IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-07.txt

Ties de Kock <tdekock@ripe.net> Fri, 15 October 2021 11:25 UTC

Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BDA63A1258 for <sidrops@ietfa.amsl.com>; Fri, 15 Oct 2021 04:25:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dA0M3ovmcaOy for <sidrops@ietfa.amsl.com>; Fri, 15 Oct 2021 04:25:15 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D8273A1324 for <sidrops@ietf.org>; Fri, 15 Oct 2021 04:25:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Message-Id:Cc:Date:From:Subject:Mime-Version:Content-Type ; bh=euWNwPugVfa1Ev74MmFbgFrsgKLrnaeJMJ9GaSzYzro=; b=GufidmtpJW7LM/jmWMDTBavU Z5cTL0yzYofru5nJ0M35Tv4x9sjsP19owcv4Lz8pGMCgog3Ccoo0NBkGlAHUJP+llUwJKzCAO+Wgh hSvNLLqN0QEcRDedQOO0sBuiq73cAfhtKLZ+gX03AGb+5xKamZDGZxtVjyzLJJPE9PhtdQlNWJROY Nw6CV1fdIpYWZAdjOLtyCYQweKUkJC5utQQ39wzIc8iXSY+jer8tOA60In8xYp4u+cxncPKWSv4Tt KObEjyy3+EpT5XcYKWA3L+kXHJ5+AxRzVGiMhP//qH6mcdYoJKP4oiZOrS0lPnSGZOm/ODYGxD7yi HjyiwgKQ7g==;
Received: from allealle.ripe.net ([2001:67c:2e8:23::c100:170c]:33536) by mahimahi.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tdekock@ripe.net>) id 1mbLKj-00075d-SK; Fri, 15 Oct 2021 13:25:05 +0200
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by allealle.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tdekock@ripe.net>) id 1mbLKj-00066w-Pd; Fri, 15 Oct 2021 13:25:05 +0200
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Ties de Kock <tdekock@ripe.net>
In-Reply-To: <YWhZXN//4VVuDc+k@snel>
Date: Fri, 15 Oct 2021 13:25:05 +0200
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F0165AC4-8DAC-454E-98D6-B1FB70CDFB4F@ripe.net>
References: <163422093055.5218.7049827726010929590@ietfa.amsl.com> <C368116D-179F-4A2D-A9D9-613A422F0AE1@ripe.net> <YWhZXN//4VVuDc+k@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e107684ce214f72a64be66f8cec29c5fad
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/jwyWn_ruwrR1K3hnYu9vaYbbV8U>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-07.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Oct 2021 11:25:20 -0000

Hi Job,

I don't expect changes to the draft this late in the process, but I think
it would be good to share these concerns.


> On 14 Oct 2021, at 18:22, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> On Thu, Oct 14, 2021 at 05:07:33PM +0200, Ties de Kock wrote:
>>> 4.2.1:
>>> 
>>>      This field is an integer that is incremented (by 1) each time a
>>>      new manifest is issued for a given publication point.  This field
>>>      allows an RP to detect gaps in a sequence of published manifests.
>> 
>> I would really like it if we could leave this open and allow arbitrary
>> increments. It's what is out there in the wild, and RPs can not check anything
>> against manifestnumber either: Not all of them are guaranteed to be visible. 
> 
> But isn't that kind of the point though? To be able to detect whether an
> RP saw all of them, because it is not guaranteed an RP will have
> visibility into all of them?

What would an RP learn from this? Are there any attacks that this visibility
can prevent?

Keep in mind that a malicious CA can sign whatever it wants. And that an on-path
attacker or malicious repository can make objects valid/invalid by presenting
different sets of objects (so there is no need to sign objects if you want to
remove objects from validation).

At the same time, there are many legitimate scenarios in which an update is
never externally observable. So RPs can not 'learn' anything from it - it will
happen many times a day. I will describe a straightforward one below:

We consider a CA that processed ~2K updates an hour in a repository. Two objects
on the same manifest are updated in short succession. After each update, a new 
manifest is issued. The CA supports RRDP and rsync.

The updates are sent to a RRDP publication server synchronously (unlikely for
real implementations). The RRDP publication server processes the two publish
(w/ hash, so replace) operations before issuing the next delta. The update is
never visible in RRDP.

The rsync repository is written to disk batch-wise and revisions are kept around
for two hours. The CA does not have the performance (e.g. disk space, IOPS,
iO bandwidth) to write all 2000 revisions an hour to disk. The rsync repository
is written after both updates are processed. The update is never visible in
rsync.

In some scenarios (a lot of updates, or during a key-roll) you can even have
_many_ manifests that are not visible this way.

TLDR: I argue that in the real world, (potentially many) manifest updates will
never be externally observable and that a malicious repository can often cause
the same result for RPs, without signed objects.

At the same time RPKI has a beautiful property compared to the web PKI: an object
needs to be widely visible (and thus easy to detect!) to affect the default free
zone.

If you have an attack scenario where you can detect the behaviour of a malicious
CA this way, while that attack can not be performed by an on-path attacker,
please elaborate.

>> Strict incrementing counters are also a point of contention in implementations
>> due to database locking on the parent CA.
> 
> Can you elaborate on this aspect?

It is an implementation detail about parallelism and fine-grained locking (on DB
level) that does not lend itself well to description on a list. For manifests it
likely is no real concern. For serial numbers our implementation needs arbitary
increments due to this concern.

>> Existence/absense of manifests of a compliant CA is visible through the CRL. And
>> it does not make behaviour of a sloppy CA invisible.
>> 
>> I would also like to revisit 4.2.2.
>> 
>>>  letter extension.  The extension MUST be one of those enumerated in
>>>  the "RPKI Repository Naming Scheme" registry maintained by IANA
>>>  [IANA-NAMING].
>> 
>> Since the content of the registry is dynamic, I think it would be good to
>> clarify that encountering an unknown extension must not result in a failed fetch.
>> If RPs become intolerant to new filenames using an extension not in the
>> registry (for example .asa) would require a flag day. 
>> 
>> While reducing ambiguity in the results that RPs have when processing manifests
>> is good I don't think rejecting unknown types is worth the downside.
> 
> A flag day can be avoided by putting the .asa object in its own
> Publication Point: then the PP fails on older RPs (which is not a
> problem), and works as expected on newer RPs.

This is a lot of implementation work if there is no attack that it prevents.
It also forces a CA to triple (the CA needs to maintain the PP incoming from
parent plus two children) the number of manifests it needs to keep up to date
per CA, or update less often and open a longer window for replay attacks.

What do you think of his strategy:
  * RPs that do not download unknown extensions do not consider those when
	validating a manifest. Unknown files can not result in a failed fetch.
  * If a new object is "safe" (it does not change the meaning of other objects
	such as GBR) we can add the object with the same manifest version.
  * A new object profile that changes, to whatever degree, the effect of objects
	on the current manifest, requires a new (minimal) version of the manifest.

> 
> Since for (for example) the .asa object type the early allocation
> process is used, I think there is sufficient time between
> 'new idea' -> IANA registry update -> 'deployment in the wild'.
> 
> RP implementers need to stay up-to-date on what RPKI object types
> currently exist, which seems reasonable. I think there is value in clear
> guidance on what RPs should expect and not expect.

While I think people should update quickly, given the update rate I see in data
I think this is a tricky route to go. Updates are slow. For example: despite a
lot of effort there are still ~240 active RPKI Validator 3 instances out there
and about half of those appear to be builds from more than a year old [0].

> For example, rpki-client only attempts to sync currently known
> filetypes, this hopefully limits the (potential) garbage RPs pull in:
> https://github.com/openbsd/src/commit/22ca817fdd32d4cc08710821dad014cf18d1cd85

That is a nice local improvement in security! 

Kind regards,
Ties

[0]: Current numbers will differ - I read this from a chart with data up to the
first of september.

> 
> Kind regards,
> 
> Job
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email