[Sidrops] current state of TA certificate issuances & validity periods
Job Snijders <job@fastly.com> Mon, 24 June 2024 15:52 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0335DC14F68C for <sidrops@ietfa.amsl.com>; Mon, 24 Jun 2024 08:52:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Weto20oNaIdX for <sidrops@ietfa.amsl.com>; Mon, 24 Jun 2024 08:52:42 -0700 (PDT)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0273BC18DB8B for <sidrops@ietf.org>; Mon, 24 Jun 2024 08:52:41 -0700 (PDT)
Received: by mail-ej1-x634.google.com with SMTP id a640c23a62f3a-a724a8097deso163439266b.1 for <sidrops@ietf.org>; Mon, 24 Jun 2024 08:52:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1719244360; x=1719849160; darn=ietf.org; h=content-disposition:mime-version:message-id:subject:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=AlO9/BSEnY4tSnQR4gf1zYyTnJ4nk/kAkmbxpPqVDHI=; b=fomT7byeFd2z3uWPx9JOc2Hi6Bcsw9EUMW+gmKw7TX80XVjDdvvZ2mwyKbq/Iplkwe Cs33i2/gS27S4JpfX2NelhbKeiz/QCVXKHCKqrlA1hcV1kffz6t1br0/g9ZPLXyPxh6v bFsErHY2ZkqA3jG+cuciKiCXmrqUjhRbbvFUc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719244360; x=1719849160; h=content-disposition:mime-version:message-id:subject:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=AlO9/BSEnY4tSnQR4gf1zYyTnJ4nk/kAkmbxpPqVDHI=; b=vLH5l5G+G4xfGRO4dvV6zvARkyRg+55k4LfyrnrZI0obpDMw1p0uJ4Th67/hzbrI4B Gj7as0Z+HnEGfI4cRogaZsuooX3//s3L+q14eDD71bi/hH8oKYH0uxRiWm/olyQIcmIi zbQ5CANyPl92r04DTLc7Ghf2ASllXiecGW3AeKDpg804faXKyuPTJnLXhyV320QkIRU5 61Z/nRpf31pZsvoS7MNisBA1VpZpHVqjrwTVuWlMabN5/XaB1BGLSs0P8RHtPicjsKvO tJrj8MWo0y/inhTcEVUYOYq3Pg7yJL0wu+cafaKcciwNtsvdKubEzBO+xp43ZELQd0I0 vIig==
X-Gm-Message-State: AOJu0YwYyHSKnQq9f8b12/kcqO38MOh5wJyTn4NBQmtFa0ehZvYjuvcW 12PVcbE95mxl7ueXQJ3lapsgGu0ynkcJ5BHRwzJVsIPqSY+d6wrYVMMDaO7De20K3NxoRukujah SQe7aAH4dSwmSSd78+ZQDu3eyNP1h2qIVPn6pRONDXFxJOkXziqCAOnt7rMliJBZvqXtI5/R+c2 B+MbBrzihg7W11wMQGHPuf5w==
X-Google-Smtp-Source: AGHT+IGGeXrE8MufuS/FOjm0TLGj5HHOqa3lZ3B/CXC70UAVTNN3+VM8L+1PmkeETfvDmgSuzfEwxg==
X-Received: by 2002:a17:906:dc91:b0:a72:60e2:bf5 with SMTP id a640c23a62f3a-a7260e21034mr85556166b.19.1719244359892; Mon, 24 Jun 2024 08:52:39 -0700 (PDT)
Received: from snel ([2a10:3781:276:0:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a6fe4eeb106sm302186466b.167.2024.06.24.08.52.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Jun 2024 08:52:39 -0700 (PDT)
Date: Mon, 24 Jun 2024 17:52:37 +0200
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <ZnmWRSGxXgplYioq@snel>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID-Hash: JHUULDEFMFOK3QHARWZL4PU26WEFGMXU
X-Message-ID-Hash: JHUULDEFMFOK3QHARWZL4PU26WEFGMXU
X-MailFrom: job@fastly.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] current state of TA certificate issuances & validity periods
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/NxzvSFH0sPXEmyfOS99cLApFKqM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>
Dear group, I'd like to share more information on the relevancy of https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rpki-ta-tiebreaker/ in context of old but still valid TA certificates. I've done some spelunking and discovered that in the past (at least) two TA certificates have been issued which contain constraining INRs, which by now are woefully outdated. However, these TA certs are valid for at least another year or two: Certificate issuer: /CN=arin-rpki-ta Certificate serial: 010D0C9F4328576D51CC73C042CFC15024AF3A1B Hash identifier: x0GxHqdGhsdJnlXnzpu2CSPL9XwYPowW/ECKqzZysBI= Manifest: rsync://rpki.arin.net/repository/arin-rpki-ta/arin-rpki-ta.mft caRepository: rsync://rpki.arin.net/repository/arin-rpki-ta/ Certificate not before: Thu 01 Oct 2015 18:34:34 +0000 Certificate not after: Wed 01 Oct 2025 18:34:34 +0000 Subordinate resources: AS: 1 -- 6 AS: 8 -- 27 AS: 29 -- 136 AS: 138 -- 172 ... Certificate issuer: /CN=AfriNIC-Root-Certificate Certificate serial: D462C96A060634CE Hash identifier: 6oniYNeHhwxwMOqOCY8sxpRyIf9JKQum37pe6y2Sd18= Manifest: rsync://rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/62gPOPXWxxu0sQa4vQZYUBLaMbY.mft caRepository: rsync://rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/ Certificate not before: Thu 22 Dec 2016 11:13:39 +0000 Certificate not after: Sun 20 Dec 2026 11:13:39 +0000 Subordinate resources: AS: 1228 -- 1232 AS: 2018 AS: 2561 ... If copies of the above two certificates somehow are brought back into circulation, RPs (without the ta-tiebreaker mechanism or without a cached copy) are likely to end up rejecting 100% of subordinate products (in the case of AfriNIC), or ~ 50% (in the case of ARIN). The difference in impact between the two is be explained through ARIN's use of 'inherit' elements in various top-level certs. RISK ASSESSMENT OF REPLAYS ========================== In this working group the phrase 'on-path attacker' is a nice shortcut to reference a fairly elaborate concept, but I don't think actual adverserial on-path attacks are the highest risk that needs addressing. A lot of RPs nowadays use TLS verification on the HTTPS channel when fetching TA certs which helps increase confidence in the download. I deem a more probable risk that TA operators accidentally place an older issuance on the URI's referenced from the TAL file. I suspect there is a number of manually executed steps in the TA resigning ceremonies, so to me it isn't beyond imagination that at some point in the future the wrong files are copied to the online location. Another probable risk is when CDNs are in use and one of the CDN's caching nodes for some reason is out-of-sync with the origin, serving an older version of the TA certificate. >From the RP perspective, the latter two cases are indistinguishable from an actual on-path attacker. THE CASE FOR SHORTER VALIDITY PERIODS ===================================== The two issuances of TA certificates mentioned before would obviously no longer pose a risk had their validity period expired by now. TA operators require agility, specifically for two cases: updating the subjectInformationAccess extension and updating the INRs in the RFC 3779 extensions. TA operators might think "we will NEVER change the SIA and ALWAYS stick to 0.0.0.0/0 + ::/0 as INRs!", then again Charles Dickens warned us "Never say never" :-) It probably is reasonable to confidently state "in the coming 12 months we do not anticipate to change the SIA or INRs", but confidence probably start waivering when imagining the coming 5, 10, or even 100 years. Now that there is a formal description in the form of draft-spaghetti-sidrops-rpki-ta-tiebreaker to favor shorter validity periods, I think there now is a (small) incentive for TA operators to - going forward - issue TA certs with shorter validity periods. It seems beneficial for both TA operators and RP instances for older issuances with (now) outdated SIA or INR information to expire in accordance with the length of internal planning cycles related to possible future SIA or INR changes. CURRENT VALIDITY WINDOWS OF TA CERTS ==================================== AfriNIC: Mon 30 Mar 2020 09:58:36 - Thu 28 Mar 2030 09:58:36 APNIC: Wed 01 Nov 2023 23:48:07 - Mon 30 Oct 2028 23:48:07 ARIN: Tue 30 Jan 2024 16:17:49 - Mon 04 May 2026 15:17:49 LACNIC: Tue 05 Mar 2024 14:14:56 - Sun 05 Mar 2124 14:19:56 RIPENCC: Tue 28 Nov 2017 14:39:55 - Sun 28 Nov 2117 14:39:55 ARIN's validity period clocking in at 2 years is the shortest, followed by APNIC (5 years), AfriNIC (10 years), and then LACNIC & RIPE NCC both at 100 years. In this context, I personally favor ARIN's approach. Kind regards, Job
- [Sidrops] Re: current state of TA certificate iss… Tim Bruijnzeels
- [Sidrops] current state of TA certificate issuanc… Job Snijders