IETF Logo Mail Archive

Re: [Sidrops] draft-ietf-sidrops-6486bis-04.txt

Tim Bruijnzeels <tim@nlnetlabs.nl> Fri, 11 June 2021 13:36 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B5483A37C9 for <sidrops@ietfa.amsl.com>; Fri, 11 Jun 2021 06:36:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5OA20b76ZgZ for <sidrops@ietfa.amsl.com>; Fri, 11 Jun 2021 06:36:50 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [116.202.65.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B6DC3A37DB for <sidrops@ietf.org>; Fri, 11 Jun 2021 06:36:44 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 8C0D96062D; Fri, 11 Jun 2021 13:36:41 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1623418600; bh=Zcub47pLdJATWslGAoONnaisPdu2smBSZGv6gzZd/Eo=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=C+qjfrz6MihZHeqiM+zg7WsLgym/4HiT2KSV9NKN84GBseCvb6ytmntY+EtVZndBA OEl67ZYnfx2cEs1aGfMPR3rwQJF3aZXToz8xKlrfMhZxnw8FSIXqLqYZGS/NysLtBd EHeOj4Ek068yvCKngDBH+c/H+9yLQMk2nMu2YwRGJrOG9xEAUfM9nj+3gHXl/xwDE7 4Blsdshc6urFnqCaKhPPNE4QY0I17Te1Gp7cg3uoxy/Wk/7Xc+up+HtmNBnsyq7Vsk fEMac7ETTyblRiFlQY5a+XUhPadyKkmozJwTCBCzK0ABi9eZimoFikO15K4o/EJi6t N7c8uJmLjKx/A==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <4576a83c-4118-9e4e-aec1-e8e9b0a1a069@verizon.net>
Date: Fri, 11 Jun 2021 15:36:38 +0200
Cc: sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <1EF06618-5BF8-46CE-A25C-37D98867EADF@nlnetlabs.nl>
References: <4576a83c-4118-9e4e-aec1-e8e9b0a1a069.ref@verizon.net> <4576a83c-4118-9e4e-aec1-e8e9b0a1a069@verizon.net>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/kHMEAOJHU6LQoaI9jsAMjuKd7j8>
Subject: Re: [Sidrops] draft-ietf-sidrops-6486bis-04.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2021 13:36:57 -0000

Dear Steve,

Thank you for taking this effort!

I have some comments / questions I would like to bring up.


- Section 2 Manifest Scope

This section may benefit from a reference to RFC 6481. In particular, it may not be clear to the reader now that there MUST be only one CRL issued under a CA (certificate). Perhaps replace:
 
   o  the most recent CRL issued by this CA, and

With:

   o  the single, most recent, CRL issued by this CA [RFC 6481], and


- Section 3 Manifest Signing

Job talked a bit about this as well. From my point of view, I believe that all CA implementations use single-use EE certificates for manifests. I don't see a use-case for multi-use in this context.

This is not a showstopper to me, but I think that we have an opportunity to say the single use EE certificates MUST be used, and if we have just one option then this will make the document easier to parse and reason about. E.g. section 4.2.1 can be simplified.


- Section 5 Manifest Generation

There is no text here that says that the single use EE certificate for the previous manifest (if single-use applies) should be revoked. Although later it is implied that a manifest can be revoked. Is this intentional?

Currently my CA implementation revokes old manifests. It is trying to be thorough.

That said, I think there is little point in doing this. The reason is that if an RP would find the new CRL, but still have the old manifest because of some timing issue - then it would find that the CRL hash does not match what is said on the manifest. It would be a failed fetch as described in section 6. Revoking the current manifest on its current CRL is possible, but somewhat hard to achieve with single-use EEs (assuming random serials are used) as well as obviously ill-advised.

One could therefore argue that rather than revoking previous manifest, the 'thisUpdate' or possibly 'manifestNumber' should be leading in selecting an eligible manifest - should an RP have multiple validly signed and current manifests for the same CA somehow. Not revoking previous manifests would help to avoid the "chicken and egg" issue raised in section 6. It is not clear to me that this would really be less safe.

But look, really, rather than trying to pick an argument over this, I raise this because I would like to see explicit text in the document that says what's expected here :)


- Section 6

I believe we have had discussions as a WG and concluded that any current RPKI object (such as ROAs) which are NOT on a manifest can be considered out-of-scope and de-facto invalid by RP software. Notable exception to this would be objects which are never intended to be published inside the regular RPKI such as RSC and RTA objects in future. 

If I misunderstood please let me know. But otherwise might I suggest updating the first sentence:

Current:
 
   Each RP must determine which signed objects it will use for
   validating assertions about INRs and their use (e.g., which ROAs to
   use in the construction of route filters). ...

Suggest:

   Each RP MUST use the current manifest of a CA and add each listed
   file to the set of signed objects it will use for validating assertions
   about INRs and their use (e.g., which ROAs to use in the construction
   of route filters). Any files not listed on the manifest MUST NOT be
   used for validation, unless the profile of its RPKI object type
   explicitly states otherwise. ...


Tim


> On 1 Jun 2021, at 15:36, Stephen Kent <stkent=40verizon.net@dmarc.ietf.org> wrote:
> 
> I revised the text in Section 6 to reflect the suggestion Ties de Kock made in an off-list exchange in late December of last year. Although our esteemed chairs said that someone else would assume responsibility for this I-D early this year, that has not happened. Moreover, there has been no more on-list discussion of this topic, so I elected to complete the agreed-upon changes and publish an update before the old version expired.
> 
> Steve
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email