Re: [Sidrops] 6486bis: Failed Fetches

Tim Bruijnzeels <tim@nlnetlabs.nl> Fri, 04 September 2020 23:14 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B0EA3A0B8B for <sidrops@ietfa.amsl.com>; Fri, 4 Sep 2020 16:14:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vI3VnrgT4iJT for <sidrops@ietfa.amsl.com>; Fri, 4 Sep 2020 16:13:58 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41C5B3A0B6E for <sidrops@ietf.org>; Fri, 4 Sep 2020 16:13:58 -0700 (PDT)
Received: from [IPv6:2001:981:4b52:1:55e4:165c:ff49:a540] (unknown [IPv6:2001:981:4b52:1:55e4:165c:ff49:a540]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 7C62B24751; Sat, 5 Sep 2020 01:13:56 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1599261236; bh=jTnEqQkKgEytlXGPUjfPIohzVTah/MLyC6qVHi9BpAI=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=Ceir8LqxrmtJQNWIUOpJO2uZGU6ppz+HhSu5HwK8Rd3zYJI3XbZjHBCNlud+GVQDY Yg7tID9qZBhWxP08pXoS1n8dKRszNh5dKOp80yamn18SuzDS+TI25fjRidaOMuI6kR zYq00JuphyB9j19/3PuJrIfKZVKnfXmDXF5YoyhE=
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <8AAB93F3-6024-438E-9A32-5AE583A51C06@nlnetlabs.nl>
Date: Sat, 5 Sep 2020 01:13:56 +0200
Cc: sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <02763DA8-EE43-405B-9D87-B704D33D9C57@nlnetlabs.nl>
References: <20200817163134.29aa1a6b@glaurung.nlnetlabs.nl> <c1a8fffb-9106-d08e-4254-44ddf1a0115a@verizon.net> <20200818083659.1922a98c@grisu.home.partim.org> <6cebcc89-3e07-8a85-3813-b4ae9887d119@verizon.net> <20200826122539.52493813@glaurung.nlnetlabs.nl> <b71c9c88-fb10-b037-d06a-910711e51e04@verizon.net> <cf7030be-adc4-dde4-7eda-516339fd6c91@verizon.net> <24393.25181.84151.476185@oz.mt.att.com> <4d77e33d-25bb-03a7-7a7e-1535bb2e1f18@verizon.net> <24399.58769.547600.368430@oz.mt.att.com> <8AAB93F3-6024-438E-9A32-5AE583A51C06@nlnetlabs.nl>
To: Jay Borkenhagen <jayb@braeburn.org>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/OzKwWb3VK_D5KHKojxC4lZVVTLo>
Subject: Re: [Sidrops] 6486bis: Failed Fetches
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Sep 2020 23:14:00 -0000


> On 4 Sep 2020, at 22:40, Tim Bruijnzeels <tim@nlnetlabs.nl> wrote:
> 
> Hi,
> 
>> On 2 Sep 2020, at 20:33, Jay Borkenhagen <jayb@braeburn.org> wrote:
>> 
>> Steve,
>> 
>> Stephen Kent writes:
>>> The crux of the issue is whether it is preferable to reject all objects 
>>> at a pub point if an error is detected (until the error is rectified), 
>>> and thus potentially treat many more routes as having an unknown 
>>> verification status, or to accept bits and pieces of data from a pub 
>>> point with the potential that some routes will be treated as valid, even 
>>> if they are invalid. To me, that is a value judgement to be made by 
>>> network operators, not by developers of RP software. [...]
>> 
>> No, there is a bit more to it than that.
>> 
>> I want my network's routers and those of all other networks to be fed
>> with VRPs that represent all the verified and legitimate published
>> origin-ASN intentions of verified, legitimate IP number resource
>> holders.
>> 
>> Clearly the challenge there is in determining "verified" and
>> "legitimate."  In creating the rules (to be documented in
>> standards-track RFCs) for those determinations, I would like the input
>> of all SIDROPS participants to be valued, including the input of the
>> RPKI designers, the CA- and RP-implementers, the RIRs, and the network
>> operators.
>> 
>> To my point: if RP-implementers feel that the "bits and pieces of
>> data" (to use your words) should be considered to best make those
>> determinations, such input should be welcomed; conversely, if
>> RP-implementers feel that strict publication rules and accompanying
>> strict handling of retrieved records together create the best way to
>> make those determinations, we all should listen to what they have to
>> say.
> 
> I don't think it's entirely fair to say that us 'developers' are willing to create security issues for network operators.
> 
> This document is still under discussion, and there simply are still cases that are not fully discussed, e.g. how to filter VRPs if a publication point is found to be bad - to which I posted a suggestion only last week. I thought that discussion phases were meant for that. To look at things from different angles. I am quite certain though that consensus can be reached if we have constructive talks, and that implementation can follow quickly when it does.
> 
> To the point of "bits and pieces". Rejecting a full publication point is the easiest to reason about, so I can see its appeal. That said, consider the case where a ROA is invalid because it contains a prefix no longer held by the CA. Instead of rejecting the complete PP for a CA certificate, and filtering out all VRPs overlapping the resources on it, one could also reject all the invalid ROAs and only filter out VRPs that have any overlap with those ROAs.

This should have said: overlap with the intersection of resources on those ROAs and the CA certificate.

> I understand this is a bit more elaborate, but not dramatically different. As far as I can tell it is just as secure in that this cannot result in RPKI invalid announcements because of a single invalid ROA object.
> 
> Note that I talk about ROA objects that can be fetched, and are known to be current. I.e. the actual manifest content. And provided they can be parsed and validated so you know which resources are affected. If any objects are missing or obsolete then assume the worst - I actually made statements to that effect months ago.
> 
> In any case, I can live with the reject-all model for its simplicity. But I would like to hear an operator input on whether this is indeed desirable. And that the consequence of child CAs - even NIR sized ones - blinking out for a few hours every now and then is an acceptable price for this simplicity.
> 
> Tim
> 
> 
>> 
>>> Experience with X.509 cert extensions suggests that the approach I noted 
>>> is preferable. Saying that older RPs can ignore objects they don't 
>>> understand introduces ambiguity in RP behavior, which is precisely the 
>>> concern that motivated the effort to generate 6486bis.
>> 
>> Ambiguity is bad in any technical endeavor where precision is needed.
>> And we're here discussing this now because there was ambiguity in
>> rfc6486 (not assigning blame -- I missed it, too).  But I don't see
>> how it follows that if/when ASPA (for example) is standardized, that
>> older RPs should be required to throw away all records retrieved from
>> PPs whose MFTs now cite ASPA records.
>> 
>> Thanks.
>> 
>> 						Jay B.
>> 
>> 
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidrops
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops