Re: [Sidrops] what to do when the CRL is hosed?
Job Snijders <job@ntt.net> Wed, 26 February 2020 02:25 UTC
Date: Wed, 26 Feb 2020 02:25:35 +0000
From: Job Snijders <job@ntt.net>
To: Louis Poinsignon <louis.poinsignon@gmail.com>
Cc: sidrops@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/V3edp8Mpm4bievN8qjLwGeV4G3Y>

Dear Louis, group,

On Tue, Feb 25, 2020 at 06:02:05PM -0800, Louis Poinsignon wrote:
> My opinion on an operational standpoint.
> I don't think I'd like having our routers suddenly reprocessing the million
> routes associated with 78000 ROAs leaving us with an increased surface of
> attack and potential reroutings.

It differs from BGP implementation to BGP implementation whether a
million routes in their concept of the RIBs need to be reprocessed, or
only the routes covered by the (now invalid) ROAs / VRP removal. I
believe there are high performant BGP/ROV implementations out there.

> The outage lasted 8 hours as well. Even with a replayed certificate,
> I don't believe the impact would be as critical. And it would leave
> traces. If the impact of a mistake is more punitive than a proper
> misuse, it's bad.
>
> While I believe Job is right on the discrepancy between validators, I agree
> with the point of Martin on the added complexity.

The only punitive effect I observe is towards the CA operators (a small
group, appears not too often to make mistakes), but at the same time
there are continuous benefits going to the relying parties (a large
group, the internet).

I see opportunity for a movement to motivate CA operators to the
strictest possible interpretation of how their RPKI CA & publication
process works and how the data distributed will be validated.

> Even though browsers and RPKI are different, I think we can learn from
> the experience. Which is to get away from CRLs.

I agree this is worthwhile exploring.

Kind regards,

Job