[Sidrops] Implementation report for draft-ietf-sidrops-signed-tal-12
Job Snijders <job@fastly.com> Fri, 21 October 2022 13:48 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10A0BC14CF0B for <sidrops@ietfa.amsl.com>; Fri, 21 Oct 2022 06:48:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pJBE1ZB7kLNx for <sidrops@ietfa.amsl.com>; Fri, 21 Oct 2022 06:48:00 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27A81C14F749 for <sidrops@ietf.org>; Fri, 21 Oct 2022 06:48:00 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id e18so6070531edj.3 for <sidrops@ietf.org>; Fri, 21 Oct 2022 06:48:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=content-disposition:mime-version:message-id:subject:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=iiB8HPNQcTZ8HaosczBI0yfEemmzwtlNjBCyt1+VO3E=; b=TnFhJYSkVVncj7HkwTsa3+twBog0A+S8Xb8Qlya8WUr81OozyQFkV8sIO/A0qiPRxc r1681/kfycnflgErJV5/FX1gUR30ixdaoH8pnjxBG7Mvwt3EyfJOD/lzpuwQuBzYyllG 9dlYOc88JNjWfQOk+znJr2PTr3VNjfp1Y2Pgc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-disposition:mime-version:message-id:subject:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=iiB8HPNQcTZ8HaosczBI0yfEemmzwtlNjBCyt1+VO3E=; b=5DWCgUSdP3RKA1kzZfU4Pg1XPShEHcsrbelBcq4wFlKT8xLnQ/QkxLSULuRdVTq6TM gbi5LsHc/9TLAVcss4zl6EReiYNhcbvsxsFRpZjQlT0PRdo5Vi0cADdXFf+UMuyDi684 fZjENmdhqmcNOryUIBorowIO7u5un5qwnV5AKxzD2H9MjWsasluPjibaaldUvxPGUOPU ZVSg8822tNIcwMCgokYO0v7F6ZGU9OMWThSL8AKnFTmCK5e0etLsAxaMTy9m5c6eJavb BaFxxVzniH/szLTEnNESQ5kkynkNhZx0/ksh4PD0K+ETSVNx+i/g0xum8VxuDRfzkhBe Ks8Q==
X-Gm-Message-State: ACrzQf2ldLLERI+9tI5cf443tF/ZyRoyvVP/c/ory321k2TedcmEOxGD ELNfThaX2hwrqexK8pyxVIEzk4g8VBAoY6gGRRoYSQHCqmAHmNd1OA7EUS1liiC/uoBWVLlosNy n8yloh2phEunEHC3IHBI5L2Yy5V9UNCaoBFJjK6f5KjHYfFVVUpBROzo=
X-Google-Smtp-Source: AMsMyM5d6I8Pty4fIoeEczdRRPgFje4qrJkaConBzSvGDV2EC748Amjx9BFIIT0MHIH7S1Xs3f+9+Q==
X-Received: by 2002:a17:906:dac9:b0:780:ab6f:591f with SMTP id xi9-20020a170906dac900b00780ab6f591fmr15716356ejb.77.1666360077902; Fri, 21 Oct 2022 06:47:57 -0700 (PDT)
Received: from snel ([2a10:3781:276:1:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id ky18-20020a170907779200b00780a26edfcesm11663031ejc.60.2022.10.21.06.47.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 21 Oct 2022 06:47:57 -0700 (PDT)
Date: Fri, 21 Oct 2022 15:47:56 +0200
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <Y1KjDK4k64UBWra2@snel>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/W9KsbHfXlr5U0k0j6jFCeO0R1ys>
Subject: [Sidrops] Implementation report for draft-ietf-sidrops-signed-tal-12
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2022 13:48:04 -0000
Dear all, I implemented draft-ietf-sidrops-signed-tal-12 in OpenBSD's RPKI validator. More information about this RP implementation is available at: https://www.rpki-client.org/ The 'Signed TAL' software implementation changeset can be found here: https://marc.info/?l=openbsd-tech&m=166635746808783&w=2 Please add to Section 12 "Implementation Status": Responsible Organization: Job Snijders Location: https://marc.info/?l=openbsd-tech&m=166635746808783&w=2 Description: A relying party implementation which can validate TAKs. Level of Maturity: Mature. Trust Anchor operators are encouraged to use rpki-client as part of smoke testing to help ensure high levels of standards compliance when introducing changes, and use rpki-client in a continuous monitoring fashion to help maintain high levels of operational excellence. Coverage: implementation includes all features except TAK acceptance timers. Contact information: Job Snijders <job@fastly.com> Feedback: Overall I found the document easy to read and straight-forward to implement. Tom Harrison's testbed was very useful in producing the above mentioned changeset. I very much appreciate the quick back-and-forths which helped resolve bugs on either side. Notes to the internet-draft authors: 1/ Section 10.2 "TA Compromise" makes no sense to me. I'd like to suggest to remove section 10.2 entirely. There is no such thing as an adversary 'temporarily' being in control of Trust Anchor private key material. Once a TA is discovered to be compromised, this discovery should be widely announced (NANOG, RIPE Routing-WG, SIDROPS, etc); and the community immediately should get to work to remove all TALs pointing to the compromised TA (both in RP implementations, as well in operating systems that bundle RPKI roots in a generic fashion such as Debian/Ubuntu/OpenBSD/etc). However, organisation of responses to TA compromise are out-of-scope for the signed-tal internet-draft. 2/ Section 10.3: s/can be complementary/are complementary/ 3/ Section 11 lacks a Media Type registration. See RSC for an example: https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-rsc#section-10.5 4/ Section 10.1 should also mention certified destruction of previously-current keypair materials. 5/ Section 9 states "can only be relied on once a majority of RPs support it". I don't believe concepts like 'herd immunity' apply in this case, for example in the case of OpenBSD or Debian (where RPKI roots are available to the system operator as non-RP-specific manner); only the packager of the RPKI roots needs to be able to support, and all Debian/OpenBSD users subsequently benefit from that support being downstream. In other words, there are benefits to TAK even if only a very small percentage of RPs support it. Kind regards, Job
- [Sidrops] Implementation report for draft-ietf-si… Job Snijders
- Re: [Sidrops] Implementation report for draft-iet… Tom Harrison
- Re: [Sidrops] Implementation report for draft-iet… Ties de Kock