Re: [Sidrops] feedback on draft-michaelson-rpki-rta

Tim Bruijnzeels <tim@nlnetlabs.nl> Mon, 11 January 2021 09:54 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63B743A044A for <sidrops@ietfa.amsl.com>; Mon, 11 Jan 2021 01:54:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 62bMhBBD9bRU for <sidrops@ietfa.amsl.com>; Mon, 11 Jan 2021 01:53:57 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:2d:8::215]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C58D3A0418 for <sidrops@ietf.org>; Mon, 11 Jan 2021 01:53:56 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 4AB5160118; Mon, 11 Jan 2021 09:53:54 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1610358833; bh=JlpevwCjSTYgQQeUQ9y1IKfAHdvzrp1gFOtGSopsrKU=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=bJmob/UXwPn/5DRibvM1zQ9j4uKa0wjFx+U/yc6kY1LPDmvQyPHG1RysFwr/LAhdy 9ADfVdFZPT3XGV/SYQNQQI/LnvpTmMhxjWnvoq2pxBwtlPJMJlKX5EibSy9ODpEI4n 30EHnGNoN1OwZ0lVGMujkna60YEz2vlzmC9PTHtGGg2pSSISACkmTNDTqybbIX9U6L rzfPbKfo2uC35Gcxhiuhq5iUCUfFJSgHhhKF1m+ttD6CE7lqS1Il6O8a5N4QhTJxqb RRJc9bbOsWuwJFjPBFp8g7I81X46garV9tnEAKSqYx+ep8yReEKnXPn1DtU5TUUqOJ /V3nmB/ozjiqw==
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <20201230144836.ytg4u2gobkv4uzqn@benm-laptop>
Date: Mon, 11 Jan 2021 10:53:51 +0100
Cc: Job Snijders <job@sobornost.net>, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3BA339C3-EADC-449E-B5B2-7A4880E16EDA@nlnetlabs.nl>
References: <X+d3+e5Rj/Q7Dchv@bench.sobornost.net> <20201229101412.GA56136@diehard.n-r-g.com> <X+scpsd6kDQ72nLa@bench.sobornost.net> <49a8e314-7b3f-0e8d-6e20-7d055fb1a076@verizon.net> <20201229151639.GD56136@diehard.n-r-g.com> <X+tR06kF3aPZ4+18@bench.sobornost.net> <20201230144836.ytg4u2gobkv4uzqn@benm-laptop>
To: SIDR Operations WG <sidrops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/pSIibdv-x7NgV1D9tDBx1HvYTTo>
Subject: Re: [Sidrops] feedback on draft-michaelson-rpki-rta
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2021 09:54:00 -0000

Dear all,

Apologies for top-posting, but I wanted to send a readable response highlighting the motivations for the RTA draft and the implementation experience so-far by the co-authors of this draft.


- Use-cases

Please bear in mind that this document is specifically intended as a generic profile, without constraining use cases. This is why it includes the following flexibility:
 - multiple signatures
 - publish in the RPKI, or not
 - option to include the full validation path CAs and CRLS in the CMS
   (think TLS, where validation does not require the assembly of a local cache of signed objects)

The use case is intentionally _not_ limited to secure routing and publishing in the RPKI may not be necessary in envisaged cases.


- Publishing in the RPKI

If the RTA is to be published in the RPKI then indeed the filename extension for the detached signature '.rta' as suggest by Job makes sense. However, in many cases there will be no need to publish these RTA files in the global RPKI. The RTA is in essence a detached signature, and as such they are meaningless if an RP does not know which file they were supposed to sign. The file (or object) which has been signed with a detached signature has no role in a CA’s publication point of signed objects and SHOULD NOT (MUST NOT?) be published in a CA’s publication point.


- Need for multiple signatures

One case here is that an organisation which operates under multiple parents, e.g. two RIRs or an RIR and an NIR, will receive resources on different CA certificates. Similarly organisations under a single RIR may receive multiple certificates if they hold resources transferred from another region, or if they hold so-called legacy resources where another RIR is the majority holder in the IANA registry. Yet, these organisations may wish to make statements about a set of resources that crosses these boundaries. 

There can also be cases where different organisations want to make a joint statement about shared resources. We do not know what case that might be, but as said above - in this phase the profile allows for arbitrary use cases.


- Multi-signing vs multiple single-signing

It is true that requiring single signing for RTAs simplifies the specification. And for some use cases where multiple signatures would be required - multiple single signed RTAs would do fine.

However, with multi-signing relying parties can be sure they have seen the complete set of resources, and expected signatures based on a single file. There is no guessing for the RP as to whether they have seen everything relevant.

Question is of course whether this justifies the additional complexity.


- Multi-sign: Complexity for CA

Having implemented this in Krill I believe that the complexity is not that bad. Essentially this boils down to letting CAs generate keypairs for the EE certificates and agree on a set of resources. Note that the SET of SKIs of these EE certificates and the agreed resource set are part of the signed content. Then one CA can be the first to add their EE certificate containing its resources and sign with the associated private key, and then the next CA (which may be another CA cert held by the same organisation) can add their signature.

For use cases where only a single signature is needed the CA can of course just sign things without the need to synchronise with other parties.

- Multi-sign: Complexity for RPs

(note, I will use an informal description here)

For single signed the RP needs to verify that all resources on the RTA are contained by the EE certificate, which is validly signed all the way back up to a known TA. The RTA MAY include CAs and CRLs needed for this verification. If they are, and if the CRLs are not stale, they will be used for validation. If they are not present, stale or invalid, then the RP can look at the public RPKI and find CA certificates and CRLs there.

For multi signed the process is not changed much. But rather than doing this once, the RP will need to do this N times *and* it will need to verify that the union of resources in the EE certificates used for signing include the described resources.

If N == 1 then this does not increase the complexity. If N > 1 then there may be some fragility, because any of the paths can fail, but it is reasonable to state that if multiple signatures are required then it is a requirement that the RTA MUST be considered invalid if the validation of any signature or EE certificate fails.


Tim


> On 30 Dec 2020, at 15:48, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org> wrote:
> 
> On 12/29, Job Snijders wrote:
>> On Tue, Dec 29, 2020 at 04:16:39PM +0100, Claudio Jeker wrote:
>>> Up until now all objects only had a single EE cert and a single SID and
>>> all the linking done with the SKI was a 1-to-1 mapping resulting in a
>>> simple tree structure with the trust anchor as root.
>>> This draft allows for multiple EE certs and so multiple paths up to the
>>> trust anchors. This makes handling RTA a lot more complex than any other
>>> object under RPKI. It also results in a lot more failure conditions since
>>> there are more EE certs involved in the validation process.
>> 
>> <snip/>
>> 
>> It is possible the RTA authors forsee use cases where the 'multiple
>> signatures' offers irreplaceable value, I'm not sure.
> 
> FWIW, all the use cases that I have in mind for RTA need only a single
> signer.
> I have been trying to think of some creative uses that can't be solved
> by separate objects, and I can't think of any.
> 
> Thus, if this change can speed up implementation then I'm all for it.
> 
> Cheers,
> 
> Ben
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops