IETF Logo Mail Archive

Re: [Sidrops] [WG ADOPTION] draft-yan-sidrops-roa-considerations - 04/16/2021

Tim Bruijnzeels <tim@nlnetlabs.nl> Tue, 30 March 2021 11:24 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84CA53A0C57; Tue, 30 Mar 2021 04:24:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AlSAzenXhpAe; Tue, 30 Mar 2021 04:24:40 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [116.202.65.215]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB2A63A0C56; Tue, 30 Mar 2021 04:24:39 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id B70FD602AF; Tue, 30 Mar 2021 11:24:36 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1617103475; bh=ykmQRAb1OxjxS4ySo6WorkoLmnp7NvrFK/30yh+F3oE=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=lsDdMGKuHuq7vi4WNpq7QACKWf/gYnRxORt3dxbVyB4BjiJPy4FhQWK9sEwya6ba3 kILGM9We7dntokv9g51yts+4zuCDmybGw/f+UPNvXJSofpZWwPwva9LnPYQTmT2Uk6 gOQuUkAPSzVDuk+JgO6mLpy9MUd+LAw72sgO0SZTLht2UY5KMKB2TxsdVQ6ZCOM4+I CYXHyuV05MSPskJGk6342AYYH9jarcXouv/pOc9f+I1jsZO/o4FpQckrJ45wiW6BZU TZrk3PU3iRiDb2u4anzRFnmHLCXWF3rBrSccujFjs2Iyu+gd8c9Wm0+TcGK0Ej7kdB aWNDAyu6KKecw==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <YGL2twQ2eEsMQHPq@snel>
Date: Tue, 30 Mar 2021 13:24:32 +0200
Cc: Chris Morrow <morrowc@ops-netman.net>, SIDROps Chairs <sidrops-chairs@ietf.org>, sidrops@ietf.org, sidrops-ads@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <8BA83ECF-3D1A-4057-9E24-46CDA779604B@nlnetlabs.nl>
References: <87lfa94xyj.wl-morrowc@ops-netman.net> <67F48899-3B77-4722-B467-F73D50DF1006@nlnetlabs.nl> <YGL2twQ2eEsMQHPq@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/tMtG16wQxVaYH__dFFIqV1l1DUo>
Subject: Re: [Sidrops] [WG ADOPTION] draft-yan-sidrops-roa-considerations - 04/16/2021
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2021 11:24:45 -0000

Hi Job, all,

> On 30 Mar 2021, at 12:00, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> Hi Tim, working group,
> 
> first things first: I support adoption of this draft.
> 
> On Mon, Mar 29, 2021 at 04:06:56PM +0200, Tim Bruijnzeels wrote:
>> = revocation?
>> 
>>   A large number of experiments for the process of ROA issuance have
>>   been made on our RPKI testbed, it is found that the misconfigurations
>>   during the issuance may cause the ROAs which have been issued to be
>>   revoked.
>> 
>> I don't see how the ROAs would be revoked in this context.
> 
> Perhaps 'revoked' is the wrong word, maybe 'withdrawn' or 'unpublished'?
> 
> I took the third suggestion in 'Section 3' to mean that if the ROA
> issuer does not confirm the End-Entity certificate signing the ROA
> eContent checks that it is allowed to sign the resources listed in the
> eContent, it might end up submitting an invalid object to the
> Repository.
> 
> The Repository deferences any previous ROA with the same filename,
> performs validation on the newly submitted ROA, concludes it is invalid
> (because the resources in the eContent overclaim compared to the
> resources listed as subordinate on the EE cert) and ends up publishing a
> CA Repository without the intended ROA.

No, the publication server does not validate content. See RFC 8181:

5.  Security Considerations

   The RPKI publication protocol and the data it publishes use entirely
   separate PKIs for authentication.  The published data is
   authenticated within the RPKI, and this protocol has nothing to do
   with that authentication, nor does it require that the published
   objects be valid in the RPKI.


That being said.. as yet another aside..

I have been thinking of proposing extensions to the publication protocol (RFC 8181) to make Publication Servers somewhat more responsible. For example they could enforce quota both in terms of number of files, and size. They could also verify objects, e.g. only allow known types, and only allow objects which at least parse. But there is a potential issue then with bugs in verification code. Also, if this is done for security then it may not matter because malicious CAs could 'just' run their own publication server, until they might be revoked by an angry parent CA. Still... I think this is worth a (separate) discussion. Raising the barrier to abuse and mistakes seems like a good idea.

> I would suggest:
> 
> """
> 3) A safeguard scheme is essential to protect the process of ROA
>   issuance. Before committing to the issuance of a ROA object, the
>   signer software should confirm the ipAddrBlocks in the To-Be-Signed
>   eContent are fully contained by the RFC 3779 extensions listed on the
>   End-Entity certificate used to generate the signature. 
> """
> 
> In other words, a signing pipeline would help the operator by performing
> RFC 6482 Section 4 validation *before* constructing the ROA, to prevent
> constructing ROAs the Repository operator would consider invalid.


All RPKI CA implementations that I know of already take care to issue objects which do not overclaim. The problem is that a delegated CA may not find out that a parent has shrunk their resources until whenever it happens to send them a "Resource Class List Request" as defined in RFC 6492.

It would be much nicer practice if parent CAs can hold off shrinking resources until a child has had a chance to clean up. I will suggest some text to the ROV timing draft.. not sure that this belongs there, but it may be a start.

Tim



> 
> Kind regards,
> 
> Job
> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email