[Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
Job Snijders <job@fastly.com> Tue, 25 June 2024 15:11 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FBDBC14F5ED for <sidrops@ietfa.amsl.com>; Tue, 25 Jun 2024 08:11:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SRfp4cmR2IjX for <sidrops@ietfa.amsl.com>; Tue, 25 Jun 2024 08:11:10 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32B0DC14EB19 for <sidrops@ietf.org>; Tue, 25 Jun 2024 08:11:10 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id ffacd0b85a97d-3627ef1fc07so4229857f8f.3 for <sidrops@ietf.org>; Tue, 25 Jun 2024 08:11:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1719328268; x=1719933068; darn=ietf.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=wDo3Ky59mkfLTaUa7Up77xfqBvh5FMvgvLGWpGpkm3Y=; b=HI8XUOolPtoWm3p3LW3l07obrPkKyCyuhcFYn63P9WnQVqOpPxQg+xM3sUh0YRU5J/ 481dSNnDFUZnUGGBJ7EBY8Gk05PnEHJ0ppwOcqVay6jlD2SCYgtUX7EvEwiCZmB95Go1 UUQ8gFiRiBOWGOa1vFgQXJjA6wFhapHXolIKw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719328268; x=1719933068; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=wDo3Ky59mkfLTaUa7Up77xfqBvh5FMvgvLGWpGpkm3Y=; b=mCgkCAaGDDvf8r4Scul4czFKNb+JfkECXE5IEGhcwHJAKHbbmub5hJc+U090wUZj6u LVbJJ/MhjPXsHqNUogmKivb8IMunWKaHFri+tGyN/4HoYhwjjIg79CMBrFwRB86yetme CNkKMUvwWseBNw8c9R/Y50TfsBWp1ZenRsgGIKBB5/L0w9DiFpGslk47WBuo6X5lp/nm WL5cgJuj/cnQjUxT62tiFSngbL4ZkmHiBoBYOhJBH01+Rer9mDFE7AA4OjzZN85qE9OQ a2nd0P44z02TZHXnkpMPWFSFZsrWdlUZgdmD//jGzFzKv7PlmsbPzs9MQUsjlJ2gGwHL VedQ==
X-Forwarded-Encrypted: i=1; AJvYcCVzovVLoMOEgGnWq4msQ6pCab8w6PNS0CieuRZeULZfephMRtaatILkMr8Icc5fGbG23z0LikGMNbj2AGyEA90R
X-Gm-Message-State: AOJu0YwjCi5hfIU0LqRaRhZ2yJYgHA+uycE1xoyRbH/5bQGGxPHdUWLl BQKM+R2aY4gyahXGGW13KyB4tA4bCy84AfBWlSAPKgpoNjUEcpn0idm+rYJTNe50sMT6QK8Rb2k J
X-Google-Smtp-Source: AGHT+IFuS0p4WzsOoeVUQMmoiB3pRw5E/Tp2HNNKDYADoQlvY9PyTX+WlwZW+1iP91k/uFfeipvB/g==
X-Received: by 2002:a17:906:2a5b:b0:a6f:1785:d18 with SMTP id a640c23a62f3a-a7245cf2ee7mr457201366b.44.1719324245968; Tue, 25 Jun 2024 07:04:05 -0700 (PDT)
Received: from snel ([2a10:3781:276:0:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a7261c5bc2asm130544366b.186.2024.06.25.07.04.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 25 Jun 2024 07:04:05 -0700 (PDT)
Date: Tue, 25 Jun 2024 16:04:03 +0200
From: Job Snijders <job@fastly.com>
To: Martin Hoffmann <martin@nlnetlabs.nl>
Message-ID: <ZnrOU_l6xeEaEDWA@snel>
References: <ZnNtl9d7cnkMtK-1@snel> <86AF7299-8541-4652-A699-33AED2F73A60@ripe.net> <ZnP6RJ_Ek5ThsSnQ@snel> <4032C398-9611-4540-B375-DDB8D1E33726@ripe.net> <Znln3-EDsb48hNWa@snel> <20240625120620.60ac7d31@glaurung.nlnetlabs.nl> <Znqkvv29Q2MK11-i@snel> <20240625154415.2479876d@glaurung.nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20240625154415.2479876d@glaurung.nlnetlabs.nl>
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID-Hash: FOE4VRWWOTPPO2LMTKMOZEJZLCQ6E2YO
X-Message-ID-Hash: FOE4VRWWOTPPO2LMTKMOZEJZLCQ6E2YO
X-MailFrom: job@fastly.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tim Bruijnzeels <tbruijnzeels@ripe.net>, sidrops@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/dEniJv2uBf_jpY3-sgtfkUMRSLY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>
On Tue, Jun 25, 2024 at 03:44:15PM +0200, Martin Hoffmann wrote: > Job Snijders wrote: > > > > An argument in favor of also looking at notAfter is that it is > > possible for CAs to 'freeze' the notBefore at a given point in time, > > meaning that in subsequent issuances the same notBefore continues to > > appear. I've seen some RPKI CAs (unsure about TAs) exhibit this > > behaviour. > > I figure we can reasonably trust (ha!) TA operators to be careful. I'd like that too, but I figured that aiming for robustness on both sides of the TA <> RP communication channel is desirable. > > I'd also argue that defining a 'complete' tiebreaker procedure at the > > small expense of having a handful of sentences and 4 lines of code* is > > worth it to cover for the edge case of TAs issuing with identical > > notBefore's. > > It’s not really complete though, since you still have the case that both > notBefore and notAfter are identical. So you still need to define what > happens if you have two different certificates with identical times. > > Worse, if you have identical notBefore dates but differing notAfter > dates, you need to make an arbitrary choice which one of the two > certificates you choose. There just isn’t a “clearly it’s this one” > kind of answer. Based on feedback from Tim Bruijnzeels I incorporated an extra step to be published in the next revision of this internet draft: https://github.com/job/draft-sidrops-rpki-ta-tiebreaker/commit/957080b9c279494564dd06e7bcaf714d7acb4c06 The idea is that if the signature is valid, the public key matches, the validity period exactly matches, then the final step is to just use the newly-retrieved certificate. In that case we base 'recency' off the recency of the network fetch. All things considered equal, use the latest one fetched over the network. > So having this additional check doesn’t provide extra safety. I want to > argue that if there’s no benefit, leave it out. I believe that specifying a preference for shorter validity periods helps improve the agility of the system. Again, I agree with you that in almost all cases just using notBefore is sufficient to make a good decision, but in case a notBefore for one reason or another is 'frozen in time' can be addressed by looking at the notAfter, and if that one also is the same, then and only then just use the newly retrieved object (assuming the crypto checks out) > > Another approach is to pick a random URI from the > > TAL (be it HTTPS or rsync), because with the proposed protection > > mechanism rsync becomes less risky. Picking a random URI from the TAL > > has the benefit that if they are hosted on different FQDNs, overall > > resilliency increases. > > I still wouldn’t want to use rsync unless HTTPS doesn’t work -- if only > to keep the rsync load on TA operators at a minimum. Whether we should > suggest to randomize URIs (of the same type) is a question I’d would > like some input from the TA operators from. Given that currently there > is always exactly one HTTPS URI and exactly one rsync URI, it’s all a > bit academic. If the operators say that they want to keep it that way, > I’d rather not have to have randomizing code that isn’t actually ever > used. I agree, as I mentioned in my previous email, rpki-client prefers HTTPS, and if there is an issue at the transport layer will fall back to rsync. An open question is whether we should add some trickery that in case the HTTPS fetch was successful but the object retrieved was garbage, whether to try rsync, or use the locally cached copy and wait for the next validation cycle. I too would love to hear TA operator preferences in this regard. Kind regards, Job
- [Sidrops] Notification for draft-spaghetti-sidrop… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Russ Housley
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Russ Housley
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Dale W. Carder
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Ties de Kock
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Ties de Kock