[Sidrops] Re: [WGLC] draft-ietf-sidrops-rrdp-same-origin-00 - Ends 1/July/2024

Alberto Leiva <ydahhrk@gmail.com> Tue, 18 June 2024 01:41 UTC

Return-Path: <ydahhrk@gmail.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B62A8C1D5306 for <sidrops@ietfa.amsl.com>; Mon, 17 Jun 2024 18:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nQp4iUB6HWtq for <sidrops@ietfa.amsl.com>; Mon, 17 Jun 2024 18:40:58 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC892C1CAE70 for <sidrops@ietf.org>; Mon, 17 Jun 2024 18:40:58 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-57c923e03caso5657470a12.3 for <sidrops@ietf.org>; Mon, 17 Jun 2024 18:40:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1718674857; x=1719279657; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=hbZd0xrcwsBQ28YlndatOIsGSX1y2l7TNPnMbX+YCd8=; b=PTnRt76vIeWfYOwqQ66Qm87xJrEGjoqtpi5C5/hsxv7OeLbYg+ZgPSlflXYVBAGZk5 6jdfu2PDoqzD7QXRZLxYhBrVH4HpdNpVk948n+BlsPCPgEfJxSk4lMq2Ho8CSAyXGZ6M m39lfFHh/h30c8mn0Pk4tNEi2M4jlE0lvPOxxWah6Puhwv/Ph4scjmhyrvOK4bIoX2MV T4C7EmVUfrt3BwoDdjWrDU/GrfHq1GTnwxxxOWni7n9RFQemuHC1yi0/ytruMIO9fEiZ RswSttYXY2isRH3PWkAbCjlkdgbVxwtt0nTuyxWvCrytsQzuhGqn5ZKa9BAg87FKdwTx WucA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718674857; x=1719279657; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=hbZd0xrcwsBQ28YlndatOIsGSX1y2l7TNPnMbX+YCd8=; b=L5idU7dav2ya5R0cnwDnxr9cFI753OCPUIaozoUat4cR0STahOClHjc8DBc9WeYVtf 3EG28DmRqkLejO09DULfgg1Bve1e/Ggu+7FpcyUwHHk5GqBi3YvsW3hyAB66T81uD0tv QHy48PFXcvAIu5cQ3TP9mFCBK0txpxT4mGTbMNPUcHgo0iNzjLzetZ0eHkz0T7fkowcN Ac4nL0rG6ciRfNKyKHaKnGxw2EZAV4ukrsqKlpZr32QTO7fg75SnLdq2oGI5NcGFuVUm BbTPkRgyueHy3kUNbdToNTOYHe0KqPIk6EhewSwrU0rWnX5BPjUA2sxPKY1P9UXPOisM RHeg==
X-Forwarded-Encrypted: i=1; AJvYcCVNqzv4IPbg8jv7K73++NgDhIgI7AXUC7K3kFtHXFlrYQNecxceQo80afwrNe+SMmEzb5nDNNBM0hSpmLAOQYKa
X-Gm-Message-State: AOJu0YyAIjAfgWRVb8yRKvDa9v/vaejQffx5EKbjzp2fSpifiB8nBPR6 AsZ9JM6GCt4lmcfH8HqHHjREZ5MF2kr0P8i7jK6fiMqh16EQa8Z3Gmkp7iNqmAdZK222dPcjtC5 DLng/GZ0DA7WBa+GfUTiejq8Es5s=
X-Google-Smtp-Source: AGHT+IGLZMiYuJKglQcgNkqJ/0R8uKK+4SBThC7K8SHnYVRLv6IMGbypZVm/RsxQLYBc2/Png7AlrS4cESbTE7BIkvU=
X-Received: by 2002:a05:6402:33c7:b0:57c:c6f0:e229 with SMTP id 4fb4d7f45d1cf-57cc6f0e2b0mr6156470a12.0.1718674856602; Mon, 17 Jun 2024 18:40:56 -0700 (PDT)
MIME-Version: 1.0
References: <9E606C18-78F2-408F-8180-A0ED27FBACE8@arrcus.com> <CALTLbCEu6wxnWqUKj1_3rFrHTKN4Jpf-ix44ZtnAYD0p+rZZpA@mail.gmail.com>
In-Reply-To: <CALTLbCEu6wxnWqUKj1_3rFrHTKN4Jpf-ix44ZtnAYD0p+rZZpA@mail.gmail.com>
From: Alberto Leiva <ydahhrk@gmail.com>
Date: Mon, 17 Jun 2024 19:40:45 -0600
Message-ID: <CAA0dE=WBTE9m6x5HrvR1wbO_0hvUEZNJGDvXagugC5jz2JnNFw@mail.gmail.com>
To: Nimrod Levy <nimrodl@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 6KUSR3M5O7T63DCKOACZBO7TECN4ARRD
X-Message-ID-Hash: 6KUSR3M5O7T63DCKOACZBO7TECN4ARRD
X-MailFrom: ydahhrk@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Keyur Patel <keyur=40arrcus.com@dmarc.ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: [WGLC] draft-ietf-sidrops-rrdp-same-origin-00 - Ends 1/July/2024
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/kD4Ntkcz24SWQ4CGPGIS8RzQhLk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>

Well,

I noticed the latest version of the draft doesn't elaborate on some of
the notes raised in the other thread, which I think are important.

Tim proposed

> and possible disallowing the use of get parameters
> in URIs, seems prudent.

I understand that this was ultimately agreed against, but I feel the
RFC should explain why, because the problem explained in section 2
aggressively invites this solution.

And Ties mentioned:

>> This solution means that if the adversary wants to feed large files into
>> RPs, they have to host the data themselves, and pay for the network
>> bandwidth cost themselves. This seems reasonable to me.
>
> This is a good mitigation and we should make sure that this line of reasoning is captured somewhere.

As far as I can tell, the draft does not capture this reasoning.

------------------------------

> RPs cannot avoid scheduling a new download per Section 3.4.1 of
> [RFC8182] because Delta file, Snapshot file, session_id and serial
> are significant only in scope of the referring SIA AccessDescription.
> In other words, SIAs are globally unique and can be deduplicated
> before scheduling fetches, but RRDP session_ids are not globally
> unique, contrary to what Section 3.1 of [RFC8182] suggests.

I still have some beef with this paragraph. I imagine part of this is
just my lack of creativity, and I apologize for that, but I would
prefer if the RFC's reasoning didn't leave holes for the reader to
fill.

1. Why "Delta *file*" and "Snapshot *file*"?

If an RP wants an index to prevent a file redownload... wouldn't using
the *file* itself as an index defeat the entire purpose?

Don't you mean "Delta URL" and "Snapshot URL"?

2. The tissue that connects this paragraph to the surrounding ones is
camouflaged by the SIA detour, which doesn't seem very relevant to me,
and raises a question.

I feel like the document should elaborate on "SIAs are globally unique
and can be deduplicated before scheduling fetches" at some point. The
sentence sounds incorrect without context, and the entire paragraph
seems to orbit around it.

What is enforcing SIAs to be globally unique? Suppose:

- Certificate A has rpkiNotify SIA "https://example.com/a/notif.xml"
- Certificate B (elsewhere in the tree, or even in another tree) has
rpkiNotify SIA "https://example.com/a/notif.xml?a=b"

Given that the draft seems reluctant to advocate for parameter
removal... how do you deduplicate those?

3. I'm not actually sure if we understand the same concept from the
word "deduplicate," because it's not defined in the draft, and it's
also not defined in any of the RFCs it references. (I didn't search
deeper, though.)
4. Isn't there a "the" missing between "in" and "scope"?
5. The "in other words" second half of the paragraph doesn't seem
equivalent to the first, adding more confusion.

It's not equivalent because it only elaborates on session_id, leaving
"Snapshot file," "Delta file" and serial in limbo. Furthermore, the
logic that explains why session_id is not indexable doesn't seem to
extend to the other fields.

--------------------

Maybe I should propose an alternate version of the paragraph:

> RPs cannot recognize they have already downloaded the file, because
> the attacker has effectively morphed the Snapshot's URL into a
> different Uniform Resource Identifier [URI], and nothing enforces
> session_id (and/or serial) to be globally unique (despite what Section
> 3.1 of [RFC8182] suggests).

And then maybe explain the SIA quirk in a separate paragraph:

> This is all in contrast to the SIA AccessDescription field, which
> doesn't suffer this problem because [...].

---------------------------

> If the adversary increments the serial in tandem with RIPE NCC
> incrementing their RRDP serial, every next request to
> _https://badhost/notification.xml_ causes another large file download
> on the RIPE NCC servers, exacerbating the issue.

Aaaaaaah. I don't like this paragraph either.

(First: Maybe change "another large file download" into "another large
snapshot download," because otherwise it kind of sounds like you're
talking about the notification.)

The paragraph seems to imply that, if the adversary doesn't increment
the serial along with RIPE, the RP will not download the file again.
That the adversary needs to keep incrementing the serial to sustain
the attack. Ok, makes sense.

But it invites a deformation of the argument: If the adversary
increments the serial *regardless* of RIPE, what's stopping the RP
from downloading the snapshot again? Is there a requirement somewhere
that states that the RP has to detect this type of RRDP session
desynchronization? (Different serial, same snapshot.)

(Yes, I'm aware rpki-client will discard the snapshot as soon as it
notices the serial mismatch during transfer, but I'm talking about a
generic RFC-compliant RP here. I know the "streaming RRDP file"
feature is outside of the scope of your draft, but my point is that
the paragraph doesn't really make sense in the context of the present
RFC ecosystem as I understand it.)

Alternate (slightly more generic) attack proposal:

Making sure the serial always matches the snapshot, point to a
different available snapshot every time. The serial will always
change, which means RPs will always have to download the snapshot,
either because a new one is available (and there are no deltas), or
because the lower serial will trigger an RRDP reset. You will not
attack RIPE when they switch snapshots, you will guarantee RPs attack
RIPE during every validation cycle.

Proposal:

> If the adversary keeps changing the notification's session metadata,
> every next request to _https://badhost/notification.xml_ causes
> another large snapshot download on the RIPE NCC servers, exacerbating
> the issue. (For several popular RP implementations, this presently
> requires that the malicious notification's session metadata always
> matches the snapshot's session metadata.)

Sorry for being so pedantic
Alberto

On Mon, Jun 17, 2024 at 6:20 PM Nimrod Levy <nimrodl@gmail.com> wrote:
>
>
> On Sun, Jun 16, 2024 at 6:12 PM Keyur Patel <keyur=40arrcus.com@dmarc.ietf.org> wrote:
>>
>> Hi Folks,
>>
>>
>>
>> A working group last call has been issued for  “Same-Origin Policy for the RPKI Repository Delta Protocol (RRDP)” https://datatracker.ietf.org/doc/draft-ietf-sidrops-rrdp-same-origin/.
>>
>>
>>
>> Please send your comments to the list. The adoption call will end on July 1, 2024.
>>
>>
>> Job please reply indicating whether you’re aware of any relevant IPR that hasn’t been disclosed.
>>
>>
>>
>> Best Regards,
>>
>> Chris, Russ & Keyur
>>
>> _______________________________________________
>> Sidrops mailing list -- sidrops@ietf.org
>> To unsubscribe send an email to sidrops-leave@ietf.org
>
>
> I have read the draft and support publication.
>
> Nimrod
> _______________________________________________
> Sidrops mailing list -- sidrops@ietf.org
> To unsubscribe send an email to sidrops-leave@ietf.org