Re: [Sidrops] what to do when the CRL is hosed?

Tim Bruijnzeels <> Fri, 03 April 2020 08:12 UTC

From: Tim Bruijnzeels <>
In-Reply-To: <>
Date: Fri, 03 Apr 2020 10:12:36 +0200
Cc: Randy Bush <>, Jay Borkenhagen <>,
To: Lukas Tribus <>
Subject: Re: [Sidrops] what to do when the CRL is hosed?


> On 3 Apr 2020, at 09:32, Lukas Tribus <> wrote:
> Hello Randy,
> On Fri, 3 Apr 2020 at 02:28, Randy Bush <> wrote:
>>> - no MITM attacks possible that lead to incomplete VRP sets (with the
>>>  supported retrieval methods, which still includes rsync)
>> you are asking for transport security.  we chose not to take that path.
>> if an evil monkey gets in the middle, it should be detectable.  but the
>> design does not prevent mitm.
> What I'm trying to say is something different:
> We promised transport agnostic security. I'm asking that we maintain
> that promise.
> But if we are unable to maintain that promise and start relying on
> transport security, then we need to actually fully admit that and drop
> rsync.
> This is because I read some arguments on this list akin to "well this
> attack will not work against RRDP, so only rsync ...". What I am
> saying is that: we should maintain the same guarantees and
> consistencies at the end of the day with both retrieval methods.
> I understand MITM - as in denying the *entire* service - is an attack
> that affects both retrieval methods. That's ok. What would be
> unacceptable for me is that a repository retrieved via rsync could be
> affected by a partial withhold attack, withholding some VRPs.
> The TL;DR here is, as a network operator, I expect both retrieval
> methods to provide the same kind of assurances, consistencies and
> security guarantees. On the other hand, if rsync is a second class
> citizen, then we need big fat warnings about rsync.

I believe that TLS Verification for RRDP MUST become mandatory. No, it's not perfect, it's not a replacement for the *object* security that exists in RPKI, but it's an additional check. In particular it can help to flag if an RP is misdirected or a MITM might be in play.

With regards to phasing out rsync. I tried to start that discussion at IETF 106, and made an initial write-up:

I have not yet asked for WG adoption - I forgot in the midst of lots of other work etc. That said, I can do so. I am happy to accept co-authors as well. My impression from the room (not wanting to put on any chair hats) is that there is no strong opposition to phasing out rsync.

However, this discussion is somewhat orthogonal to what RPs should do in case they find issues with a MFT, CRL, or know that there are objects that are missing. These problems exist regardless of the transport.


> Lukas
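The partial-withhold concern raised in the quoted text, and the question of what an RP should do when a manifest, CRL or object is missing, both come down to one check that is independent of the transport: comparing what was fetched against the manifest's fileList. The following is an added example (not code from this thread, and not from any RP implementation) of that check. It assumes the manifest has already been cryptographically validated and is represented as a plain dict, and that the fetched publication point is a dict of filename to bytes; real RPs parse the CMS/X.509 structures instead. The sample objects and hashes are constructed. The fallback policy in decide() follows the failed-fetch handling later written down in RFC 9286 (use previously cached objects rather than a partial set).

```python
"""Manifest-based detection of withheld or altered repository objects.

Added example, not part of the thread. Assumptions (constructed):
  - manifest: {"nextUpdate": datetime, "crlName": str,
               "fileList": {filename: sha256-hex}}
  - fetched:  {filename: bytes} as retrieved over rsync or RRDP
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed "current time" used by the scenarios below.
NOW = datetime(2020, 4, 3, 10, 12, tzinfo=timezone.utc)


@dataclass
class ManifestCheck:
    missing: set = field(default_factory=set)     # on MFT, not fetched
    mismatched: set = field(default_factory=set)  # fetched, hash differs
    extra: set = field(default_factory=set)       # fetched, not on MFT
    stale: bool = False                           # MFT nextUpdate passed
    crl_missing: bool = False                     # CRL named by MFT absent

    @property
    def ok(self) -> bool:
        # Extra files are ignored (RFC 6486 semantics); everything else
        # means the publication point cannot be trusted as fetched.
        return not (self.missing or self.mismatched
                    or self.stale or self.crl_missing)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_publication_point(manifest: dict, fetched: dict,
                            now: datetime) -> ManifestCheck:
    """Compare the fetched objects against the manifest's fileList."""
    result = ManifestCheck()
    if now > manifest["nextUpdate"]:
        result.stale = True
    for name, expected in manifest["fileList"].items():
        data = fetched.get(name)
        if data is None:
            result.missing.add(name)        # withheld or lost in transit
        elif sha256_hex(data) != expected:
            result.mismatched.add(name)     # altered or out-of-date copy
    result.extra = set(fetched) - set(manifest["fileList"])
    # The CRL covering the manifest's EE certificate must itself be
    # listed on the manifest and present in the fetched set.
    crl = manifest["crlName"]
    if crl not in manifest["fileList"] or crl not in fetched:
        result.crl_missing = True
    return result


def decide(result: ManifestCheck, have_cache: bool) -> str:
    """Policy: never act on a partially fetched publication point."""
    if result.ok:
        return "use-fetched"
    return "use-cached" if have_cache else "reject-publication-point"


def build_constructed_scenario(withhold=frozenset(), tamper=frozenset()):
    """Constructed sample publication point; returns (manifest, fetched)."""
    objects = {
        "ca.crl": b"constructed CRL bytes",
        "roa-as65000.roa": b"constructed ROA for AS65000",
        "roa-as65001.roa": b"constructed ROA for AS65001",
    }
    manifest = {
        "nextUpdate": datetime(2020, 4, 4, tzinfo=timezone.utc),
        "crlName": "ca.crl",
        "fileList": {n: sha256_hex(d) for n, d in objects.items()},
    }
    fetched = {n: (d + b"X" if n in tamper else d)
               for n, d in objects.items() if n not in withhold}
    return manifest, fetched


if __name__ == "__main__":
    m, f = build_constructed_scenario(withhold={"roa-as65001.roa"})
    r = check_publication_point(m, f, NOW)
    print("missing:", sorted(r.missing), "->", decide(r, have_cache=True))
```

The point of the example is that a withheld ROA is caught by the manifest whether the objects arrived over rsync or RRDP; what differs between transports is only whether the RP also has a channel-level signal (TLS verification on RRDP) to flag the problem earlier.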