Re: [Sidrops] Paul Wouters' Yes on draft-ietf-sidrops-cms-signing-time-07: (with COMMENT)
Job Snijders <job@fastly.com> Wed, 17 April 2024 17:42 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 060F8C14F5F6 for <sidrops@ietfa.amsl.com>; Wed, 17 Apr 2024 10:42:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Qf_o653Enq4 for <sidrops@ietfa.amsl.com>; Wed, 17 Apr 2024 10:42:49 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D450CC14F5F9 for <sidrops@ietf.org>; Wed, 17 Apr 2024 10:42:49 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-516ef30b16eso7092234e87.3 for <sidrops@ietf.org>; Wed, 17 Apr 2024 10:42:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1713375768; x=1713980568; darn=ietf.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=4fZGg8qI8ob6mZjI6wAMuv2iEvbmNi9/4Ah04/HYMSc=; b=npvsTurew0aBtqHKyX6dF3Z/yCJCZCZgEwqR7mqZBOAyD7DG4dTchMJu6Rn2yIO5yc fW6ddtWn7gxIbDlws1Hbl28KU0IC5glLx5uXkbwFVxasnNo8A9SfrzANk7J1p2h5gaie jmovqttSOe/8A0aZzkJvNvTjCL12zCo3lvNV0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713375768; x=1713980568; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=4fZGg8qI8ob6mZjI6wAMuv2iEvbmNi9/4Ah04/HYMSc=; b=e7lqve+hZF/VJ+p48Y3gc/YTFmRtBdBBPFO8j5h3A/DYV2o+O47lbe3lJxl/Cc4UgG J0e23U2kHSgNlZhBKPcea1WHFqKhyIa1Fw97H72KIO0xv7ipXGRYm1DgcUfY3XWwTcNJ UuE1Zh97wjoNnbg3ha621frM8PdIY3KASRFnCsu11HTjUNVs9QSqi1Ww/bTIBUGbd6C5 EfmaxtJJ8hddj+MEhskcTD73Qs3bMKkAifpvFt2JJJdilmPBK7n8ow7kYL1z00Evbj7L 5x2PZbQVTDCj6jPzfhBvKAQil4Q+KYUBoB5jW+jqiIyteU4WUNvrZQWkuGlN/Zvipjbr +MQw==
X-Forwarded-Encrypted: i=1; AJvYcCXh+vQhJ+ewa5QRZdl7LOxFsL4AqcA/VnWGOAg4hg7s+g8b7mmGMBDI/Hy0hwHVoVjqV0Ygb5Ree+TEaA1k90jV
X-Gm-Message-State: AOJu0YwsNNtuHvLMAeQ/r86QO+tXpCN8oMc7kffkk3cWc04y42Nb4LHN BQVIhaOahJUX1XrhIL10wpAgpOveEWNFGNX49vaxnFR8jY5Lhs8y8RYXB/GXgqw=
X-Google-Smtp-Source: AGHT+IEj3RelXnMOXd2sDCQuem4KgySoYjROIAIxS/fnabE+lRyEAaBTkPhHHFTkjUuDCovmNKAEcw==
X-Received: by 2002:ac2:4982:0:b0:518:9cbf:cd6b with SMTP id f2-20020ac24982000000b005189cbfcd6bmr8783192lfl.13.1713375767618; Wed, 17 Apr 2024 10:42:47 -0700 (PDT)
Received: from snel ([2a10:3781:276:3:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id v3-20020aa7dbc3000000b0057000659ed6sm6265883edt.46.2024.04.17.10.42.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Apr 2024 10:42:47 -0700 (PDT)
Date: Wed, 17 Apr 2024 19:42:45 +0200
From: Job Snijders <job@fastly.com>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: The IESG <iesg@ietf.org>, draft-ietf-sidrops-cms-signing-time@ietf.org, sidrops-chairs@ietf.org, sidrops@ietf.org, housley@vigilsec.com
Message-ID: <ZiAKFcqx-TLWVf4P@snel>
References: <171337370446.17968.11321812442824686242@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <171337370446.17968.11321812442824686242@ietfa.amsl.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/j6DkWr2HJP0-QY84MX5bXF1jINI>
Subject: Re: [Sidrops] Paul Wouters' Yes on draft-ietf-sidrops-cms-signing-time-07: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2024 17:42:54 -0000
Dear Paul, Thank you for taking the time to review this document! On Wed, Apr 17, 2024 at 10:08:24AM -0700, Paul Wouters via Datatracker wrote: > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > The abstract seems overly long and best moved to the Introduction. I would only > keep the last paragraph of the Abstract. Although it seems already mostly > repeated in the Introduction so just removing the first two paragraphs would > probably be good as well. Based on earlier feedback from your colleagues I updated the abstract yesterday. Please see here for the difference. https://author-tools.ietf.org/iddiff?url1=draft-ietf-sidrops-cms-signing-time-06&url2=draft-ietf-sidrops-cms-signing-time-07&difftype=--html Does this work for you? > This document advances the aforementioned concept > > Advance from what to what? I think you mean "from optional to mandatory" ? The intention was to signal there is an 'innovation' in this document: I-D.timbru-sidrops-publication-server-bcp suggests to only update the timestamp if the file is changed, note that it doesn't matter what timestamp is used. However, draft-ietf-sidrops-cms-signing-time takes this one step further and suggests to use a specific timestamp (calculated from a timestamp inside the file), because that allows RPs to do a seamless switchover from RRDP to rsync, without needless retransfers, without ever haven synchronized via rsync before. > In section 2.2, it talks about omitting transfers and sparse backups, but it > does not mention it creates hardlinks for files that need no transfering from > the reference directory, at least how I use rsync, eg with --archive which > means "-rlptgoD". (this is fact the way I still do backups, creating daily > trees that are full directory sets per day all using hardlinks for unmodified > files). With this option, it does the things the document talks about, like > using original datestamp, perms, modes, etc. Using '-a' in context of the RPKI would be *strongly* inadvisable, as this would could lead to rsync to copying executable files, perhaps even with the suid bit set as root. Combined with another issue, this could easily lead to privilege escalation. The rsync --compare-dest option does not create hardlinks. Keep in mind that the copy happens across trust domain boundaries: from the RP's perspective, the remote rsync server represents untrusted, potentially hostile, network input. The OpenBSD RP implementation uses these rsync options: $ rsync -rtO --no-motd --min-size=100 --max-size=4000000 \ --contimeout=15 --timeout=30 \ --include=* --include=*.cer --include=*.crl --include=*.gbr \ --include=*.mft --include=*.roa --include=*.asa --include=*.tak \ --include=*.spl --exclude=* \ --compare-dest ../../../rpki.ripe.net/repository \ rsync://rpki.ripe.net/repository .rsync/rpki.ripe.net/repository The result of the above command is that the *difference* between the (previously validated) content in '../../../rpki.ripe.net/repository' and the remote server, is stored in '.rsync/rpki.ripe.net/repository'. Additionally, the command helps transfer only files that the validator can actually parse (RPs don't want to download .iso files), and helps reject files that are too small or too large, and avoids transferring empty directories. '--delete' is not used, because filesystem cleanup can be performed using cryptographically signed data derived from the RPKI itself. The validator will then validate the data in '.rsync/rpki.ripe.net/repository' according to the RPKI standards, and optionally move files from .rsync/rpki.ripe.net/repository to ../../../rpki.ripe.net/repository if they present a valid newer version, or continue use the 'older' (valid) version in ../../../rpki.ripe.net/repository, if there is some issue with the newly transferred version of a given file. See RFC 9286 section 6 and https://www.ietf.org/archive/id/draft-harrison-sidrops-manifest-numbers-01.html#name-walkthrough-of-the-rpki-cli a more elaborate description of how RPs can decide between accepting the purported new version from the remote side, or continue using a locally cached object. In short, the only thing worth preserving from the remote side are the timestamp on files, the directory hierarchy (but not the directory timestamps), and the file data itself. Does the above elaboration help clarify? Kind regards, Job
- [Sidrops] Paul Wouters' Yes on draft-ietf-sidrops… Paul Wouters via Datatracker
- Re: [Sidrops] Paul Wouters' Yes on draft-ietf-sid… Job Snijders