr3e97N9U0l+3mRs0E5K6K0rj9RwHxFmb82p4iHvn3bgIIEV5fEN7ODKHjKsjqi8rQIF58A0fUzsmWYzlilzdf2PgkEH4j0SKMcQGmAUUrf59hi4FXa2MjnyE/pnhKKV40HNLzz75vPIaDLuBI/RoIu/MAJZRmcCAOTS2wOsk5K2VoD8CVohqCXrc2GaWRZQbdSFKfNvtVFhf4gCW7XLLBSXLgkb6nnXXYXAVBLWakSkDEpvaUcAfSYtbmQIOiTDWGQyebIQwgLD98machWfkUApKTdSVg==
X-YMail-OSG: 65dmvT0VM1n_QM2SdCX8QBKsrEtuHt2zlKZ4Y4CCgtOyxgWFQHZQo8lMbmeaCpI 32Pl.PQFl9vR7fEn2S4TQ7tn5wc9mj9bi_1eXCL_vWOGx75dWb78xDWNX_e_mwrzCYs_MI3Lue3t GtbT60FjeUrJ84.ja98V2VQH6uOMUx5IYKfaX3rMsAg3FbyBCSsLTPLOWxTc2h0OgOKaTxl6Ig9K VYdfArK.eQZfDaesd9KPhC49DAhNLXgftEm4JphMpPrIP.SBeGB6KRqxj7ZY97vunUXNFDQ0MB_W .nKEqTBmvlpgR5S1M36EGiNTD0GTldAfq8cS1eJeo47lpB8ZNzBYDC22z.jqt60jZldYMd6UBrG0 ERd9anGXOewUI6lNnyX8JJdD7EseZn5LXrOvjQHTxJLF8MAMBlCG2J_2YCQ2yxEOehKILsfK84qk RnlRgkrz7ggevrZDXZn3PlA1dr5YKp1ImgqQnNU1UlILu4Y_B8nScnR7itMlzDCP1dbsRw1Ui4q7 REVZ2QxUsfrg3te88zQnpl8wgt3.KzwI118NuzR66TuITIe74eRHcCrL0WLXQtdxocEJjmSHfb2R fWJZdVi.CVzr.blHvWj7zXFzJcAl39vIfO.FExnOe1ZMuKJF9WYCWmoV_FqeJ8bdPVy27Uqj5tNf ZelR37zkJXSyigHCxZzpznn5uifurHfQcvqZE33Z1aOu4QdOFxKEngFwZIXaPYCAhar6jSioXfWx 6h90yv.2jkCMwRiwdlKjFATkkbXDAUA6CYKnH8r8wFwfOFgrCvLEO0kZZ0FXpbn7pVFJMbY9UTeo kNT4uQ9zCflhSgX8wgh2xU6CCTcO65UjAlfpo8PJtUwMjvJPWkxG5zVLp2vKm4Djk6tFAgR59lhl xb_33CudJNP9qBfe1haMg7LXdsbo4I6qOFMi.EYmeF8ceh.BjZlaKSjssd3hq7nOnkEfQh58k0nY T1D7j_uCc.RfphqUM.0N_aoSf7jRMOuQfRXIBIhIS0lXzv08WVl3V9xj8fXInFiLGGlMtEYhaYih 0lrAGUKrxyTE20TWR9jvOBn2NIPg5rq25zAq8l330iLh6aO_beRbqoYSpAQCYRIWYB.7ZwLC4s43 jn1TwTqHnfOl8VSfycIhhFg590PkpHU0_iLg7mHx3Lxk3aI90xKtBnnuPlRMtbEgcn8Ww58gF6ue PrH7vbIyNRNnoMparg4kw_9BN0gRFZxNm_w1zTXrOOKRKIB8NzZDZYZJD_W60vG1HwAGKfNrhnKK p6k8.u2keKV2Q3HcG3X47adPdYdhpFuE643iygrEnqKJ0zEDlpi4ao2stNLbTXOSah4DfAJliPCg u7NINL9xYgqupRHzIYN.GKfwRooFkaqsLS9.gPO6y_QsD5GtaIHoiXCdDKiSDtL2C_1TgRYkho8d fyeRA5LG8nipKcXhSUfOhvMdxqGMFK_T5g77Wfc_iDAkoLEsGAtO72A25ThSg5U7jLFuPt9PMcUb 5bI6M8lA9yHoAuPxKeE2lT51XX._zqQx4oTszurzrSP910xfFCkYTTHip4IJN1qF.0HXxarxXIPO KkEuPc1D7_n.P4bRS23W0M.B1C4Wl.w5te4yRWzi3qujR4Z_jyu7Kn79QbEhVV37rlj1ziKDYVY1 GCHDxI5TGxHaVzY4vUFvoo5M73UPUB2qiVHbigIllK0R1_yys5oY0H3B7tUFSeYYh_L16bwo6EUs avzhesPD1BL_gjm4nTpp4xEfsCdEJudG0q8D5_K1In.cDLovbeVdzR4lG99QGbEnWuLvo9RaOa18 vJn_aU0Wi24xWcK_wb6F3WWSoVR4No.TLLW3eWO.pCRg0VlXbeCmfAohVs2JF2p2Sja.a7x1Egq2 nqJfSqnQOYqqXpz0IvAqSSBN3nULs4GghbaDlF.tGlQ5DAscnqEdsDhvofVIX9vUMAeFKuRVPF2y up5lw8Eck4ein0_Or1dGRbX8xeWotsAWF.34H4uipec6QadT55tnZ7alJK8dfe9NN3YA_1ZYRjAH BC8Cv9Ndo5coDKCmMNLqKqw21IXl0PqTQMlEmDkAt3w5l5KrFLhRYu83s8uDWIGgr48Jx8qZmwUk gm2SgjZT8lrZSB7WEGGc07JM6pHSJQ3CrwPdtuaifdSh9bHHXrw7J2tMqA2CoQj6oDarOPqtiVPq 4m0S3GD96grwTTMwnknjRXW9sH7Ff51HhkV3y8OALOXoMfrDDazdjBBriS.rKa66tV2klu9S8lhY 6fRL8x3WVxYlVbipmAQe.ffwXGBoTwgpRQwvMrATWKb_f_tGpH5poDIq.1oro4S0SmYvQR_hss1Z f_RTYTZ8cq7hDJ.b8NJ9Hnvo2Xf6qEaECEB7lMjH74TXLjlVI608w8d150Du5gb7IqxrT2OYeyT4 QA_eAK_sTe429uJ1wiR_v9CfhDg--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic303.consmr.mail.bf2.yahoo.com with HTTP; Fri, 18 Dec 2020 16:28:34 +0000
Received: by smtp401.mail.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 89b3dd82edcac33aaac7d2525bb535db; Fri, 18 Dec 2020 16:28:30 +0000 (UTC)
To: "sidrops@ietf.org" <sidrops@ietf.org>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <12001c46-2fe3-6616-2969-f97d247e972e@verizon.net>
Date: Fri, 18 Dec 2020 11:28:29 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.5.1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------55DA7E5AC43C53AC633D6C98"
Content-Language: en-US
References: <12001c46-2fe3-6616-2969-f97d247e972e.ref@verizon.net>
X-Mailer: WebService/1.1.17278 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol Apache-HttpAsyncClient/4.1.4 (Java/11.0.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/F-qYDk9Y_mG7KhzWr8o6ODa8w98>
Subject: [Sidrops] revised text for section 6 of 6486bis
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 16:28:38 -0000
Based on the numerous comments posted over the past 2+ weeks I have revised the text of section 6 of the document. The revised text focuses exclusively on using a Manifest to ensure that the set of files retrieved from a pub point match those that were posted by the cognizant CA instance. Thus, for example, the text no longer requires that the files being retrieved be verified based on RFC 6488. As a result, there is no need to enumerate the object types that are mandatory to support. Consequently, there is no need to specify how to deal with files that are retrieved but that are not among the mandatory-to-support object types. All of that now belongs in other documents, given the newly-agreed upon scope limitation for Manifest processing. For example, the section no longer requires that there be only one CRL, consistent with the notion that the purpose of the manifest is to ensure that the retrieved objects matches what the CA published. Because we have removed the object validation constraints from this document, we can no longer state that "The processing described below is designed to cause all RPs with access to the same local cache and RPKI repository data to achieve the same results with regard to validation of RPKI data." Instead, the text now states: "The processing described below is designed to cause all RPs with access to the same local cache and RPKI repository data to acquire the same set of validated repository files. It does not ensure thatthe RPs will achieve the same results with regard to validation of RPKI data, since that depends on how each RP resolves any conflicts that may arise in processing the retrieved files." Steve -------- 6.Relying Party Processing of Manifests Each RP must determine which signed objects it will use for validating assertions about INRs and their use (e.g., which ROAs to use in the construction of route filters).As noted earlier, manifests are designed to allow an RP to detect manipulation of repository data, errors by a CA or repository manager, and/or active attacks on the communication channel between an RP and a repository. Unless all of the files enumerated in a manifest can be obtained by an RP during a fetch operation, the fetch is considered to have failed and the RP MUST retry the fetch later. [RFC6480] suggests (but does not mandate) that the RPKI model employ fetches that are incremental, e.g., an RP transfers files from a publication point only if they are new/changed since the previous, successful, fetch represented in the RP's local cache.This document avoids language that relies on details of the underlying file transfer mechanism employed by an RP and a publication point to effect this operation.Thus the term "fetch" refers to an operation that attempts to acquire the full set of files at a publication point, consistent with the id-ad-rpkiManifest URI extracted from a CA certificate's SIA (see below). If a fetch fails, it is assumed that a subsequent fetch will resolve problems encountered during the fetch.Until such time as a successful fetch is executed, an RP SHOULD use cached data from a previous, successful fetch.This response is intended to prevent an RP from misinterpreting data associated with a publication point, and thus possibly treating invalid routes as valid, or vice versa. The processing described below is designed to cause all RPs with access to the same local cache and RPKI repository data to acquire the same set of validated repository files. It does not ensure that the RPs will achieve the same results with regard to validation of RPKI data, since that depends on how each RP resolves any conflicts that may arise in processing the retrieved files. Moreover, in operation, different RPs will access repositories at different times, and some RPs may experience local cache failures, so there is no guarantee that all RPs will achieve the same results with regard to acquisition or validation of RPKI data. Note also that there is a "chicken and egg" relationship between the manifest and the CRL for a given CA instance.If the EE certificate for the current manifest is revoked, i.e., it appears in the current CRL, then the CA or publication point manager has made a serious error.In this case the fetch has failed; proceed to Section 6.7. Similarly, if the CRL is not listed on a valid, current manifest, acquired during a fetch, the fetch has failed; proceed to Section 6.7, because the CRL is considered missing. 6.1.Manifest Processing Overview For a given publication point, an RP MUST perform a series of tests to determine which signed object files at the publication point are acceptable.The tests described below (Section 6.2 to Section 6.6) are to be performed using the manifest identified by the id-ad- rpkiManifest URI extracted from a CA certificate's SIA.All of the files referenced by the manifest MUST be located at the publication point specified by the id-ad-caRepository URI from the (same) CA certificate's SIA.The manifest and the files it references MUST reside at the same publication point.If an RP encounters any files that appear on a manifest but do not reside at the same publication point as the manifest the RP MUST treat the fetch as failed, and a warning MUST be issued (see Section 6.7 below). Note that, during CA key rollover [RFC6489], signed objects for two or more different CA instances will appear at the same publication point.Manifest processing is to be performed separately for each CA instance, guided by the SIA id-ad-rpkiManifest URI in each CA certificate. 6.2.Acquiring a Manifest for a CA The RP MUST fetch the manifest identified by the SIA id-ad- rpkiManifest URI in the CA certificate.If an RP cannot retrieve a manifest using this URI, or if the manifest is not valid (Section 4.4), an RP MUST treat this as a failed fetch and, proceed to Section 6.7; otherwise proceed to Section 6.3. 6.3.Detecting Stale and or Prematurely-issued Manifests The RP MUST check that the current time (translated to UTC) is between thisUpdate and nextUpdate.If the current time lies within this interval, proceed to Section 6.4.If the current time is earlier than thisUpdate, the CA has made an error; this is a failed fetch and the RP MUST proceed to Section 6.7.If the current time is later than nextUpdate, then the manifest is stale; this is a failed fetch and RP MUST proceed to Section 6.7; otherwise proceed to Section 6.4. 6.4.Acquiring Files Referenced by a Manifest The RP MUST acquire all of the files enumerated in the manifest (fileList) from the publication point. If there are files listed in the manifest that cannot be retrieved from the publication point, the fetch has failed and the RP MUST proceed to Section 6.7; otherwise, proceed to Section 6.5 6.5.Matching File Names and Hashes The RP MUST verify that the hash value of each file listed in the manifest matches the value obtained by hashing the file acquired from the publication point.If the computed hash value of a file listed on the manifest does not match the hash value contained in the manifest, then the fetch has failed and the RP MUST proceed to Section 6.7; otherwise proceed to Section 6.6. 6.6.Out of Scope Manifest Entries If a current manifest contains entries for objects that are not within the scope of the manifest (Section 6.2), the fetch has failed and the RP SHOULD proceed to Section 6.7; otherwise the fetch is deemed successful and the RP will process the fetched objects. 6.7.Failed Fetches If a fetch fails for any of the reasons cited in 6.2-6.6, the RP MUST issue a warning indicating the reason(s)for termination of processing with regard to this CA instance.It is RECOMMENDED that a human operator be notified of this warning. Termination of processing means that the RP SHOULD continue to use cached versions of the objects associated with this CA instance, until such time as they become stale or they can be replaced by objects from a successful fetch.This implies that the RP MUST not try to acquire and validate subordinate signed objects, e.g., subordinate CA certificates, until the next interval when the RP is scheduled to fetch and process data for this CA instance.
- [Sidrops] revised text for section 6 of 6486bis Stephen Kent
- Re: [Sidrops] revised text for section 6 of 6486b… Ties de Kock
- Re: [Sidrops] revised text for section 6 of 6486b… Stephen Kent