IETF Logo Mail Archive

Re: [Sidrops] what to do when the CRL is hosed?

Lukas Tribus <lists@ltri.eu> Fri, 03 April 2020 07:32 UTC

Return-Path: <lists@ltri.eu>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9A523A1366 for <sidrops@ietfa.amsl.com>; Fri, 3 Apr 2020 00:32:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gG7nnW8BuLFi for <sidrops@ietfa.amsl.com>; Fri, 3 Apr 2020 00:32:49 -0700 (PDT)
Received: from smtp-relay2.web-server.biz (smtp-relay2.web-server.biz [137.74.38.202]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AAFE3A1333 for <sidrops@ietf.org>; Fri, 3 Apr 2020 00:32:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp-relay2.web-server.biz (Postfix) with ESMTP id EF93C1CD42 for <sidrops@ietf.org>; Fri, 3 Apr 2020 09:32:46 +0200 (CEST)
Received: from smtp-relay2.web-server.biz ([137.74.38.202]) by localhost (smtp-relay2.web-server.biz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2FQ9Y0erH58Z for <sidrops@ietf.org>; Fri, 3 Apr 2020 09:32:44 +0200 (CEST)
Received: from mail5.web-server.biz (www5.web-server.biz [185.181.105.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp-relay2.web-server.biz (Postfix) with ESMTPS id 0F2051CD19 for <sidrops@ietf.org>; Fri, 3 Apr 2020 09:32:44 +0200 (CEST)
Received: from mail-io1-f47.google.com (mail-io1-f47.google.com [209.85.166.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail5.web-server.biz (Postfix) with ESMTPSA id 8E60C47C77 for <sidrops@ietf.org>; Fri, 3 Apr 2020 07:32:39 +0000 (UTC)
Received: by mail-io1-f47.google.com with SMTP id i3so6439124ioo.13 for <sidrops@ietf.org>; Fri, 03 Apr 2020 00:32:39 -0700 (PDT)
X-Gm-Message-State: AGi0Pua9SB5sDBvW1HPXyVyPnlicKhWd100aZXhzRTwwo032jZ/Hcn/7 gHjfXCCyT5FB7jhjuWGLvCN5GWj77cX9+iz1Gk0=
X-Google-Smtp-Source: APiQypKqYeQ+J8zU/ntUkf1dnpxTxAAPEy0iAC354aFeJOF29B2WYB5DKdzwxHigpZOzmzbx91eOtE35rda4UD28gpY=
X-Received: by 2002:a02:b616:: with SMTP id h22mr7290162jam.126.1585899157861; Fri, 03 Apr 2020 00:32:37 -0700 (PDT)
MIME-Version: 1.0
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <20200226173935.GE72144@vurt.meerval.net> <2db8d19a-6f91-d2fc-36c3-65742ba77e6c@ripe.net> <8B09B96B-432C-4190-9DE0-DC2004AAFCC2@nlnetlabs.nl> <CC64461D-4F34-4367-AD9D-D42B2A476363@ripe.net> <75140927-0b8b-07ab-ad2e-952e32256df1@verizon.net> <24198.20355.168888.506246@oz.mt.att.com> <CACC_My-g7bU7FYHiy+3j=HfXBp4+ZEWA96aGOaptROtLg8CSUg@mail.gmail.com> <m2mu7to1jk.wl-randy@psg.com>
In-Reply-To: <m2mu7to1jk.wl-randy@psg.com>
From: Lukas Tribus <lists@ltri.eu>
Date: Fri, 03 Apr 2020 09:32:26 +0200
X-Gmail-Original-Message-ID: <CACC_My9PwS7fSZD-50zCW8q2BtDMGbJA38SYfq+Efqzez_GMzQ@mail.gmail.com>
Message-ID: <CACC_My9PwS7fSZD-50zCW8q2BtDMGbJA38SYfq+Efqzez_GMzQ@mail.gmail.com>
To: Randy Bush <randy@psg.com>
Cc: Jay Borkenhagen <jayb@braeburn.org>, sidrops@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/aKHQxrk06G9loCElVV7V1ZV4NOY>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 07:33:00 -0000

Hello Randy,

On Fri, 3 Apr 2020 at 02:28, Randy Bush <randy@psg.com> wrote:
>
> > - no MITM attacks possible that lead to incomplete VRP sets (with the
> >   supported retrieval methods, which still includes rsync)
>
> you are asking for transport security.  we chose not to take that path.
> if an evil monkey gets in the middle, it should be detectable.  but the
> design does not prevent mitm.

What I'm trying to say is something different:

We promised transport agnostic security. I'm asking that we maintain
that promise.


But if we are unable to maintain that promise and start relying on
transport security, then we need to actually fully admit that and drop
rysnc.

This is because I read some arguments on this list akin to "well this
attack will not work against RRDP, so only rsync ...". What I am
saying is that: we should maintain the same guarantees and
consistencies at the end of the day with both retrieval methods.


I understand MITM - as in denying the *entire* service - is an attack
that affects both retrieval methods. That's ok. What would be
unacceptable for me is that a repository retrieved via rsync could be
affected by a partial withhold attack, withholding some VRP's.


The TL;DR here is, as a network operator, I expect both retrieval
methods to provide the same kind of assurances, consistencies and
security guarantees. On the other hand, if rsync is a second class
citizen, then we need big fat warnings about rsync.


Lukas

v2.23.0 | Report a Bug | By Email