Re: [Sidrops] what to do when the CRL is hosed?

Christopher Morrow <> Tue, 31 March 2020 15:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C8B8D3A2361 for <>; Tue, 31 Mar 2020 08:42:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PVI-SnBIVTah for <>; Tue, 31 Mar 2020 08:42:12 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 90F483A236C for <>; Tue, 31 Mar 2020 08:42:12 -0700 (PDT)
Received: by with SMTP id o10so23407315qki.10 for <>; Tue, 31 Mar 2020 08:42:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4+O9Ehpbrxmd89fd93+rDxvo4m6q33p/OKzL6h6gHpI=; b=I65h0VSCWOu8ANeJKXaDPtbMsoKDlIQAdFvvn3rB7MoGzSnsEJsKKtn/DlsKzIEA2i 71cIegI6zTXZL6iJ7ir/b2Q+Tk0khbdG9oX3voSgIkixHuYX2VP49Q1+rN73RBfSt94i qMiEyAE/na2yXmk/2lTKEMILK0DcMSMaekwqWpjZlQsbDxj4sRHTOd9nvoS8ld2X40eJ DGXH2XSpzcxi6X4wnmNoP+bm1+8rwwP8TWO278DIKu9p0Z6o/w+PJL7x8w75eshRN6ln /QKnenAqSCDUdQYCIQp3YD5BkC8Rd3E6Q0WhOU26NQiIT+1uBrK0Ndk3RqRCguUJyDjx yVZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4+O9Ehpbrxmd89fd93+rDxvo4m6q33p/OKzL6h6gHpI=; b=SJv60xRwp+B8SjAzF60fkRGUd7Scm3S8ZBw4eWo5WFBNwkwCh+f09gvPl53JFZeaDq crt4Mo9KAEZyt05ej0DpyfmjxFVZ7TeXn/lqgOA4CH9opuvk4zCtpVP6Zi8laADZ/PR+ gSznnGAi2d1kBt83lMzUlW3cIzjc0GHGnEqKKQHCSZgdXDspACDrAT7FrCzbLqnoeiUb Pdtc0K6bqrjf1JXsnoJ/7++FnDGbepMykTX2+JTy8qZa3NnP8taZWnhe6gzMgp0b+twr wUtK8SEsF9D3Cl0BenZKH8+7KOGFeJTXHG2k/FouMs9Qw8ZqaLSEKA4Kp8f2Py8EiwW7 GUlA==
X-Gm-Message-State: ANhLgQ0kEIQSUapGTqFTzkx+GzJMrkIlx186RvfTHRnQQ/NojZrOeo9P qoWt74+sj7R9pz4rxn0nd8rzp5zmC5HeE0kU9BCsdH/q
X-Google-Smtp-Source: ADFU+vtOEw4XoyCkFdmNo/NEQalA/57g9HWG+Nmjqqn+19MiPAE4VvSqQsWSxAKcqtL9qAaPwbprPAf7mqnRy1eKJi8=
X-Received: by 2002:a37:a991:: with SMTP id s139mr4661097qke.116.1585669331363; Tue, 31 Mar 2020 08:42:11 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Christopher Morrow <>
Date: Tue, 31 Mar 2020 11:42:00 -0400
Message-ID: <>
To: Stephen Kent <>
Cc: Job Snijders <>, SIDR Operations WG <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 31 Mar 2020 15:42:14 -0000

first, apologies for getting back around to this so late :(

On Thu, Mar 26, 2020 at 10:57 AM Stephen Kent
<> wrote:

> So, I think discussing MITM attacks is a distraction, unless we have examples of how
> such attacks can affect RPs in ways different from attacks on repositories. Maybe re-reading
> RFC 8211 would be useful, as it tries to analyze a range of possible "adverse actions"  by CAs or
> repository managers in the RPKI context, and discusses how RPKI mechanisms are intended to
> detect/counter these actions.

In the case of the incident which started this thread we ended up
publishing part of the content a
repository needs to publish such that the relying parties can verify
properly that the content in the
repository is correct/valid/usable. The discussion then went along a path like:
   1) "well... maybe we shouldn't have belt and suspenders?" (manifest AND crl)
   2) "what happens if we don't publish this pesky CRL? and rely only
on the manifest?"
   3) "what if we don't publish the manifest and only rely on the CRL?"
   4) "CRL + Manifest has made 'rp software' hard/buggy"

In the world where the protections specified for RPKI exist:
  1) self contained content protection (roa / ee-certs / etc are
packaged securely)
  2) crl signed and available in the repository for revocation actions
on objects in the repository
  3) manifest signed and listing all objects of interest in the repository

Steve (kent!) is right mitm is harder to see as a threat.
  "All objects you get are signed by a ca-cert which is signed by the
root.. which is in the list of TAL you have. You can't have missing
objects and you cant' remove objects without affecting the signed

In a world where we remove one/some of the protections:
   A) no more manifest
   B) no more crl
   C) both

I think mitm problems are much harder to detect/deal with :(
It sounds like WG folk (RP users and RP/CA software authors) are
asking for guidance on handling the problem(s) discussed here.
It sounds, to me, like a chat at the upcoming interim meeting would be
a great place to start that with some slideware and a proposal to use
as kindling.

I think the shape of the conversation is roughly:
  "What would be the effect (on the routing system) for RelyingParties
if we decided to be less strict about CRL existence?"
  "What would be the effect (on the routing system) for Relying
Parties if we decided to be less strict about repository contents vs
Manifest contents?"
  "What happens to the routing system if the manifest and crl are
either/both 'broken' in a repository?"

I don't think it matters much to the routing system where the breakage
occurs (my repository or RIPE/ARIN/etc) certainly there's more fallout
from ARIN/RIPE/etc, but... you can't get to me either way :)
(possibly) until repair and propogation.

Thoughts on some slideware and discussion?
Did I about capture the meat of the sandwich here?

co-chair but asking as a regular chemical engineer at this party.