Re: [Sidrops] what to do when the CRL is hosed?
George Michaelson <ggm@algebras.org> Tue, 31 March 2020 22:21 UTC
Return-Path: <ggm@algebras.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67F853A0BE9 for <sidrops@ietfa.amsl.com>; Tue, 31 Mar 2020 15:21:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HRW0lZUL-Fio for <sidrops@ietfa.amsl.com>; Tue, 31 Mar 2020 15:21:06 -0700 (PDT)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E03E3A0BEF for <sidrops@ietf.org>; Tue, 31 Mar 2020 15:21:06 -0700 (PDT)
Received: by mail-il1-x129.google.com with SMTP id g15so21081909ilj.10 for <sidrops@ietf.org>; Tue, 31 Mar 2020 15:21:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yIcHb0sEKOwt9NNclIumomimheVqH9C4jLsyubBYlOk=; b=jjNSJo/3WrcoW0PE9ZpWx80mFZRAWlgvtuSxNpPqXSibtA9Fbvmxlzq3aCn2FDX9Pi J4h/8GjRgNu+AqzubHm5nXPQyk3bvm7OehDDzgAthTvPynW6jXI5Hc/ipYqOboiGBz6D kqKL3lxn4JyXMEUre4Aug2hYyVqMSYoCvn33JEq2idRzGnkgLFLP7e2FYx7tcA4HvkoU woCUnYm6pTiayJr88IMLpgWY9S5MPKCyLD7+GKncTfk2ChzOdEVOSusDPoqqdDbtESm8 t+ht4WQFRpMFvEg0f//cjqYiCcc8p39qSPLA08VpRr2wxx8IXT55PefGOpccJHXPFnso NoKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yIcHb0sEKOwt9NNclIumomimheVqH9C4jLsyubBYlOk=; b=d4aQz4CoFOl/z5ZBUZjoON02fhn3tPiOaxuJyYN6Wfb3RiqGfdlDGhqG4ogq03DAJb nVFkKUrmKb/tDUmaPsVOEkbLOAVKxLr9cTFA9wvhQHUp9bczIOWwkTiEcPwBVgrPz4H3 Vp3KjeukY7crdvLYKfP1RlYi6hOeQofYoLfnkPciE6ittoC8GxtevchEdMqOv9WHM9hk CVPpoVQwf/WFH/ByqTqwBoHSPHcHsqvasu3HvMtEYGDtDEKo1/69ZsXQPxtscI42cgp1 +GuPB7BbyZ3i6L7takrJOXBQO51XhUL1OP3mXKFFolBrupTqiBsz2d7Pt9QC3X5Jhp9k lhxA==
X-Gm-Message-State: ANhLgQ2KNuv4oeJckzyXM3p7OcVilriBV5NqmYKknL7YZqrB0qRFORoJ 4P54StjCNvuRlIBNpH7eES34PS0d/9cH5jfDpVyJsA==
X-Google-Smtp-Source: ADFU+vuDI+0kj5K5QgPJFfMH5koXJO1qCG2fNTkvFs241PXnV7UOm2kPFvK9p1FSk3YQyvNmWrP9lPIle02PeOgIGXA=
X-Received: by 2002:a92:8517:: with SMTP id f23mr19629731ilh.106.1585693265139; Tue, 31 Mar 2020 15:21:05 -0700 (PDT)
MIME-Version: 1.0
References: <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <253D1ED7-52D8-4A00-9D69-095E61D09C9F@nlnetlabs.nl> <db920115-e188-700f-ceb2-08cd2996046a@verizon.net> <3a683da4-42f9-28c6-f0dd-4d11d3c67857@ripe.net> <4fe26a30-4a08-41a5-be7f-0c5997230d0a@www.fastmail.com> <3B072025-68C5-4E62-9466-5122D483F691@nlnetlabs.nl> <20200324135828.GG60268@vurt.meerval.net> <20200324152009.6e6a2c3f@glaurung.nlnetlabs.nl> <20200324151101.GH60268@vurt.meerval.net> <7f54a255-643f-cd2d-12c2-da19562bbffa@verizon.net> <7465c59f-fa10-4083-8e52-291cb47587f6@www.fastmail.com> <ed15512c-4fac-f8b1-f616-4dcf7afbf396@verizon.net> <CAL9jLab_tLDwh8=thqPfWw29g+LK__T2MUfCZmLDv1v_Z77x+w@mail.gmail.com>
In-Reply-To: <CAL9jLab_tLDwh8=thqPfWw29g+LK__T2MUfCZmLDv1v_Z77x+w@mail.gmail.com>
From: George Michaelson <ggm@algebras.org>
Date: Wed, 01 Apr 2020 08:20:53 +1000
Message-ID: <CAKr6gn2VN8kXB2KS5LUkuSkihoE5KqUqfD+NTLuopnTVYF1QQA@mail.gmail.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/pWOMHASmG03bIqjeJJJcj8CBO-Q>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2020 22:21:17 -0000
I think you did capture the spirit. I would remind people that *all* the products in a repository are signed objects. To arrive at a state where a manifest is "wrong" demands two things: it doesn't reflect some real-world situation regarding contents of the repository *and* its signed by keys you can validate back to a trust anchor. If you cannot validate the manifest, then its not "wrong" its forged, or invalid cryptographically. To me, a "wrong" manifest checks out cryptographically but somehow is not coherent with the state of the repository. If objects are on the manifest but cannot be fetched, you are probably suffering either from hiding of objects, or a transitional state of publication. If objects can be found which are not on the manifest, you may be seeing artifacts which are not defined as critical (must be found) or, the manifest has not yet been updated. There are potentially transitional states in the production of a large repository under eventually consistent production (e.g. multiple asynchronous cooperating processes, dual-redundant signing models) where what can be fetched and what is on manifest do not align. If we wish to demand that the manifest and a given state of the repository *always* align, we need to formalise that in a way which makes it clear we publish repository state in as close to atomic-update as possible. (copying a repo to a new dir, modifying the contents of the new dir, and (re)publishing the change through the rename() call in UNIX is one such model) A missing manifest is not a "wrong" manifest -its a sign of data being hidden from you either because of transitional effect in publishing the repository, or for persisting state a problem in the repository (diskfull?) or, production systems, or a MITM attack. Which do you think is actually most likely at this current time? This is no different to a missing CRL in that regard. Which do you think is the most likely reason, because you cannot a-priori know that its a MITM attack, or a failure in networks, or storage systems, or production systems. During the early design phases of the system, we determined that since the products were all cryptographically signed, there was no strict requirement for cryptographic protections on transport. If that decision needs to be revised I think it should be done in standards work, here, as a discussion. I do not yet see a document which says that. I don't see formalisms which go to a normative change in SHOULD to MUST on this. So these comments aside, my plea is that people clearly state when they say "wrong" or "bad" if they mean that it is cryptographically valid, but does not align with some external reality, or some other meaning. (Which btw, is complex because the part which none of this can adequately capture is *intentionality* -Just because you think a publication of RPKI state is nonsensical does not mean its not intentional) Attack models need to state clearly how they acheve the state. An attack on the integrity of the manifest needs to explain coherently how it creates a manifest which checks out cryptographically, and yet hides or legitemates something which should not exist. They also need to explain how the specific attack on the manifest in these situation outweighs other considerations: If they have the keys, then surely the attack vector is to make validly signed things which cannot be detected as an attack? -George On Wed, Apr 1, 2020 at 1:42 AM Christopher Morrow <christopher.morrow@gmail.com> wrote: > > first, apologies for getting back around to this so late :( > > On Thu, Mar 26, 2020 at 10:57 AM Stephen Kent > <stkent=40verizon.net@dmarc.ietf.org> wrote: > > > So, I think discussing MITM attacks is a distraction, unless we have examples of how > > such attacks can affect RPs in ways different from attacks on repositories. Maybe re-reading > > RFC 8211 would be useful, as it tries to analyze a range of possible "adverse actions" by CAs or > > repository managers in the RPKI context, and discusses how RPKI mechanisms are intended to > > detect/counter these actions. > > In the case of the incident which started this thread we ended up > publishing part of the content a > repository needs to publish such that the relying parties can verify > properly that the content in the > repository is correct/valid/usable. The discussion then went along a path like: > 1) "well... maybe we shouldn't have belt and suspenders?" (manifest AND crl) > 2) "what happens if we don't publish this pesky CRL? and rely only > on the manifest?" > 3) "what if we don't publish the manifest and only rely on the CRL?" > 4) "CRL + Manifest has made 'rp software' hard/buggy" > > In the world where the protections specified for RPKI exist: > 1) self contained content protection (roa / ee-certs / etc are > packaged securely) > 2) crl signed and available in the repository for revocation actions > on objects in the repository > 3) manifest signed and listing all objects of interest in the repository > > Steve (kent!) is right mitm is harder to see as a threat. > "All objects you get are signed by a ca-cert which is signed by the > root.. which is in the list of TAL you have. You can't have missing > objects and you cant' remove objects without affecting the signed > manifest" > > In a world where we remove one/some of the protections: > A) no more manifest > B) no more crl > C) both > > I think mitm problems are much harder to detect/deal with :( > It sounds like WG folk (RP users and RP/CA software authors) are > asking for guidance on handling the problem(s) discussed here. > It sounds, to me, like a chat at the upcoming interim meeting would be > a great place to start that with some slideware and a proposal to use > as kindling. > > I think the shape of the conversation is roughly: > "What would be the effect (on the routing system) for RelyingParties > if we decided to be less strict about CRL existence?" > "What would be the effect (on the routing system) for Relying > Parties if we decided to be less strict about repository contents vs > Manifest contents?" > "What happens to the routing system if the manifest and crl are > either/both 'broken' in a repository?" > > I don't think it matters much to the routing system where the breakage > occurs (my repository or RIPE/ARIN/etc) certainly there's more fallout > from ARIN/RIPE/etc, but... you can't get to me either way :) > (possibly) until repair and propogation. > > Thoughts on some slideware and discussion? > Did I about capture the meat of the sandwich here? > > -chris > co-chair but asking as a regular chemical engineer at this party. > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Francisco Javier Moreno Arana
- Re: [Sidrops] what to do when the CRL is hosed? Ben Maddison
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Louis Poinsignon
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Jared Mauch
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Nathalie Trenaman
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Rob Austein
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Oleg Muravskiy
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? George Michaelson
- Re: [Sidrops] what to do when the CRL is hosed? Di Ma
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Claudio Jeker
- Re: [Sidrops] what to do when the CRL is hosed? Job Snijders
- Re: [Sidrops] what to do when the CRL is hosed? Christopher Morrow
- Re: [Sidrops] what to do when the CRL is hosed? Jay Borkenhagen
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Lukas Tribus
- Re: [Sidrops] what to do when the CRL is hosed? Tim Bruijnzeels
- Re: [Sidrops] what to do when the CRL is hosed? Robert Kisteleki
- Re: [Sidrops] what to do when the CRL is hosed? Martin Hoffmann
- Re: [Sidrops] what to do when the CRL is hosed? Stephen Kent
- Re: [Sidrops] what to do when the CRL is hosed? Randy Bush