IETF Logo Mail Archive

Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022

Tim Bruijnzeels <tim@nlnetlabs.nl> Thu, 24 March 2022 07:57 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FA673A1211 for <sidrops@ietfa.amsl.com>; Thu, 24 Mar 2022 00:57:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FhamLcsT8x-l for <sidrops@ietfa.amsl.com>; Thu, 24 Mar 2022 00:56:56 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:65::8:228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1E833A1205 for <sidrops@ietf.org>; Thu, 24 Mar 2022 00:56:55 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 8A0DF43D for <sidrops@ietf.org>; Thu, 24 Mar 2022 07:56:44 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net []) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1648108604; bh=QMeJVlw3nD3O76E0VZGdPukA/VCyxvzaqK4TwkMSZBw=; h=Subject:From:In-Reply-To:Date:References:To:From; b=lNxHPH3GBfT+iSpNlSzupMWRDikQ/XIJuwbQHDLfS8lewfmdG9C9oS9INMGzj72wO XcXlhyVAqaiIpytYUzUzrxtr1O5nzBMYdIjCUjXrhCHYkomBXLMOiyAjqSVqLlrdNt Cmh1G6+X4yua8/0gVNc7RVJ977QCxTCTAspGfk44gAh9q8UmxqBLv/aievyALi+Zxt jlNN1iFrMaEeqxgvr5OU9PFbFbS9j4WvAqJz/ehe4Y5srLLY1L5LH8O0ktEhAqM1Mk 3v39PektQ8/yc40fMCPqVfvxRlwqJ7ywpi2XnvROctrCoRm306SLD+TTPwYGF+pDzz 3O5nmuXvQ8QBA==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <2ca4980f-5b36-13d6-29e8-c73c9f0958bf@verizon.net>
Date: Thu, 24 Mar 2022 08:56:40 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <73C4FCC8-42DF-455F-9EF2-56DC6BD80476@nlnetlabs.nl>
References: <BYAPR18MB26961DE9F15501CCA12ECCF1C13D9@BYAPR18MB2696.namprd18.prod.outlook.com> <851649A5-9075-4956-8B57-E51F612DF6BD@nlnetlabs.nl> <m235jqa2fk.wl-randy@psg.com> <D46FDA88-15E2-4EC6-BE07-0A1A93038B64@ripe.net> <m2v8wm8278.wl-randy@psg.com> <8961B085-5022-49C8-8775-77031B3DD814@ripe.net> <m2r17a80zl.wl-randy@psg.com> <9B0B0DBF-9F7A-4A61-9EBE-BCE556150475@apnic.net> <m25yol8srn.wl-randy@psg.com> <56A29364-EB28-4224-96D0-8A5FE95D1880@apnic.net> <2ca4980f-5b36-13d6-29e8-c73c9f0958bf@verizon.net>
To: SIDR Operations WG <sidrops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Lh3_qYdxUz_TXJ8MKyzC5LP43pU>
Subject: Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 07:57:04 -0000

Dear WG

Allow me to share some thoughts outside of the box.. the things below
may not work but I believe they are worth thinking about.

> On 10 Mar 2022, at 21:46, Stephen Kent <stephen.kent=40verizon.net@dmarc.ietf.org> wrote:
> 
> Geoff,
>> 
>> agreed, yet we have TLS using just-in-time credential provisioning in the
>> initial handshake which has very different scaling properties. The models
>> of DNSSEC provisioning also staple the credentials to the data. RPKI
>> is one of the few models that attempt to pre-provision the entirety of the
>> credential sets to all relying parties all of the time, and I find myself
>> wondering why we ever thought that such an approach would scale!
>> 
>> yes, I agree its just one more aspect of the intrinsic brokenness of the
>> Internet, and, as you say, we plod on! :-)
> 
> TLS creates a pairwise connection between two entities, so transmitting the cert of the server is an obvious, simple approach to solve the problem in question. And, because of the artificially shallow PKI underlying the issuance of certs to servers (thanks to the browser vendors and the cabal of for-profit CAs), it's easy to ensure that a client gets the certs (and CRLs) it needs.
> 
> The RPKI requires essentially ALL RPs to have access to the certs for essentially ALL address space holders. It is much more logical to have a bulk distribution mechanism to facilitate this, vs. some sort of pairwise distribution mechanism of the sorts you cite. The requirements for cert and CRL distribution are completely different for the RPKI vs. the Web PKI- apples vs. kumquats (as Randy might say).

I believe there may be merit in *combining* current repositories with information
that may be sent in BGP itself.

There are some issues with relying on the current RPKI repositories that may benefit
from this approach.

- Delays

New announcements may be invalid regarding to current ROAs, similarly a new provider
may be invalid under known ASPA providers (when deployed), and a new BGPSec router key
may be unknown.

RPKI objects will have to published, retrieved, validated and the validated content
(VRP, providers, ASN-router-key) have to make their way into routers. Until that time
announcements and routes may be rejected.

The delay can be significant. Optimistically it can be as low as 20 minutes between
a CA publishing a new object and on-path routers getting the validated content, but
it may take much longer as well - more than an hour would not be uncommon.

- Repository unreachable

Consider that an RPKI Repository becomes unreachable because for example a mistake
was made in ROA configuration - and this ROAs is published in said repository..

Obviously this should be avoided, but if it does happen then recovery is painful.

RPs are not going to be able to retreive any updated corrective ROA, until the old
information expires and ROV goes to "not found" rather than "invalid". Slurm may
help a bit but I don't think that expecting all ASNs to start using exceptions would
be realistic.

For BGPSec things may be worse - suppose the old router key is lost and unusable..
The repository could publish a new BGPSec router key, but its route would be invalid,
so RPs in validating networks would not be able to find out.

- Publishing CA (client) unreachable

In this case a delegated CA has invalidated the prefix for their CA software and
is no longer able to reach the repository server.

Again this should be avoided, but if it happens..

If the CA can use an alternative path or Slurm between itself and the repository
server then this may help to fix things. Alternatively it can wait for manifests
and CRLs to expire. Or it can ask the parent to be revoked.

I would say all of these are painful.

- Include objects in BGP

Suppose that in some future we would not do full TLS but allow routers to send
the necessary authorization objects for the context of their announcement/update
along. This could simply be the applicable ROA object, ASPA object of BGPSec
router certificate. Dedicated objects could be invented if needed - but there
may be no need.

Routers that receive such objects for routes lacking a current VRP/ASPA/router
key entry could then dispatch this (rtr++) to RP software which can then validate
these objects directly under the applicable CA certificate that it has. Much
like Job was describing for RSC objects. Routers that already have received
the entries through rtr (or lack this capability of finding the objects in BGP)
can ignore the included objects.

In other words: it would allow capable routers to discover new attestations
sooner, but it would not require any or all routers to do this.

This would of course require that routers have a way to include necessary
object. There could be APIs that allow operators push relevant objects manually,
but one could even consider an RTR like protocol where routers can talk to a
CA to get objects. ROAs/ASPAs/BGPSec certificates are usually long-lived,
so this exchange would be low volume and infrequent.

A slightly more involved approach would be to CMS objects with a full path
of certificates and CRLs. But.. this would require regular updates of all
those - and make the validation process more involved. So, just expecting
objects that are signed directly under a known CA certificate (which btw
could also revoke these objects if needed) would still be complicated, but
much simpler.

I understand that all of this would add complexity to an already complicated
infrastructure. So, not doing any of this may be a valid answer, but.. I
don't see other obvious ways to deal the situations described above. If
anyone has other ideas about ways to handle them I would be very interested.



Tim










> 
> Steve
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email