Re: [Sidrops] trying to limit RP processing variability

Tim Bruijnzeels <tim@nlnetlabs.nl> Thu, 16 April 2020 09:40 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF8E63A138C for <sidrops@ietfa.amsl.com>; Thu, 16 Apr 2020 02:40:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJ9RrMVEBnr9 for <sidrops@ietfa.amsl.com>; Thu, 16 Apr 2020 02:40:25 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F305F3A135A for <sidrops@ietf.org>; Thu, 16 Apr 2020 02:40:20 -0700 (PDT)
Received: from [IPv6:2001:981:4b52:1:b4a7:2c39:255:587f] (unknown [IPv6:2001:981:4b52:1:b4a7:2c39:255:587f]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 77F971CDDC; Thu, 16 Apr 2020 11:40:19 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1587030019; bh=MuipPggxSfdMn8bo5uNGmO4ct+SVxEyXEtQT6G5iEdI=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=KOFIViFuwKVTJGsFGCPCFesASbq+aNoHqids2EPTvPrs8EEk7udkRseUYVNuEeRZW +ihMqoLQXsewFHwuIelWbi5NIsgvjxLADIX4AmtgG45NtO4eAwoGoYaApVyctZclEy syYewxKblZTbH/6bGEGU+vaHWaB4Aqh28uEr2atA=
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <29647983-ba87-96c1-111f-a185ef142c38@ripe.net>
Date: Thu, 16 Apr 2020 11:40:19 +0200
Cc: Martin Hoffmann <martin@opennetlabs.com>, "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <82CFB3CE-47F5-4B0B-9A9C-084DA23FA791@nlnetlabs.nl>
References: <a9448e54-320f-300c-d4f9-d01aca2b6ef4.ref@verizon.net> <a9448e54-320f-300c-d4f9-d01aca2b6ef4@verizon.net> <20200415150141.016d021d@glaurung.nlnetlabs.nl> <29647983-ba87-96c1-111f-a185ef142c38@ripe.net>
To: Robert Kisteleki <robert@ripe.net>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/GtDU_Lt8jgQlXSGDvz65vDnS6-0>
Subject: Re: [Sidrops] trying to limit RP processing variability
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2020 09:40:34 -0000


> On 16 Apr 2020, at 10:50, Robert Kisteleki <robert@ripe.net> wrote:
> 
> 
>>> 1.Manifest present, valid, current
>> 
>> If there is a present, valid, and current manifest, the CRL can safely
>> be ignored for all objects.
> 
> While I see the benefits on reducing code complexity, I believe there
> have been arguments before against ignoring the CRL.
> 
>> In order to avoid using partial sets of information, the entire content
>> of the PP is ignored if any object is missing, corrupted, or invalid.
> 
> Doing so will, in the presence bit flips or non-atomic PP updates or an
> attacker hiding/modifying files, invalidate whole subtrees of the
> hierarchy. If this happens high enough in the chain, the result is
> invalidation a significant portion of the RPKI space.

With RRDP CAs can publish consistent atomic deltas. This was one of its design goals.
A bit flip on an HTTPS connection seems highly unlikely, if not impossible, to me as well.

Also RPs that have previous copies of files (and know their URI and hash) do not need to be affected by intermittent issues.

While I understand that it's scary to exclude all VRPs from near the apex of the tree, the alternative is that you will need to accept that announcements can be marked as invalid - because you *know* you do not have the full picture.

> We can do better.

How?



> 
> Robert
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops