[Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
Job Snijders <job@fastly.com> Tue, 25 June 2024 11:06 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 688A2C15152F for <sidrops@ietfa.amsl.com>; Tue, 25 Jun 2024 04:06:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 82N3wjp83oxM for <sidrops@ietfa.amsl.com>; Tue, 25 Jun 2024 04:06:42 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A56F3C1519B4 for <sidrops@ietf.org>; Tue, 25 Jun 2024 04:06:42 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-424720e73e1so44095895e9.1 for <sidrops@ietf.org>; Tue, 25 Jun 2024 04:06:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1719313601; x=1719918401; darn=ietf.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=i+5/AdYDPzfXlcKbCmA6aaXyzYWWbnScc+o7rXBf3UQ=; b=GRQykPe+Yeb+AJIEHZkD9AMHNUqn33+OHOapmJu0T7kbHDg1UUMC5sugvDIBhbPlVV 7+bIgK6eCrvWFi5IhIYI9YfCtp4Cc9wKLjmm18El2jOHRDwf8fbyzeGyKKTYaC5NHjI0 MaNbNc8BbYdBY8zwWytLzzvU93DqFSOADEmcQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719313601; x=1719918401; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=i+5/AdYDPzfXlcKbCmA6aaXyzYWWbnScc+o7rXBf3UQ=; b=PWbroFKVT69ZUB+9z/9htm8BfADgaWdy1joXsjHZgi0ONOCiFvNl0u1tkM0DBz6IOZ 262IaCjBOYUtKgVz6mC/gYZbQYqbAB5tCSyeJBEnuTMh+5KOHhb0SEpQNaMuZ0sytXm8 Njjm053NIQzwCCcQ5sb5b9incx8y+hHzOnpIQV5uBBeOwkFX8VCFPLhjyn6kKsFCNT8B HUJZ/9M+9yZgoMrFwONL8qW/mwHiz+KD8Xtbp8OqN8h8E4BoTuj+cqVIws+cSZvkWABf gB43hEfAL2iE4kxpudUIxDjzrjYlImZD/4Yx6BELkuhlHEbktzP8zdIGPQEeUOKktHc6 ACCA==
X-Forwarded-Encrypted: i=1; AJvYcCXOEXXv1/37S17P4KWpZ6nJzR8ue6BXmW5TdS1bLV+buEpN0X7yvXUvWM1Tk7dPpqCYgxpgRpvjD3/Th4ChdpEk
X-Gm-Message-State: AOJu0YxLM5NS2IpPryvAFPtel3tIb5YberfaSd2fTYs+7DMDX30xFZGG tBicRO9mhi0sUxySzREKH07geM5Vhbp0kdFpwxKgzhpqGKy8i9jMZRKHR6TlUAQ=
X-Google-Smtp-Source: AGHT+IEScCzfb+At2asW+iwKqNUDEB8i/gBcbm3eke8028BZduHg704/YY7912bhxU7QjBp3ZOzmcQ==
X-Received: by 2002:a05:600c:1792:b0:421:8345:7891 with SMTP id 5b1f17b1804b1-4248cc27194mr47292005e9.16.1719313600801; Tue, 25 Jun 2024 04:06:40 -0700 (PDT)
Received: from snel ([2a10:3781:276:0:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4247d2122e7sm212089695e9.40.2024.06.25.04.06.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 25 Jun 2024 04:06:40 -0700 (PDT)
Date: Tue, 25 Jun 2024 13:06:38 +0200
From: Job Snijders <job@fastly.com>
To: Martin Hoffmann <martin@nlnetlabs.nl>
Message-ID: <Znqkvv29Q2MK11-i@snel>
References: <ZnNtl9d7cnkMtK-1@snel> <86AF7299-8541-4652-A699-33AED2F73A60@ripe.net> <ZnP6RJ_Ek5ThsSnQ@snel> <4032C398-9611-4540-B375-DDB8D1E33726@ripe.net> <Znln3-EDsb48hNWa@snel> <20240625120620.60ac7d31@glaurung.nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20240625120620.60ac7d31@glaurung.nlnetlabs.nl>
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID-Hash: XP2UXWTGZFXUT5VZHEA3KXWHL2HXQA4X
X-Message-ID-Hash: XP2UXWTGZFXUT5VZHEA3KXWHL2HXQA4X
X-MailFrom: job@fastly.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tim Bruijnzeels <tbruijnzeels@ripe.net>, sidrops@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/m3wnwlFORxCZExQPB3vgfmhHGhk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>
Dear Martin, On Tue, Jun 25, 2024 at 12:06:20PM +0200, Martin Hoffmann wrote: > Job Snijders wrote: > > > > Tim and I had a meeting and talked this draft over, Tim suggested to > > remove the notion of 'local policy' (as this introduces ambiguity). > > Instead: if the validity period is considered equal, and the signature > > is good, use the newly-retrieved cert (if it differs from the locally > > cached copy). > > Given that the aim here is to avoid replaying (either maliciously or > accidentally) an older certificate and that we can trust that TA > operators take a fair amount of care, I think only looking at notBefore > time and using the new certificate if it is greater or equal should be > good enough. As a safeguard, you could add a line instructing TA > operators to never issue TA certificates with identical notBefore. An argument in favor of also looking at notAfter is that it is possible for CAs to 'freeze' the notBefore at a given point in time, meaning that in subsequent issuances the same notBefore continues to appear. I've seen some RPKI CAs (unsure about TAs) exhibit this behaviour. I'd also argue that defining a 'complete' tiebreaker procedure at the small expense of having a handful of sentences and 4 lines of code* is worth it to cover for the edge case of TAs issuing with identical notBefore's. *4 lines, ymmv: https://github.com/openbsd/src/blob/master/usr.sbin/rpki-client/parser.c#L619-L622 I don't see downside to using both notBefore and notAfter, but yes, strictly speaking notBefore probably is sufficient most of the time. This is why the notBefore tiebreaker should be the first tiebreaker. > One thing to possibly consider to make it more unlikely that a new > certificate is withheld (again either maliciously or accidentally) is > to require trying different URIs listed on the TAL if the fetched > certificate is rejected for any of the reasons in the list and only use > the stored certificate if all of them are rejected. > > Routinator currently doesn’t do that -- it uses a stored certificate > for that particular URI if fetching a new one fails --, but that’s > mostly because we don’t want to fall back from the safer HTTPS > transport to rsync where replaying an old certificate is easier. But > with the proposed protection mechanism, this won’t be necessary any > more. That's a nice idea. Rpki-client tries HTTPS first, if HTTPS fails (TLS error, HTTP error) it will try rsync. But it won't try rsync if the HTTP code was 200. Another approach is to pick a random URI from the TAL (be it HTTPS or rsync), because with the proposed protection mechanism rsync becomes less risky. Picking a random URI from the TAL has the benefit that if they are hosted on different FQDNs, overall resilliency increases. So I guess we have 2 options: - try different URI if the newly fetched TA cert has an issue (regression or siganture-wise) - try a random URI, and if there was an issue use the local cache Do you have a preference? Kind regards, Job
- [Sidrops] Notification for draft-spaghetti-sidrop… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Russ Housley
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Russ Housley
- [Sidrops] Re: Notification for draft-spaghetti-si… Tim Bruijnzeels
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Dale W. Carder
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Ties de Kock
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Martin Hoffmann
- [Sidrops] Re: Notification for draft-spaghetti-si… Job Snijders
- [Sidrops] Re: Notification for draft-spaghetti-si… Ties de Kock