IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-prefer-rrdp-01.txt

Koen van Hove <k.w.vanhove@student.utwente.nl> Tue, 30 November 2021 22:17 UTC

Return-Path: <k.w.vanhove@student.utwente.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 743863A15F5 for <sidrops@ietfa.amsl.com>; Tue, 30 Nov 2021 14:17:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=student.utwente.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Vtwsf8jy1fu for <sidrops@ietfa.amsl.com>; Tue, 30 Nov 2021 14:17:32 -0800 (PST)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 242243A15EF for <sidrops@ietf.org>; Tue, 30 Nov 2021 14:17:31 -0800 (PST)
Received: by mail-ed1-x529.google.com with SMTP id x6so92643641edr.5 for <sidrops@ietf.org>; Tue, 30 Nov 2021 14:17:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=student.utwente.nl; s=google; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=8uYPtHxinqxZoOgX44ETRutA7pZJQ2mCGtL/nk53cAI=; b=uS4A3VAjf3xYNJXoZqJp/fQRvehSShZ+v/pHVaAjA9teqU/kAFJYkgLyagbkn6MoGQ P/umejgyhEqOVyputUu+b1XZse75mS5imu6IMWze17ZhYA4713QWgNb/QGuBHxIySWmj 35QvZnX6MP+l8iDjDBnD/xejaiL08OqbPN5p1Pr+QJ8sNZv7Lb4kSRXjHWf//wc00bj5 lb4ifsAbSCrzqMGDIm9W+xlShQ15m2WFeOihrzDWjw9/Jp5ErTH36M2ZlBqFYAbLPxUF APUgzqbskcnVZ1UMxwBccm9wWnG7T2uKDUxZvqs8dqRLHRztaq1GzEOmbxzKvgbXT1C5 b9oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=8uYPtHxinqxZoOgX44ETRutA7pZJQ2mCGtL/nk53cAI=; b=ceQVyyU2tZlZy3OwwvhbLAzfBTUbe2XOtzssZ1PvAj/tp11hwEBCvHEOs6/bkcIAkd yH9RHxBAPkpAnfhyxqRsTbyWkxWgXFODWnSU03FpseCGsp9zS5apKNHrPN0B4NXsHy0w GjsUkz+7qh9Q0cTv6LOuKRPbfp6g5xxn5aS73xOOEasJECrQI5Kwgl3jh0BF93BQKbWv AKbqEHjIXmYWVdyU4M+AjbcOSWJSoaCFm5hI3yMdQ8Le2M5hNglUa8SMypW+4gxi7c6A o1pZJyzyxIo4gxoIfOlzj0a3lwxmG9jD7u+8GSjBXFUAwzrb2kZ2VAXHUMnjXXzQBYoR hZlg==
X-Gm-Message-State: AOAM532wdL/Q+xFh83zO8A04N4k6vlwyGnI2WUuIKQ666j0vPnkOUnRE 1hLvCLUbqLEjIungyUqfDOVwT4N9Bxd+B/QVbLIUPr9YIesPzb4uOjo9lNh/WrmwiTIPCX38xMh 2Cv9LveBRAhbaq/YKmVdQfevyKrhhoC6hB91oqCqJgAbAr4E64ZWfjt0jTC+mabnpG4HEnqR9Pn zo
X-Google-Smtp-Source: ABdhPJy01+HSNUV5HApyzXe7cKObiiUdcDe4OwyVc/N+NaxiCcjDeSGQxVU6N2PPM1tp1wGN85ldjw==
X-Received: by 2002:a50:d741:: with SMTP id i1mr2620405edj.37.1638310648858; Tue, 30 Nov 2021 14:17:28 -0800 (PST)
Received: from DELTA (219-190-177-143.ftth.glasoperator.nl. [143.177.190.219]) by smtp.gmail.com with ESMTPSA id de37sm9531995ejc.60.2021.11.30.14.17.28 for <sidrops@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Nov 2021 14:17:28 -0800 (PST)
From: Koen van Hove <k.w.vanhove@student.utwente.nl>
To: 'SIDR Operations WG' <sidrops@ietf.org>
References: <163489282491.21742.16231692563458154079@ietfa.amsl.com> <C80AF40F-7F86-4156-8915-5694D745AD31@nlnetlabs.nl>
In-Reply-To: <C80AF40F-7F86-4156-8915-5694D745AD31@nlnetlabs.nl>
Date: Tue, 30 Nov 2021 23:17:27 +0100
Message-ID: <001b01d7e638$0f34baf0$2d9e30d0$@student.utwente.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQG5KyS5O66QVqbINo4wVlHfa5ecZwF0ktdArE5gq7A=
Content-Language: nl
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/qv016OrLCOlEe8uezw7MIBOwpKw>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-prefer-rrdp-01.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 22:17:38 -0000

Dear Tim, all,

I have looked at your motivation, particularly:
>    *  rsync is CPU and memory heavy on the server side, and easy to DoS

I decided to test your hypothesis, as RFC 6480 says otherwise, and created a
small program that aims to DoS an rsync daemon using many simultaneous
connections from different IP addresses (but the same machine). My
conclusion is the same as yours - with the old computer (4 cores, 16 GB of
RAM, home fiber connection) underneath my desk I can currently take down my
own test rsync server (8 cores, 16 GB RAM, 1 Gbps connection, different
network). Discussions with operators from RIRs seem to show that this would
also work for their rsync servers.  I believe this would even allow one to
take down all rsync servers currently running in the RPKI with a handful of
computers, but I have not tested that as I do not want to disrupt actual
operations. For this reason, running only rsync strikes me as problematic,
especially if one wishes to adhere to "The publication repository SHOULD be
hosted on a highly available service and high-capacity publication
platform." from RFC 6481, and thus believe that making RRDP a MUST is a good
idea. Of course, one can block the IP addresses used for the DoS attack, but
that turns into a cat and mouse game, where the rsync server operator has a
serious disadvantage (especially compared to RRDP).

What I further want to draw the attention to, and I did not see mentioned in
the draft, is that apart from rsync being an extra protocol that can be used
to receive data (which is useful if RRDP fails), it is also an additional
attack vector. I am thus opposed to the addition of: 
>    Relying Parties MUST attempt to use alternative repository access
mechanisms, if they are available, according to the accessMethod element
value(s) specified in the SIA of the associated certificate (see Section
4.8.8 of [RFC6487]).

Rsync was not created to be used with a possibly malicious server.
Therefore, there are currently simple things everyone could do that would
disrupt a relying party over rsync, which are difficult to solve:
1. One can set a motd file that is several gigabytes in size. Rsync will
wait until this is received (the --no-motd switch only hides it on the
client) and the timeout set in rsync does not affect the maximum time this
may take.
2. One can create an rsync repository with many folders (I tested it with 27
million folders). This fills up the maximum amount of inodes on most Linux
and *BSD filesystems within minutes whilst bypassing any size limits or
--includes and --excludes, as a folder has a size of 0, and folders are used
in non-malicious repositories. 
Both can be done when one is part of an RPKI tree, or using MITM, or a DNS
hijack - serving the actual files as well is not a problem, and you do not
need to sign anything new. Solving the first one can probably be easily done
by setting a timeout outside the rsync program, but the second one seems
more difficult to solve. I believe the impact could be quite substantial.
There is probably more an attacker can do - I did not look extensively into
it.

As both the server and the client can easily be attacked, I believe that in
this case "less is more", and to re-evaluate whether rsync support is an
asset or a burden. I believe availability of the RPKI ecosystem can be
better guaranteed without rsync, and believe a post-rsync section is
justified.

Koen van Hove

-----Oorspronkelijk bericht-----
Van: Tim Bruijnzeels <tim@nlnetlabs.nl> 
Verzonden: vrijdag 22 oktober 2021 11:03
Aan: SIDR Operations WG <sidrops@ietf.org>
Onderwerp: Re: [Sidrops] I-D Action: draft-ietf-sidrops-prefer-rrdp-01.txt

Dear working group,

We just uploaded a new version of the prefer-rrdp draft.

The document has had some updates based on working group member comments and
discussion between the co-authors. The uploaded version still lacks final
review by my co-authors, but.. after discussing we decided that it would be
good to replace the now expired -00 with this. This also makes it easier for
WG members to comment.

This version is not intended to be final. It's intended to support further
discussion. So feel free!

Important changes compared to -00:
- We no longer talk about post-rsync in this document
   (this can be done as a later and separate exercise)
- We included some more text on rsync fallback

I would like to ask you all to give it a read provide feedback.

Kind regards
Tim




> On 22 Oct 2021, at 10:53, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts
directories.
> This draft is a work item of the SIDR Operations WG of the IETF.
> 
>        Title           : Resource Public Key Infrastructure (RPKI)
Repository Requirements
>        Authors         : Tim Bruijnzeels
>                          Randy Bush
>                          George Michaelson
> 	Filename        : draft-ietf-sidrops-prefer-rrdp-01.txt
> 	Pages           : 10
> 	Date            : 2021-10-22
> 
> Abstract:
>   This document formulates a plan of a phased transition to a state
>   where RPKI repositories and Relying Party software performing RPKI
>   Validation will use the RPKI Repository Delta Protocol (RRDP)
>   [RFC8182] as the preferred access protocol, and require rsync as a
>   fallback option only.
> 
>   In phase 0, today's deployment, RRDP is supported by most, but not
>   all Repositories, and most but not all RP software.
> 
>   In the proposed phase 1 RRDP will become mandatory to implement for
>   Repositories, in addition to rsync.  This phase can start as soon as
>   this document is published.
> 
>   Phase 2 will start once the proposed updates are implemented by all
>   compliant Repositories.  In this phase RRDP will become mandatory to
>   implement for all compliant RP software, and rsync will be required
>   as a fallback option only.
> 
>   It should be noted that although this document currently includes
>   descriptions and updates to RFCs for each of these phases, we may
>   find that it will be beneficial to have one or more separate
>   documents for these phases, so that it might be more clear to all
>   when the updates to RFCs take effect.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidrops-prefer-rrdp/
> 
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-prefer-rrdp-0
> 1
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidrops-prefer-rrdp-01
> 
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email