IETF Logo Mail Archive

[Sidrops] Publication Server Checks (was: Re: [WG ADOPTION] draft-yan-sidrops-roa-considerations - 04/16/2021)

Tim Bruijnzeels <tim@nlnetlabs.nl> Tue, 30 March 2021 13:12 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 073D83A117E for <sidrops@ietfa.amsl.com>; Tue, 30 Mar 2021 06:12:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DgqQzzzQ4EOh for <sidrops@ietfa.amsl.com>; Tue, 30 Mar 2021 06:12:18 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:2d:8::215]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A69B3A11A7 for <sidrops@ietf.org>; Tue, 30 Mar 2021 06:12:17 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id E96F460197; Tue, 30 Mar 2021 13:12:14 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.142]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1617109933; bh=0vwtOXoWEvdbutQIb549z4FAORVisrTnr7ypj+FPfcI=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=MoUpou53IugQ0tDROyMGvzz7OS9UHi5OD6MD/0AaqdKbHXyW8z3HRR7Y0XIbJrwAK 5lUo+V55HlBMiFf/gaUkmkeOXCCLg+yl7rhOmfM1nOHRkBS6uOC0YntBhUAdGnpn3N rUFe1dqjuqqomw9jYkibuPPNaHqcWVHiR2OBeTyikkAAGv7qyBhfXyHKpfmAEInu69 H7688dcyOyCAoH7YPGxVDzTtDfaqVXPEQRKXs03NvlFaAK+RLL4Wp4Bdq44bUiphub qNLvFdNYSrvxcc/knOek/Mhl1dCpMSr7vqn/JsVns7iTbpNtZF5xRIUTN8fe63nl9d pIaZeDFQFiMrg==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <7A405712-A4E5-4E05-A2EE-3196BE3F1DA2@ripe.net>
Date: Tue, 30 Mar 2021 15:12:10 +0200
Cc: SIDR Operations WG <sidrops@ietf.org>, Job Snijders <job=40fastly.com@dmarc.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <74925412-5E02-406F-BBA9-3EA8A0BD32A5@nlnetlabs.nl>
References: <87lfa94xyj.wl-morrowc@ops-netman.net> <67F48899-3B77-4722-B467-F73D50DF1006@nlnetlabs.nl> <YGL2twQ2eEsMQHPq@snel> <8BA83ECF-3D1A-4057-9E24-46CDA779604B@nlnetlabs.nl> <7A405712-A4E5-4E05-A2EE-3196BE3F1DA2@ripe.net>
To: Ties de Kock <tdekock@ripe.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/ounHMyZWuxNhLrz5kCNRb8IhFLU>
Subject: [Sidrops] Publication Server Checks (was: Re: [WG ADOPTION] draft-yan-sidrops-roa-considerations - 04/16/2021)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2021 13:12:23 -0000

[trimming recipient list for this side-discussion]

> On 30 Mar 2021, at 14:21, Ties de Kock <tdekock@ripe.net> wrote:
> 
> Hi Tim, all,
> 
>> On 30 Mar 2021, at 13:24, Tim Bruijnzeels <tim@nlnetlabs.nl> wrote:
>> 
>> Hi Job, all,
>> 
>>> On 30 Mar 2021, at 12:00, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
>>> 
>>> Hi Tim, working group,
>>> 
>>> first things first: I support adoption of this draft.
>>> 
>>> On Mon, Mar 29, 2021 at 04:06:56PM +0200, Tim Bruijnzeels wrote:
>>>> = revocation?
>>>> 
>>>>  A large number of experiments for the process of ROA issuance have
>>>>  been made on our RPKI testbed, it is found that the misconfigurations
>>>>  during the issuance may cause the ROAs which have been issued to be
>>>>  revoked.
>>>> 
>>>> I don't see how the ROAs would be revoked in this context.
>>> 
>>> Perhaps 'revoked' is the wrong word, maybe 'withdrawn' or 'unpublished'?
>>> 
>>> I took the third suggestion in 'Section 3' to mean that if the ROA
>>> issuer does not confirm the End-Entity certificate signing the ROA
>>> eContent checks that it is allowed to sign the resources listed in the
>>> eContent, it might end up submitting an invalid object to the
>>> Repository.
>>> 
>>> The Repository deferences any previous ROA with the same filename,
>>> performs validation on the newly submitted ROA, concludes it is invalid
>>> (because the resources in the eContent overclaim compared to the
>>> resources listed as subordinate on the EE cert) and ends up publishing a
>>> CA Repository without the intended ROA.
>> 
>> No, the publication server does not validate content. See RFC 8181:
>> 
>> 5.  Security Considerations
>> 
>>   The RPKI publication protocol and the data it publishes use entirely
>>   separate PKIs for authentication.  The published data is
>>   authenticated within the RPKI, and this protocol has nothing to do
>>   with that authentication, nor does it require that the published
>>   objects be valid in the RPKI.
>> 
>> 
>> That being said.. as yet another aside..
>> 
>> I have been thinking of proposing extensions to the publication protocol (RFC 8181) to make Publication Servers somewhat more responsible. For example they could enforce quota both in terms of number of files, and size. They could also verify objects, e.g. only allow known types, and only allow objects which at least parse. But there is a potential issue then with bugs in verification code. Also, if this is done for security then it may not matter because malicious CAs could 'just' run their own publication server, until they might be revoked by an angry parent CA. Still... I think this is worth a (separate) discussion. Raising the barrier to abuse and mistakes seems like a good idea.
> 
> I would be hesitant to add too much validation to the publication protocol. In
> my opinion the BPKI relationship ensures that the content of the messages is
> what the client intends to publish.
> 
> However, I would welcome the removal of some foot cannons. For example,
> updating an object [and thus changing the hash of] on a manifest that currently
> has entries with matching names and hashes, without also updating the manifest,
> likely is a sign of a bug - not of the intention of the client.

First off, I don't think there is a huge and immediate operational issue with RFC 8181 right now, but it's good to keep an open mind to improvements.

My first take on this would be quota. And when it comes to objects I would not validate them, but just sanity check that they are of a known type and maybe that they can be parsed. I.e. add error codes as Job suggested.

We may want to extend the protocol so that quota information can be communicated. Not sure.. protocol changes are not trivial, even error codes might break things. There may be a way to do this without breaking existing relations if we include capability communication on HTTP headers for example - to help version negotiation. But it's not easy, and we should see if it's really worth it.

For consistency checks I would leave it to the CA to make sure they send all their updates as a single RFC 8181 delta.

On the other end of the possible spectrum a Publication Server could actively validate everything, and even remove things. I think that goes way too far and is dangerous, error prone and harmful. Just saying for the sake of discussion.

But.. perhaps it would be good to draft some text and have structured discussion? And yes, if we are going to discuss extending the publication protocol, then there is of course the risk, or feature, that people will want other changes too.


Tim



> 
> Ties
> 
>> 
>>> I would suggest:
>>> 
>>> """
>>> 3) A safeguard scheme is essential to protect the process of ROA
>>>  issuance. Before committing to the issuance of a ROA object, the
>>>  signer software should confirm the ipAddrBlocks in the To-Be-Signed
>>>  eContent are fully contained by the RFC 3779 extensions listed on the
>>>  End-Entity certificate used to generate the signature. 
>>> """
>>> 
>>> In other words, a signing pipeline would help the operator by performing
>>> RFC 6482 Section 4 validation *before* constructing the ROA, to prevent
>>> constructing ROAs the Repository operator would consider invalid.
>> 
>> 
>> All RPKI CA implementations that I know of already take care to issue objects which do not overclaim. The problem is that a delegated CA may not find out that a parent has shrunk their resources until whenever it happens to send them a "Resource Class List Request" as defined in RFC 6492.
>> 
>> It would be much nicer practice if parent CAs can hold off shrinking resources until a child has had a chance to clean up. I will suggest some text to the ROV timing draft.. not sure that this belongs there, but it may be a start.
>> 
>> Tim
>> 
>> 
>> 
>>> 
>>> Kind regards,
>>> 
>>> Job
>>> 
>>> _______________________________________________
>>> Sidrops mailing list
>>> Sidrops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sidrops
>> 
>> _______________________________________________
>> Sidrops mailing list
>> Sidrops@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidrops
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email