Re: [Sidrops] Reason for Outage report (was: Re: ARIN RPKI Service Impact - 12 August 2020 - manifest issue - resolved)
Job Snijders <job@ntt.net> Fri, 28 August 2020 14:40 UTC
Date: Fri, 28 Aug 2020 14:40:17 +0000
From: Job Snijders <job@ntt.net>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: Randy Bush <randy@psg.com>, Jakob Heitz <jheitz=40cisco.com@dmarc.ietf.org>, SIDR Operations WG <sidrops@ietf.org>
Message-ID: <20200828144017.GF88356@bench.sobornost.net>
References: <DE33EFAE-FBD2-478F-92A9-1FBD81CCC43F@arin.net> <727F6FBD-F73C-4F58-AE2D-0276B2A183A3@arin.net> <20200826160001.GF95612@bench.sobornost.net> <20200826202442.232829fc@grisu.home.partim.org> <alpine.DEB.2.20.2008271422560.11025@uplift.swm.pp.se> <BYAPR11MB3207632B2057B4AE6F68DE72C0550@BYAPR11MB3207.namprd11.prod.outlook.com> <m2tuwovv0p.wl-randy@psg.com> <C953A9CE-046E-418A-9188-55E457EF0F2F@nlnetlabs.nl> <m2zh6fugil.wl-randy@psg.com> <7D034AED-89C4-4D94-893E-A95C49739B4B@nlnetlabs.nl>
In-Reply-To: <7D034AED-89C4-4D94-893E-A95C49739B4B@nlnetlabs.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/pi9v6RNA2kMvEOY9BfOD9VHGJtc>
On Fri, Aug 28, 2020 at 02:10:42PM +0200, Tim Bruijnzeels wrote:
> > first, you may not know the prefix from the failed pp; it failed.
> > second, getting you to think that you do could be a nice attack.
>
> You were looking at all the objects listed on a manifest you found for
> a valid CA certificate. You know which resources the valid CA
> certificate holds.

Suggested text, feedback welcome:

================
If a CA's publication point's RPKI data is invalid, a Relying Party MUST
add all IP address resources listed on the certificate's issuer to a
Prefix Filter.

The Relying party MUST consider any VRPs derived from any Trust Anchor
to match with this Prefix Filter if the VRP prefix is equal to or
covered by any of the Prefix Filter prefix.

The following prefixes MUST NOT be added to the Prefix Filter: 0.0.0.0
and ::/0
================

In other words, if a valid current manifest at a publication point
demonstrates files are missing, the resources listed in the AIA's
sbgp-ipAddrBlock extension become an output filter.

If under RIPE's TA a CA delegates authority for 85.xx.0.0/16 to a
publication point, and a ROA file is missing, and 85.xx.0.0/16 also
exists somewhere under ARIN's TA, the RP should omit to produce VRPs
covering 85.xx.0.0/16 or more specific. This is the safest approach.

By excluding 0.0.0.0/0 and ::/0 we prevent one TA from taking down
another TA, and encourage a (hopefully) healthy approach to operational
intermediate certificates which exist to narrow the TA's blast radius.

Kind regards,

Job
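The Prefix Filter rule proposed in the message above, worked through in Python as an added example (not code from the thread, and not the behaviour of any particular relying-party implementation). It assumes the RP has already determined which CA certificates have an invalid publication point and has extracted their IP resources (the sbgp-ipAddrBlock contents); the CA names, trust-anchor labels and VRPs are constructed sample data using documentation prefixes in place of the mail's 85.xx.0.0/16. It shows the three cases the text implies: a VRP equal to or covered by a filter prefix is dropped regardless of which TA it came from, a less-specific VRP that merely covers the filter prefix is kept, and 0.0.0.0/0 and ::/0 on a failed certificate add nothing to the filter.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """A Validated ROA Payload as an RP would emit it."""
    asn: int
    prefix: str
    max_length: int
    trust_anchor: str  # label of the TA the VRP was derived from (constructed)


# Constructed input: IP resources of CA certificates whose publication point's
# RPKI data was found invalid (e.g. a valid manifest lists files that are missing).
FAILED_CA_RESOURCES = {
    "constructed-ca-1": ["198.51.100.0/24", "2001:db8:1::/48"],
    "constructed-ca-2": ["0.0.0.0/0", "::/0"],  # an all-resources intermediate
}

# Constructed VRPs from several TAs; some overlap the failed CA's resources.
SAMPLE_VRPS = [
    VRP(64496, "198.51.100.0/24", 24, "TA-A"),       # equal to a filter prefix
    VRP(64497, "198.51.100.128/25", 25, "TA-B"),     # covered by a filter prefix
    VRP(64498, "198.51.0.0/16", 16, "TA-B"),         # less specific: not covered
    VRP(64499, "203.0.113.0/24", 24, "TA-B"),        # unrelated
    VRP(64500, "2001:db8:1:abcd::/64", 64, "TA-C"),  # covered (IPv6)
    VRP(64501, "2001:db8:2::/48", 48, "TA-C"),       # unrelated (IPv6)
]


def build_prefix_filter(failed_ca_resources):
    """Collect the IP resources of every failed CA certificate into the Prefix
    Filter, never adding 0.0.0.0/0 or ::/0 so one TA cannot take down another."""
    prefix_filter = set()
    for resources in failed_ca_resources.values():
        for res in resources:
            net = ipaddress.ip_network(res, strict=True)
            if net.prefixlen == 0:
                continue  # 0.0.0.0/0 and ::/0 MUST NOT enter the filter
            prefix_filter.add(net)
    return prefix_filter


def is_filtered(prefix, prefix_filter):
    """True when the VRP prefix is equal to or covered by any filter prefix.
    subnet_of() covers both the equal and the more-specific case; the address
    family is compared first because subnet_of() rejects mixed families."""
    net = ipaddress.ip_network(prefix, strict=True)
    return any(net.version == f.version and net.subnet_of(f) for f in prefix_filter)


def apply_prefix_filter(vrps, prefix_filter):
    """Output filter: drop matching VRPs no matter which TA produced them."""
    return [v for v in vrps if not is_filtered(v.prefix, prefix_filter)]


def demo():
    """Run the sample data through the filter and return the surviving VRPs."""
    prefix_filter = build_prefix_filter(FAILED_CA_RESOURCES)
    return apply_prefix_filter(SAMPLE_VRPS, prefix_filter)


if __name__ == "__main__":
    pf = build_prefix_filter(FAILED_CA_RESOURCES)
    print("Prefix Filter:", sorted(str(p) for p in pf))
    for vrp in SAMPLE_VRPS:
        verdict = "DROP" if is_filtered(vrp.prefix, pf) else "keep"
        print(f"{verdict:4} AS{vrp.asn} {vrp.prefix}-{vrp.max_length} ({vrp.trust_anchor})")
```

Running it lists a two-entry filter (198.51.100.0/24 and 2001:db8:1::/48) and drops the VRPs for AS64496, AS64497 and AS64500, including those derived from a different TA than the failed CA; the /16 for AS64498 survives because it covers the filter prefix rather than being covered by it.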