IETF Logo Mail Archive

Re: [Sidrops] what to do when the CRL is hosed?

George Michaelson <ggm@algebras.org> Tue, 31 March 2020 22:21 UTC

Return-Path: <ggm@algebras.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67F853A0BE9 for <sidrops@ietfa.amsl.com>; Tue, 31 Mar 2020 15:21:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HRW0lZUL-Fio for <sidrops@ietfa.amsl.com>; Tue, 31 Mar 2020 15:21:06 -0700 (PDT)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E03E3A0BEF for <sidrops@ietf.org>; Tue, 31 Mar 2020 15:21:06 -0700 (PDT)
Received: by mail-il1-x129.google.com with SMTP id g15so21081909ilj.10 for <sidrops@ietf.org>; Tue, 31 Mar 2020 15:21:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yIcHb0sEKOwt9NNclIumomimheVqH9C4jLsyubBYlOk=; b=jjNSJo/3WrcoW0PE9ZpWx80mFZRAWlgvtuSxNpPqXSibtA9Fbvmxlzq3aCn2FDX9Pi J4h/8GjRgNu+AqzubHm5nXPQyk3bvm7OehDDzgAthTvPynW6jXI5Hc/ipYqOboiGBz6D kqKL3lxn4JyXMEUre4Aug2hYyVqMSYoCvn33JEq2idRzGnkgLFLP7e2FYx7tcA4HvkoU woCUnYm6pTiayJr88IMLpgWY9S5MPKCyLD7+GKncTfk2ChzOdEVOSusDPoqqdDbtESm8 t+ht4WQFRpMFvEg0f//cjqYiCcc8p39qSPLA08VpRr2wxx8IXT55PefGOpccJHXPFnso NoKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yIcHb0sEKOwt9NNclIumomimheVqH9C4jLsyubBYlOk=; b=d4aQz4CoFOl/z5ZBUZjoON02fhn3tPiOaxuJyYN6Wfb3RiqGfdlDGhqG4ogq03DAJb nVFkKUrmKb/tDUmaPsVOEkbLOAVKxLr9cTFA9wvhQHUp9bczIOWwkTiEcPwBVgrPz4H3 Vp3KjeukY7crdvLYKfP1RlYi6hOeQofYoLfnkPciE6ittoC8GxtevchEdMqOv9WHM9hk CVPpoVQwf/WFH/ByqTqwBoHSPHcHsqvasu3HvMtEYGDtDEKo1/69ZsXQPxtscI42cgp1 +GuPB7BbyZ3i6L7takrJOXBQO51XhUL1OP3mXKFFolBrupTqiBsz2d7Pt9QC3X5Jhp9k lhxA==
X-Gm-Message-State: ANhLgQ2KNuv4oeJckzyXM3p7OcVilriBV5NqmYKknL7YZqrB0qRFORoJ 4P54StjCNvuRlIBNpH7eES34PS0d/9cH5jfDpVyJsA==
X-Google-Smtp-Source: ADFU+vuDI+0kj5K5QgPJFfMH5koXJO1qCG2fNTkvFs241PXnV7UOm2kPFvK9p1FSk3YQyvNmWrP9lPIle02PeOgIGXA=
X-Received: by 2002:a92:8517:: with SMTP id f23mr19629731ilh.106.1585693265139; Tue, 31 Mar 2020 15:21:05 -0700 (PDT)
MIME-Version: 1.0
References: <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <253D1ED7-52D8-4A00-9D69-095E61D09C9F@nlnetlabs.nl> <db920115-e188-700f-ceb2-08cd2996046a@verizon.net> <3a683da4-42f9-28c6-f0dd-4d11d3c67857@ripe.net> <4fe26a30-4a08-41a5-be7f-0c5997230d0a@www.fastmail.com> <3B072025-68C5-4E62-9466-5122D483F691@nlnetlabs.nl> <20200324135828.GG60268@vurt.meerval.net> <20200324152009.6e6a2c3f@glaurung.nlnetlabs.nl> <20200324151101.GH60268@vurt.meerval.net> <7f54a255-643f-cd2d-12c2-da19562bbffa@verizon.net> <7465c59f-fa10-4083-8e52-291cb47587f6@www.fastmail.com> <ed15512c-4fac-f8b1-f616-4dcf7afbf396@verizon.net> <CAL9jLab_tLDwh8=thqPfWw29g+LK__T2MUfCZmLDv1v_Z77x+w@mail.gmail.com>
In-Reply-To: <CAL9jLab_tLDwh8=thqPfWw29g+LK__T2MUfCZmLDv1v_Z77x+w@mail.gmail.com>
From: George Michaelson <ggm@algebras.org>
Date: Wed, 01 Apr 2020 08:20:53 +1000
Message-ID: <CAKr6gn2VN8kXB2KS5LUkuSkihoE5KqUqfD+NTLuopnTVYF1QQA@mail.gmail.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/pWOMHASmG03bIqjeJJJcj8CBO-Q>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2020 22:21:17 -0000

I think you did capture the spirit.

I would remind people that *all* the products in a repository are
signed objects. To arrive at a state where a manifest is "wrong"
demands two things: it doesn't reflect some real-world situation
regarding contents of the repository *and* its signed by keys you can
validate back to a trust anchor. If you cannot validate the manifest,
then its not "wrong" its forged, or invalid cryptographically.  To me,
a  "wrong" manifest checks out cryptographically but somehow is not
coherent with the state of the repository. If objects are on the
manifest but cannot be fetched, you are probably suffering either from
hiding of objects, or a transitional state of publication. If objects
can be found which are not on the manifest, you may be seeing
artifacts which are not defined as critical (must be found) or, the
manifest has not yet been updated.

There are potentially transitional states in the production of a large
repository under eventually consistent production (e.g. multiple
asynchronous cooperating processes, dual-redundant signing models)
where what can be fetched and what is on manifest do not align.  If we
wish to demand that the manifest and a given state of the repository
*always* align, we need to formalise that in a way which makes it
clear we publish repository state in as close to atomic-update as
possible. (copying a repo to a new dir, modifying the contents of the
new dir, and (re)publishing the change through the rename() call in
UNIX is one such model)

A missing manifest is not a "wrong" manifest -its a sign of data being
hidden from you either because of transitional effect in publishing
the repository, or for persisting state a problem in the repository
(diskfull?) or, production systems, or a MITM attack. Which do you
think is actually most likely at this current time? This is no
different to a missing CRL in that regard. Which do you think is the
most likely reason, because you cannot a-priori know that its a MITM
attack, or a failure in networks, or storage systems, or production
systems.

During the early design phases of the system, we determined that since
the products were all cryptographically signed, there was no strict
requirement for cryptographic protections on transport. If that
decision needs to be revised I think it should be done in standards
work, here, as a discussion. I do not yet see a document which says
that. I don't see formalisms which go to a normative change in SHOULD
to MUST on this.

So these comments aside, my plea is that people clearly state when
they say "wrong" or "bad" if they mean that it is cryptographically
valid, but does not align with some external reality, or some other
meaning. (Which btw, is complex because the part which none of this
can adequately capture is *intentionality* -Just because you think a
publication of RPKI state is nonsensical does not mean its not
intentional)

Attack models need to state clearly how they acheve the state. An
attack on the integrity of the manifest needs to explain coherently
how it creates a manifest which checks out cryptographically, and yet
hides or legitemates something which should not exist. They also need
to explain how the specific attack on the manifest in these situation
outweighs other considerations: If they have the keys, then surely the
attack vector is to make validly signed things which cannot be
detected as an attack?

-George

On Wed, Apr 1, 2020 at 1:42 AM Christopher Morrow
<christopher.morrow@gmail.com> wrote:
>
> first, apologies for getting back around to this so late :(
>
> On Thu, Mar 26, 2020 at 10:57 AM Stephen Kent
> <stkent=40verizon.net@dmarc.ietf.org> wrote:
>
> > So, I think discussing MITM attacks is a distraction, unless we have examples of how
> > such attacks can affect RPs in ways different from attacks on repositories. Maybe re-reading
> > RFC 8211 would be useful, as it tries to analyze a range of possible "adverse actions"  by CAs or
> > repository managers in the RPKI context, and discusses how RPKI mechanisms are intended to
> > detect/counter these actions.
>
> In the case of the incident which started this thread we ended up
> publishing part of the content a
> repository needs to publish such that the relying parties can verify
> properly that the content in the
> repository is correct/valid/usable. The discussion then went along a path like:
>    1) "well... maybe we shouldn't have belt and suspenders?" (manifest AND crl)
>    2) "what happens if we don't publish this pesky CRL? and rely only
> on the manifest?"
>    3) "what if we don't publish the manifest and only rely on the CRL?"
>    4) "CRL + Manifest has made 'rp software' hard/buggy"
>
> In the world where the protections specified for RPKI exist:
>   1) self contained content protection (roa / ee-certs / etc are
> packaged securely)
>   2) crl signed and available in the repository for revocation actions
> on objects in the repository
>   3) manifest signed and listing all objects of interest in the repository
>
> Steve (kent!) is right mitm is harder to see as a threat.
>   "All objects you get are signed by a ca-cert which is signed by the
> root.. which is in the list of TAL you have. You can't have missing
> objects and you cant' remove objects without affecting the signed
> manifest"
>
> In a world where we remove one/some of the protections:
>    A) no more manifest
>    B) no more crl
>    C) both
>
> I think mitm problems are much harder to detect/deal with :(
> It sounds like WG folk (RP users and RP/CA software authors) are
> asking for guidance on handling the problem(s) discussed here.
> It sounds, to me, like a chat at the upcoming interim meeting would be
> a great place to start that with some slideware and a proposal to use
> as kindling.
>
> I think the shape of the conversation is roughly:
>   "What would be the effect (on the routing system) for RelyingParties
> if we decided to be less strict about CRL existence?"
>   "What would be the effect (on the routing system) for Relying
> Parties if we decided to be less strict about repository contents vs
> Manifest contents?"
>   "What happens to the routing system if the manifest and crl are
> either/both 'broken' in a repository?"
>
> I don't think it matters much to the routing system where the breakage
> occurs (my repository or RIPE/ARIN/etc) certainly there's more fallout
> from ARIN/RIPE/etc, but... you can't get to me either way :)
> (possibly) until repair and propogation.
>
> Thoughts on some slideware and discussion?
> Did I about capture the meat of the sandwich here?
>
> -chris
> co-chair but asking as a regular chemical engineer at this party.
>
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email