Re: [Sidrops] 6486bis: referenced object validation

Ties de Kock <tdekock@ripe.net> Fri, 04 December 2020 10:57 UTC

Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8419F3A0949; Fri, 4 Dec 2020 02:57:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dgNSXS7Ty_zw; Fri, 4 Dec 2020 02:57:35 -0800 (PST)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 631273A0940; Fri, 4 Dec 2020 02:57:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Cc:Date:Subject:Mime-Version:Content-Type:Message-Id: From; bh=QHDSHNk3RxnKtg4weDNLPUGJtEJoC7ZkfGeOcy0pExc=; b=fGcuhA3UDNHZKVbmXrax A/eTl/nvt7W7PUr/4or8sa2lwmLHvhicPbkZ2MY/LcYZUgBp8eRFKwcfiGrje0MjnHoJNmHLVdn0I los3Cnkoep13uy14+eRbcx2vX0TccJM5/dxMlDLMfzlGRkFYg0p6JVrvCiLyapH9CyZRNWap3b+bJ Yey2cN/hawo2cthnQ0MAaaXguwrhupo6B7Ng/kMfs7BFRBMhe5bhwkQ/SalLsdHwdDSuzZ7+umD8i vdo8UTAN8hBDHcaauDny3FoTNri66HG6pdsvM06n+3K39LIczMKHPFt0iWb4mVF83oeuk/iUksY7J Sq9fostd5Mcc0Q==;
Received: from allealle.ripe.net ([193.0.23.12]:36434) by molamola.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from <tdekock@ripe.net>) id 1kl8mL-000CIs-Rh; Fri, 04 Dec 2020 11:57:33 +0100
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=[IPv6:2001:67c:2e8:1200::91f]) by allealle.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from <tdekock@ripe.net>) id 1kl8mL-0000zE-Ok; Fri, 04 Dec 2020 11:57:33 +0100
From: Ties de Kock <tdekock@ripe.net>
Message-Id: <78C30B6C-820E-49E9-BE88-6137A26F38E2@ripe.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DEBF7422-0E3D-4D82-8B3F-FC886F95BB8C"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Fri, 04 Dec 2020 11:57:33 +0100
In-Reply-To: <X8oUr+zsCbHk0Q3a@bench.sobornost.net>
Cc: sidrops@ietf.org, Martin Hoffmann <martin@opennetlabs.com>, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>
To: Job Snijders <job@ntt.net>
References: <20201203224213.gnb2nawujxm7a32q@benm-laptop> <20201204111651.4e865d7d@glaurung.nlnetlabs.nl> <X8oSBlR1pDhX83nH@bench.sobornost.net> <EF03D4E0-83EE-4C70-8E81-002DC8C38B95@ripe.net> <X8oUr+zsCbHk0Q3a@bench.sobornost.net>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-ACL-Warn: Delaying message
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e19f65609ae4fd83633b92f7f7626a4298
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/_YdNTC-iAgqx_B3HBFr1NGInFFE>
Subject: Re: [Sidrops] 6486bis: referenced object validation
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 10:57:38 -0000

> On 4 Dec 2020, at 11:51, Job Snijders <job@ntt.net> wrote:
> 
> On Fri, Dec 04, 2020 at 11:47:17AM +0100, Ties de Kock wrote:
>>> On 4 Dec 2020, at 11:40, Job Snijders <job@ntt.net> wrote:
>>> On Fri, Dec 04, 2020 at 11:16:51AM +0100, Martin Hoffmann wrote:
>>>> Under this approach, the manifest expresses which objects the CA
>>>> intended to publish. If all the objects listed on the manifest are
>>>> present with a matching hash, the publication point reflects the
>>>> intent of the CA and can be processed. If it contains invalid objects,
>>>> these can be discarded individually.
>>> 
>>> Indeed, I believe you've now captured the essence of why manifests
>>> exists at all. This is what rpki-client & FORT seem to have implemented.
>>> 
>>> Other than the hashes matching & files being present, additional
>>> conditions apply: the manifest & EE certificate need to be valid,
>>> current, latest, correctly encoded, part of the cert chain, CRL present,
>>> etc.
>> 
>> However, validating these requirements for just CMS objects (as per
>> -03, instead of for CAs as well as per -00) leaves open the situation
>> where only part of the objects for a CA apply. When the ROAs are
>> correct, but the sub-CA is not, this can cause outages.
>> 
>> I don't have a preference on which way to go, but I would propose that
>> we treat invalidation (time, c.f. because of semantic errors) for both
>> CA certificates and other objects similarly.
> 
> I am not sure I follow, can you construct an example data set where the
> 'situation left open' you describe appears?
> 

Thanks for asking for clarification. I'll try to explain the scenario:

CA certificate with <AS64496, 192.0.2.0/24>
  * Manifest, containing
	  * ROA: AS0, 192.0.2.0/24
	  * sub-CA, resources: <AS64496, 192.0.2.0/24>
	  	* Manifest, containing:
			  * ROA: <AS64496, 192.0.2.0/24>

We have "all or nothing" for ROAs. I argue that a similar situation is present
for sub-CAs if the sub-CA expires.

Kind regards,
Ties