Re: [Sidrops] Multiple publication points in certificate
Tim Bruijnzeels <tim@nlnetlabs.nl> Thu, 28 July 2022 19:11 UTC
Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F963C15C501 for <sidrops@ietfa.amsl.com>; Thu, 28 Jul 2022 12:11:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.81
X-Spam-Level:
X-Spam-Status: No, score=-2.81 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GGj5LwBEK-Vi for <sidrops@ietfa.amsl.com>; Thu, 28 Jul 2022 12:11:00 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a10:de80:1:4091:b9e9:2215:0:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 664FFC15C504 for <sidrops@ietf.org>; Thu, 28 Jul 2022 12:10:59 -0700 (PDT)
Received: from smtp.soverin.net (c04smtp-lb01.int.sover.in [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 4Lv0bz61DfzNS; Thu, 28 Jul 2022 19:10:55 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.100]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1659035455; bh=xlx9P1eYBLXP2xFXgjMRyRe20t4eCm+VcXjjYuHCDhk=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=R01jLqdkC+H9gs+DXoPzb3D1+JTyE3ymNUNxr8KMU2Cng/FtTOhY0dfgo70/dZt2a 7OkRRIi73HKL/3KTocMwX95g+PmMjhsjotLPRpcNzgb903y+uqaGyDG+s6P915YX6B se+JIMp7cGbdL9Tq5ydcaX/7UpiBbzLKyeVLRCB2qiYhYXvtMmBW1sSWVNAuqDwZGv PkKEIKVQfBGZcVNWMMGtw6HKHtWmsaau9OqwZFHTvi1S85HRGHliyX/T97yoUzvUJX 5f6NV1qTSwOU4T+g84xpGz6UqH2D0OGxRipkDT1ZRajNxn4BJPr45H/LlS8u0h0gGS IDvP06sz34zPQ==
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <YuKwTwCF8TTqk9Yu@snel>
Date: Thu, 28 Jul 2022 15:10:48 -0400
Cc: Geoff Huston <gih@apnic.net>, "Hove, K.W. van (Koen, Student M-CS)" <k.w.vanhove@student.utwente.nl>, "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3090C78C-1F16-4AF3-BD4B-1A0F23F6FAA3@nlnetlabs.nl>
References: <DB9P195MB1420D2ABBBC3111449F141BB8C979@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM> <YuGlK4hrITxZx+4v@snel> <DB9P195MB14209DD920FA448F9738E3CB8C969@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM> <51D3C8D2-1364-4975-A7EC-A01B6C5A71D9@apnic.net> <YuKwTwCF8TTqk9Yu@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/uEWy5mLMAHYiXTYuy6GOiCTzOIU>
Subject: Re: [Sidrops] Multiple publication points in certificate
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 19:11:05 -0000
Hi Job, all, > On 28 Jul 2022, at 11:50, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote: > > Dear Koen, Geoff, others, > > On Thu, Jul 28, 2022 at 12:20:09PM +0000, Geoff Huston wrote: >> RFC6487: SIA (sec 4.8.8.1) >> >> Other accessDescription elements with >> an accessMethod of id-ad-caRepository MAY be present. In such cases, >> the accessLocation values describe alternate supported URI access >> mechanisms for the same directory. The ordering of URIs in this >> accessDescription sequence reflect the CA's relative preferences for >> access methods to be used by RPs, with the first element of the >> sequence being the most preferred by the CA. >> >>> So far it seems that: >>> - Routinator only visits the first >>> - OctoRPKI only visits the second >>> - rpki-client outputs "RFC 6487 section 4.8: SIA: rpkiNotify already specified" and visits neither >>> - FORT outputs "Extension 'SIA' has multiple 'rpkiNotify' HTTPS URIs." and visits neither > > Thanks Koen, I appreciate you testing this. It seems there is room for > improvement in rpki-client, I'll take a stab at visiting *at least one* > RRDP Access Description (if multiple are specified). I think that fallback to a secondary RRDP 'rpkiNotify' URI should be feasible. Fallback to secondary rsync URIs for 'id-ad-caRepository'/'id-ad-rpkiManifest' would be more problematic for RPs - if they rely on these URI to build their idea of the RPKI tree(*). Fallback to a secondary 'rpkiNotify' would incur a cost (download snapshot) but presumably the rsync URIs associated with the contained <publish> objects retrieved this way would match those of the primary. (*): alternatively one could use a URI agnostic approach - e.g. based on key identifiers and hashes as was done by the RIPE NCC RPKI Validator 2 series. See: RFC 8488. >> Seems that the relevant standard specifies that a relying party should >> work with the entire list of URIs listed in the certificate’s SIA >> field and work through them until success or until all locally >> supported URI access methods have been tried. The CA provides the >> CA-preferred order to test the URI list, but the Relying Party can >> apply its own preference to the list of course. > > Right. To some degree all validators (I know of) already do this: first > rpkiNotify is followed, and if there is a HTTP error code or TLS error, > the RPs fall back to RSYNC. > > At the start of this thread Koen mentioned investigating hosting ROAs at > multiple places to improve robustness / availability; I'd argue that > with the "RRDP first, RSYNC second" pattern that has established in the > last 2 years we achieved a well working flavor of duplicity. > > I've noticed that some repository operators at times end up deploying > TLS configurations which either lack intermediate TLS certs, or perhaps > a lack of common HTTPS trust anchors between RP and Repo; in such > cases I think there is merit to attempt to use a vastly different > protocol (rsync) which has no dependency on WebPKI. I think that listing dozens of backup URIs would not be helpful, and it might even give (malicious) CAs more tools to attack RPs by giving them lots of bad repositories to check. That said, having the option of specifying say 2 'rpkiNotify' URIs would help to solve issues in my opinion. If I were to use this, I would most likely have the primary 'rpkiNotify' point to a CDN backed infrastructure. While the secondary could be pointing to either my own infrastructure, or a secondary CDN. It would be good if both systems relied on different web TAs and different https server implementations. Tim > At the bottom of https://console.rpki-client.org/ there is a terminal > output under "comm -3 vrps-rrdp-rsync.csv vrps-rsync-only.csv" which > shows the difference in VRPset when synchronizing over RRDP+RSYNC vs > "RSYNC only"; it seems that most of the time there is minute differences > (which probably can be explained by transient/timing differences, the > RPKI is a distributed database of course). By and large the RRDP and > RSYNC worlds seem to be very much in sync with each other, to me that > seems a good sign. > > Kind regards, > > Job > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] Multiple publication points in certific… Hove, K.W. van (Koen, Student M-CS)
- Re: [Sidrops] Multiple publication points in cert… Job Snijders
- Re: [Sidrops] Multiple publication points in cert… Hove, K.W. van (Koen, Student M-CS)
- Re: [Sidrops] Multiple publication points in cert… Geoff Huston
- Re: [Sidrops] Multiple publication points in cert… Job Snijders
- Re: [Sidrops] Multiple publication points in cert… Tim Bruijnzeels
- Re: [Sidrops] Multiple publication points in cert… Ties de Kock
- Re: [Sidrops] Multiple publication points in cert… Hove, K.W. van (Koen, Student M-CS)