Re: [Sidrops] what to do when the CRL is hosed?

Lukas Tribus <lists@ltri.eu> Thu, 02 April 2020 23:05 UTC

Return-Path: <lists@ltri.eu>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9C6B3A1BCB for <sidrops@ietfa.amsl.com>; Thu, 2 Apr 2020 16:05:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.233
X-Spam-Level:
X-Spam-Status: No, score=-1.233 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P9Yj-HUA5hTL for <sidrops@ietfa.amsl.com>; Thu, 2 Apr 2020 16:05:17 -0700 (PDT)
Received: from smtp-relay2.web-server.biz (smtp-relay2.web-server.biz [137.74.38.202]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74EF73A1BC8 for <sidrops@ietf.org>; Thu, 2 Apr 2020 16:05:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp-relay2.web-server.biz (Postfix) with ESMTP id 93AA71C91F for <sidrops@ietf.org>; Fri, 3 Apr 2020 01:05:15 +0200 (CEST)
Received: from smtp-relay2.web-server.biz ([137.74.38.202]) by localhost (smtp-relay2.web-server.biz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pNW9D3Kg3JKR for <sidrops@ietf.org>; Fri, 3 Apr 2020 01:05:13 +0200 (CEST)
Received: from mail5.web-server.biz (www5.web-server.biz [185.181.105.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp-relay2.web-server.biz (Postfix) with ESMTPS id 2C3DB1CA00 for <sidrops@ietf.org>; Fri, 3 Apr 2020 01:05:13 +0200 (CEST)
Received: from mail-il1-f180.google.com (mail-il1-f180.google.com [209.85.166.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail5.web-server.biz (Postfix) with ESMTPSA id 5E30847C77 for <sidrops@ietf.org>; Thu, 2 Apr 2020 23:05:07 +0000 (UTC)
Received: by mail-il1-f180.google.com with SMTP id j9so5408812ilr.7 for <sidrops@ietf.org>; Thu, 02 Apr 2020 16:05:07 -0700 (PDT)
X-Gm-Message-State: AGi0PuYwgSz4fCwiuLg5k+Pyuxcw7F/hT3LAfjW5VUNWhrhrbFSqO0q3 E3hnTlSKe3tr8By0zRr7RjeQQKdd8PVFnV20I8A=
X-Google-Smtp-Source: APiQypLOO3Ydqc/r81rGXCMnaAZHMc1akLBEq7FRxVPShK9r+DLnJ1HBwjXYoEMK5HEep2b/EOXEhmXKCpmsjY9cb94=
X-Received: by 2002:a05:6e02:54e:: with SMTP id i14mr6149983ils.166.1585868706596; Thu, 02 Apr 2020 16:05:06 -0700 (PDT)
MIME-Version: 1.0
References: <20200224151532.GD19221@vurt.meerval.net> <20200224211531.GB60925@vurt.meerval.net> <20200225090338.10464b1a@glaurung.nlnetlabs.nl> <9cc3a6a5-f9c8-23df-588e-48dee5db62d4@verizon.net> <3B7006DE-5366-47E7-9CD6-AF392F9ED0CC@nlnetlabs.nl> <6602d1a7-ecbf-73a0-21d8-1254fb2aff97@verizon.net> <20200226173935.GE72144@vurt.meerval.net> <2db8d19a-6f91-d2fc-36c3-65742ba77e6c@ripe.net> <8B09B96B-432C-4190-9DE0-DC2004AAFCC2@nlnetlabs.nl> <CC64461D-4F34-4367-AD9D-D42B2A476363@ripe.net> <75140927-0b8b-07ab-ad2e-952e32256df1@verizon.net> <24198.20355.168888.506246@oz.mt.att.com>
In-Reply-To: <24198.20355.168888.506246@oz.mt.att.com>
From: Lukas Tribus <lists@ltri.eu>
Date: Fri, 03 Apr 2020 01:04:55 +0200
X-Gmail-Original-Message-ID: <CACC_My-g7bU7FYHiy+3j=HfXBp4+ZEWA96aGOaptROtLg8CSUg@mail.gmail.com>
Message-ID: <CACC_My-g7bU7FYHiy+3j=HfXBp4+ZEWA96aGOaptROtLg8CSUg@mail.gmail.com>
To: Jay Borkenhagen <jayb@braeburn.org>
Cc: sidrops@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/vmZJ9eV-rhnfTUyWlsd0DnyFscs>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2020 23:05:19 -0000

Hello,


On Thu, 2 Apr 2020 at 22:48, Jay Borkenhagen <jayb@braeburn.org> wrote:
> No network operators want to specify any 'local policy' on their RP
> instances to control under which conditions an RPKI object would be
> accepted.  Some network operators in this WG have voiced strong
> opinions about how such acceptance should be decided, but that's not
> because they want the ability to exert local policy there.  Such
> opinions are all toward the goal we share of all implementations
> reliably creating a correct/consistent VRP set.
>
>
> I encourage feedback from other network operators on this one simple
> point.  Hopefully we all see this 'local policy' matter the same way,
> and the WG can turn its attention to consistent handling of the corner
> cases.

As a network operator, and without commenting on low-level aspects, I
expect (TL;DR: all the good and none of the bad stuff please):

- all RP's to produce the same VRP sets, given the same input
(otherwise we slow down detection of bugs, misconfigurations and
attacks), I suggest to NOT implement different code paths and local
policy exceptions.
- the end-result of rsync vs RRDP to be the same, in every case, under
every attack scenario
- no MITM attacks possible that lead to incomplete VRP sets (with the
supported retrieval methods, which still includes rsync)

I wanna be able to run different RP's in my network, without my
routers behaving differently based on whether they are currently
considering RP implementation A or RP implementation B.

I also expect some outages of RPKI infrastructure in the coming years,
just as we had outages in the past and just like other ecosystems have
(DNS, DNSSEC, TLS, etc). I consider that acceptable and realistic,
realizing that there are some scenarios where this will not only cause
NOTFOUNDs, but also false-positive INVALIDs. That's really bad, but it
also will be very rare (losing a subset of ROAs at IRR level). But I
would strongly encourage not to weaken or simplify the checks that are
in place, despite being aware that hosting the repository is hard
(atomic updates and all). Maybe we could come up with some best
practices documentation about setup, maintenance of a repository
(BCP?) for repository operators.

I would like for the ecosystem to stay extendable if someday we want
to add something other than ROA to it, and I would still like it to be
cryptographically reliable and consistent in that (and every other)
case.


I know it's not that black and white, I realize I am grossly
oversimplifying. But if I think about TLS or the WebPKI in general,
lax rules, simplifications and fallbacks always turned out to be a bad
idea in the end.



lukas