[Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker

Ties de Kock <tdekock@ripe.net> Wed, 26 June 2024 15:42 UTC

Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 099FAC169430 for <sidrops@ietfa.amsl.com>; Wed, 26 Jun 2024 08:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QzoJQ49uGiuo for <sidrops@ietfa.amsl.com>; Wed, 26 Jun 2024 08:42:37 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AF7EC16940D for <sidrops@ietf.org>; Wed, 26 Jun 2024 08:42:36 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id 38308e7fff4ca-2e72224c395so79554141fa.3 for <sidrops@ietf.org>; Wed, 26 Jun 2024 08:42:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ripe.net; s=google1; t=1719416555; x=1720021355; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=3/HOa3z66AMPfeq6qcuH+LBclfQnva5aRAkstHI9aL4=; b=IAnhz7vZf5AMnf7W37mS5jvrO67ISE68zEt0nLvHPrEy5W8BfcTEDQFlFZYZ9e1G8m mo4aBJuR0G33B1blChRDHQrnJLVURFDnfiwowvKPzg5asfMmm64U1PNrNXnbs0cQFJ2A e6EFO+m5eyWpevO8lT+W43ULRIw6Y+y4EkBxyL33H1Iey+ZGKQOw2TsU7iuqrBkopoAH fXpOooLxmGvXHhxXyNLMPvSvinOOdixWAq/baVAp+yHbqpZRDBAH8Z/T6f4Joq9lC6g8 AIxTciKU/w7kQyF0U+7fHvb7og9dE+vBLnNL4+xJc3sdDdoSpGT7quZUMoeXkHZTjitO blfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719416555; x=1720021355; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3/HOa3z66AMPfeq6qcuH+LBclfQnva5aRAkstHI9aL4=; b=FAzXWyybmS23iHvDr5H/LDlTkiBlTUSMP6FsZ58d47BfS6xoUwMegtTUOLHJs+4bjx oyyRZXrF0LXg0UdsPkWgJpQIJmep+dKBAXqtzl64U8OOMYQY/kYwDwczUIsf67rlQT4w fQGx6sIIWa+RWnqckcDo0mbFISu9WVngmdLr0qWwnJlkA2opqvLR/cUoACPVNdVK1wT3 sCkPnxO9pnZfFp3mPO/OITMuL+RlHtheT+AaTT9QbHTryDmMmdHddQbVfb88/R5WIJzu 51VhoZ6jC8EW4hRA2MlCoxKmMDKOJasYciabW8vjgx2PYCCXdZa6weGQKYlQfha9DUUt T7/w==
X-Forwarded-Encrypted: i=1; AJvYcCWxXoHu2XvMwhcLuQEl3rZbzKVclmVR1U2WXftv958kdrCkeNdY1UvAe6t7/W3Pq2Yr6KDCjaPwA9IqXhHVVf8X
X-Gm-Message-State: AOJu0YzduLZuglAXm4loOimzaXwqKAmrmHSVevfl0bHhioP0NyHelY9G o6EuocWK1dL91Pi5ojf03L8rTq4LwPUWVDpG7aASSQiHiJqckAJbqoehRU32oHj5+D+qOKW0PZ+ w4qUKcCM+HsIEyuN+svywWN49bI834/+BsP4ETw==
X-Google-Smtp-Source: AGHT+IHzVGmziXgpDUxZwcgsmUvQRzPNlXGKkxYVJSNczxRvqhw+JHzZK7q8qtC2+hxafyN12L6lAlUE6TgGt/9uV18=
X-Received: by 2002:a2e:8011:0:b0:2ec:59d8:a7e6 with SMTP id 38308e7fff4ca-2ec5b28ba26mr69790801fa.30.1719416554868; Wed, 26 Jun 2024 08:42:34 -0700 (PDT)
MIME-Version: 1.0
References: <ZnNtl9d7cnkMtK-1@snel> <86AF7299-8541-4652-A699-33AED2F73A60@ripe.net> <ZnP6RJ_Ek5ThsSnQ@snel> <4032C398-9611-4540-B375-DDB8D1E33726@ripe.net> <Znln3-EDsb48hNWa@snel> <20240625120620.60ac7d31@glaurung.nlnetlabs.nl> <Znqkvv29Q2MK11-i@snel> <20240625154415.2479876d@glaurung.nlnetlabs.nl> <ZnrOU_l6xeEaEDWA@snel>
In-Reply-To: <ZnrOU_l6xeEaEDWA@snel>
From: Ties de Kock <tdekock@ripe.net>
Date: Wed, 26 Jun 2024 17:42:23 +0200
Message-ID: <CANPYmgjteiiOgzZXj+h5CZc6BNyzG-Kgh_pkUWH7N5qNL3gFow@mail.gmail.com>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: KQW2URRFRXUC2UYM6LELAKXX5BXYEQZW
X-Message-ID-Hash: KQW2URRFRXUC2UYM6LELAKXX5BXYEQZW
X-MailFrom: tdekock@ripe.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Martin Hoffmann <martin@nlnetlabs.nl>, Tim Bruijnzeels <tbruijnzeels@ripe.net>, sidrops@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: Notification for draft-spaghetti-sidrops-rpki-ta-tiebreaker
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/qlkm0FGvcrKTRlMBpcaZtryyHUc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>

Hi all,


On Tue, 25 Jun 2024 at 17:11, Job Snijders
<job=40fastly.com@dmarc.ietf.org> wrote:
>
> On Tue, Jun 25, 2024 at 03:44:15PM +0200, Martin Hoffmann wrote:
> > Job Snijders wrote:
> > >
> > > An argument in favor of also looking at notAfter is that it is
> > > possible for CAs to 'freeze' the notBefore at a given point in time,
> > > meaning that in subsequent issuances the same notBefore continues to
> > > appear. I've seen some RPKI CAs (unsure about TAs) exhibit this
> > > behaviour.
> >
> > I figure we can reasonably trust (ha!) TA operators to be careful.
>
> I'd like that too, but I figured that aiming for robustness on both
> sides of the TA <> RP communication channel is desirable.
>
> > > I'd also argue that defining a 'complete' tiebreaker procedure at the
> > > small expense of having a handful of sentences and 4 lines of code* is
> > > worth it to cover for the edge case of TAs issuing with identical
> > > notBefore's.
> >
> > It’s not really complete though, since you still have the case that both
> > notBefore and notAfter are identical. So you still need to define what
> > happens if you have two different certificates with identical times.
> >
> > Worse, if you have identical notBefore dates but differing notAfter
> > dates, you need to make an arbitrary choice which one of the two
> > certificates you choose. There just isn’t a “clearly it’s this one”
> > kind of answer.
>
> Based on feedback from Tim Bruijnzeels I incorporated an extra step to
> be published in the next revision of this internet draft:
>
> https://github.com/job/draft-sidrops-rpki-ta-tiebreaker/commit/957080b9c279494564dd06e7bcaf714d7acb4c06
>
> The idea is that if the signature is valid, the public key matches, the
> validity period exactly matches, then the final step is to just use the
> newly-retrieved certificate. In that case we base 'recency' off the
> recency of the network fetch. All things considered equal, use the
> latest one fetched over the network.
>
> > So having this additional check doesn’t provide extra safety. I want to
> > argue that if there’s no benefit, leave it out.
>
> I believe that specifying a preference for shorter validity periods
> helps improve the agility of the system.

I like that this now defines a full order, and allows operators to always
publish a more specific certificate that RPs will prefer.

> Again, I agree with you that in almost all cases just using notBefore is
> sufficient to make a good decision, but in case a notBefore for one
> reason or another is 'frozen in time' can be addressed by looking at the
> notAfter, and if that one also is the same, then and only then just use
> the newly retrieved object (assuming the crypto checks out)
>
> > > Another approach is to pick a random URI from the
> > > TAL (be it HTTPS or rsync), because with the proposed protection
> > > mechanism rsync becomes less risky. Picking a random URI from the TAL
> > > has the benefit that if they are hosted on different FQDNs, overall
> > > resilliency increases.
> >
> > I still wouldn’t want to use rsync unless HTTPS doesn’t work -- if only
> > to keep the rsync load on TA operators at a minimum. Whether we should
> > suggest to randomize URIs (of the same type) is a question I’d would
> > like some input from the TA operators from. Given that currently there
> > is always exactly one HTTPS URI and exactly one rsync URI, it’s all a
> > bit academic. If the operators say that they want to keep it that way,
> > I’d rather not have to have randomizing code that isn’t actually ever
> > used.
>
> I agree, as I mentioned in my previous email, rpki-client prefers HTTPS,
> and if there is an issue at the transport layer will fall back to rsync.
> An open question is whether we should add some trickery that in case
> the HTTPS fetch was successful but the object retrieved was garbage,
> whether to try rsync, or use the locally cached copy and wait for the
> next validation cycle.

I see potential operational situations in which one of the certificates is
updated but the other is not. A TA operator should monitor this. By running an
RP with an empty state, and a TAL with just the rsync, or just the https URL at
a set interval, the operator can check that the currently published
objects make sense.

@Job: This feels obvious, but might be good to add.

Assuming that the monitoring above is done when a successful HTTPS connection
retrieves a certificate that is not valid/not preferred over the current
certificate, I would not retry via rsync. A TA should monitor for the and have
process controls for the operational mistakes. Furthermore, an on-path attacker
(with a valid TLS cert even!) could attack rsync as well.

If this document becomes a -bis, it might be good to consider how we handle TA
certificates in the RRDP publication point the trust anchor certificate points
to. That could prove to be an interesting update mechanism.

Kind regards,
Ties