IETF Logo Mail Archive

Re: [Sidrops] Talk: RPKI Deployment: Status, Challenges and the Learning-Validator

George Michaelson <ggm@algebras.org> Wed, 26 July 2017 22:49 UTC

Return-Path: <ggm@algebras.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A119131E88 for <sidrops@ietfa.amsl.com>; Wed, 26 Jul 2017 15:49:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KlHo89Rgvmhe for <sidrops@ietfa.amsl.com>; Wed, 26 Jul 2017 15:49:00 -0700 (PDT)
Received: from mail-ua0-x235.google.com (mail-ua0-x235.google.com [IPv6:2607:f8b0:400c:c08::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D1D9131D02 for <sidrops@ietf.org>; Wed, 26 Jul 2017 15:49:00 -0700 (PDT)
Received: by mail-ua0-x235.google.com with SMTP id w45so128038995uac.5 for <sidrops@ietf.org>; Wed, 26 Jul 2017 15:49:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=0mXwA7fwKiqdww9P4qka4kqIe2e14U4sdQL6s9CXmRQ=; b=UNLwfvNUkFcOjM0KVdnn1a3x0scDy+BQV+OVRq13EJXunNUmWbhs252ykGQ4imhzHE ubodmu/pDaI7uUKxrvP7AWxfc9WoUAapDYRxDEfmhtaJlaW/Zzs3P7KxueQ0i3xpZrgf HfrJpZT2EjH7tl6Vpr07sthB6nBbEsSK69BacBySVeFaTizdc6IwxPZJaWv7rndWvoSN nTPcO70cgjPc2sklVHE79TSVotRPtbD0aKmcLPDfh5H4FFuupk/QsRUgwQavqz49jVd5 gG0K6aok33GF/Q58ADHvYGiQhIClsBwxVZn1zoOoZGEv3i9fB4TRESfkw/F0Ua1QoPC8 0d0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=0mXwA7fwKiqdww9P4qka4kqIe2e14U4sdQL6s9CXmRQ=; b=EiHE46/lXCjbl2W7SVL7OdDow2uCIouFP73RcQupiLDkFxmdhMBiyDMU21OnJJuJok /iI3pW2NfZhJ/FglwtyWKrlyfINYimoZxsYeVA1XGKeFvQ+s59bxGdA/FrzpuMmODYqS y8VJD2OI4g2i7wxQzkn1QtFqxDQjeychn47Cr8gGlfYXF3+aPHZe/OQbPEUcu0ZzCEb4 QQpHmIoHRgkl8qyFuEVyfeChZFCUbJ3oC8JGRxdKd/Gk5zPQ0sl29x0a3po38wgqqF7x Kdbh3AHfyZBSKowFbd/UMG4uuZ4Oxx7UQP5b7Cv6YXF86c/W4rIFUBtnnQOoWG5M1Oki dx4g==
X-Gm-Message-State: AIVw112bErJc3/gIjsRo/71rWusjmCDIoNqMij3lpYqbtRqq8PORxrop eLOH4HaLLkjvCgov6SVF33f9MRi+lH3dI60=
X-Received: by 10.31.50.137 with SMTP id y131mr1433758vky.181.1501109339273; Wed, 26 Jul 2017 15:48:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.68.87 with HTTP; Wed, 26 Jul 2017 15:48:58 -0700 (PDT)
X-Originating-IP: [2001:dc0:2001:210:8de4:97b6:117e:2210]
In-Reply-To: <m260eflzp4.wl-randy@psg.com>
References: <alpine.WNT.2.00.1707171628150.10844@mw-x1> <5ED572DF-AC77-4F54-92DC-F65C86F4E022@gmail.com> <177afbdbb5424f26992196dae0219ff1@XCH-ALN-014.cisco.com> <78F49BAC-F0F2-4712-862A-BCFA1A9DC35D@ripe.net> <96044ca1d98d4cb99fe2dd8e6d3ead08@XCH-ALN-014.cisco.com> <1A84C9BF-68CD-45A2-A933-02A732603FC9@ripe.net> <m260eflzp4.wl-randy@psg.com>
From: George Michaelson <ggm@algebras.org>
Date: Thu, 27 Jul 2017 08:48:58 +1000
Message-ID: <CAKr6gn3hcbSp6i7knOALexegHeecCQiePY_XHj-po3segqk0VA@mail.gmail.com>
To: Randy Bush <randy@psg.com>
Cc: Tim Bruijnzeels <tim@ripe.net>, sidrops@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/bAK7INRCCCnPp6GZ-7srHgZgFmU>
Subject: Re: [Sidrops] Talk: RPKI Deployment: Status, Challenges and the Learning-Validator
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2017 22:49:03 -0000

I am probably being simplistic, but my memory of this conversation
during happier more innocent days was that a covering prefix's use of
a ROA signalled that RPKI applied to all origin-as assertions made
below it, as more specific. Thats how I understood us to be discussing
it. For this mail, I discount a ROA which fails cryptographic checks:
its being spoofed or is otherwise mechanistically in error and cannot
apply.

The address holder is the sole signatory of a ROA. The address holder
of the covering prefix has a delegation authority over the more
specific. If they had transferred the resources, there would be an
overt 'hole' in their addresses and it would have a different RFC3779
representation, so there is no 'prefix' as such to announce: if they
continue to announce the aggregate covering prefix when there is an
explicit transfer out of the more specific, that wasn't engineered for
in the model. There can be no covering ROA which refers to it since
the 3779 state is not legal under the signing (even under modified
validation, the ROA which overclaims is going to be invalid)

So excluding explicit transfer, I believe the 'reductionist' sense of
a more specific is: either its authorized by an explicit ROA referring
to itself, or its implied as legal in the values specified in a
covering aggregate ROA, or its not actually permissable. I can't see
any other state implied. I do not see this as a tri-state situation:
if the aggregate over it is legal, then all more specifics of that
aggregate require a ROA or implied consent from the aggregate to be
true. (basically, the same AS and a length-permitting setting)

Now, as to intent: if somebody *wants* the more specific to exist,
there is a path out: make a ROA. If this is a timeliness situation,
they haven't published one, thats a transitional fault. if it
persists, its an operational failure. But its not in system to say
"oh, they probably meant this" -Thats not how validation is meant to
work.  Do we really want to move to a world where crypto intent and
declared validation semantics can be _interpreted_ ?

Why do a ROA, for the covering aggregate, if you didn't intend
applying ROA semantics to all addresses in the covering ROA? The
semantics should be concrete. Not inferential.

What am I missing here? What did I not understand? 'inferring' intent,
belief, which is not backed by the literal meaning of the ROAs which
exist, and their cryptographic checks, feels to me like a losing game.

On Thu, Jul 27, 2017 at 6:18 AM, Randy Bush <randy@psg.com> wrote:
>> Accepting more specific announcements leaves one vulnerable though to
>> more specific announcements done with a spoofed AS.
>
> one of the principle goals of the whole effort
>
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email