Re: [Sidrops] what to do when the CRL is hosed?
Claudio Jeker <cjeker@diehard.n-r-g.com> Mon, 23 March 2020 12:56 UTC
Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DF173A077A for <sidrops@ietfa.amsl.com>; Mon, 23 Mar 2020 05:56:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vc2JggrXY0Ps for <sidrops@ietfa.amsl.com>; Mon, 23 Mar 2020 05:56:50 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2030E3A0766 for <sidrops@ietf.org>; Mon, 23 Mar 2020 05:56:49 -0700 (PDT)
Received: (qmail 41383 invoked by uid 1000); 23 Mar 2020 12:56:47 -0000
Date: Mon, 23 Mar 2020 13:56:47 +0100
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: sidrops@ietf.org
Message-ID: <20200323125647.GA6421@diehard.n-r-g.com>
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <20200226173935.GE72144@vurt.meerval.net> <2db8d19a-6f91-d2fc-36c3-65742ba77e6c@ripe.net> <8B09B96B-432C-4190-9DE0-DC2004AAFCC2@nlnetlabs.nl> <CC64461D-4F34-4367-AD9D-D42B2A476363@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CC64461D-4F34-4367-AD9D-D42B2A476363@ripe.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/mZSuwzhVysRvJgl747F-XSZ0vRI>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2020 12:56:53 -0000
On Mon, Mar 23, 2020 at 11:34:43AM +0100, Nathalie Trenaman wrote: > Hi, > > > Op 27 feb. 2020, om 10:50 heeft Tim Bruijnzeels <tim@nlnetlabs.nl> het volgende geschreven: > > > > Hi, > > > >> On 27 Feb 2020, at 09:59, Robert Kisteleki <robert@ripe.net> wrote: > >> > >> > >> > >> On 2020-02-26 18:39, Job Snijders wrote: > >>> I think the entire repository should be considered invalid if a single > >>> file is missing but was referenced in the manifest. One can't produce > >>> rules based upon false or incomplete data, and one can't protect against > >>> hijacks using unsigned data. > >> > >> I'm not sure that'd be wise. Knowing you're missing something does not > >> invalidate the other bits that you can verify. Exactly what you keep > >> using can depend on what's missing (a CRL, a CA cert, a ROA, ...) though. > > > > I am not saying that I have the complete answer here, but I think it's worthwhile to discuss this further - if the WG is willing to consider updates to the manifest RFC. > > > > It gets complicated. > > > > ROAs at the parent level have the ability to invalidate announcements by children that run delegated CAs. If their CA cert is missing, then this can impact ROV to the point that announcements by children are considered invalid. > > > > In such cases it might be better to mark objects the ROA objects as invalid so that ROV yields not found. It is probably okay to recurse any other CA cert and use ROAs found under it. Probably, because probably they are more specific, and ROAs there would not invalidate covering, presumably, less specific announcements done by the parent (yes, lots of assumptions here). For BGPSec certificates things get more complicated, because at the MFT level they are indistinguishable from delegate CA certificates. Also BGPSec does not have a soft-landing, so invalidating certificates (rather than ROAs) might be quite harmful. > > > > Note, I think this should be applied only to *missing* objects as that indicates either a failure to publish things properly, or possibly a partial withhold attack where the RP receives incomplete information. And even then, there may be ways to recover if an RP still has prior copies of all missing objects (check hash). > > > > If objects are found and accounted for, but they turn out to be invalid, then I believe that other objects should not be impacted. > > > > I would still welcome discussion on this. For our Validator, we > currently issue warnings if there is something wrong with the CRL. Some > other RP (validator tools) invalidate the chain, one ignores the CRL. > This is not a good situation. > From the mailing list, I didn’t see a clear consensus (yet?) for RP > (validator tools). Any ideas? Thoughts? Did I miss something? > I think the current discussion did show that RP tools should do the proper validations and not skip steps. As for rpki-client we still believe that doing strict checks of the certificates is the right thing. rpki-client will exclude certs and the data they protect if they do not validate (this includes not-valid before and after timestamps of both the certificate and the CRL (if any)). Additionally all hash values in mft files are verified and again objects failing validation are excluded. The result is that only fully valid VRP are exported and all others are skipped but a warning is logged. -- :wq Claudio
- [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Francisco Javier Moreno Arana
- Re: [Sidrops] what to do when the CRL is hosed? Ben Maddison
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Louis Poinsignon
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Nathalie Trenaman
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Rob Austein
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Jay Borkenhagen
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush