Re: [Sidrops] Manifest entry filename validation

Job Snijders <job@ntt.net> Thu, 19 November 2020 16:47 UTC

Return-Path: <job@ntt.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01B6E3A0A50 for <sidrops@ietfa.amsl.com>; Thu, 19 Nov 2020 08:47:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 57XWOiLMH3Hn for <sidrops@ietfa.amsl.com>; Thu, 19 Nov 2020 08:47:07 -0800 (PST)
Received: from mail4.dllstx09.us.to.gin.ntt.net (mail4.dllstx09.us.to.gin.ntt.net [128.241.192.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41D2C3A0A4E for <sidrops@ietf.org>; Thu, 19 Nov 2020 08:47:07 -0800 (PST)
Received: from bench.sobornost.net (mieli.sobornost.net [45.138.228.4]) by mail4.dllstx09.us.to.gin.ntt.net (Postfix) with ESMTPSA id 132D2EE00F6; Thu, 19 Nov 2020 16:47:05 +0000 (UTC)
Received: from localhost (bench.sobornost.net [local]) by bench.sobornost.net (OpenSMTPD) with ESMTPA id 0a32f49f; Thu, 19 Nov 2020 16:47:03 +0000 (UTC)
Date: Thu, 19 Nov 2020 16:47:03 +0000
From: Job Snijders <job@ntt.net>
To: Erik Rozendaal <erozendaal@ripe.net>
Cc: sidrops@ietf.org
Message-ID: <X7ahh3zPgfI2C6dI@bench.sobornost.net>
References: <18CC986C-97FA-41F6-A530-F782D3104A31@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <18CC986C-97FA-41F6-A530-F782D3104A31@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/x3cxwOyKgiWXNEhSu51m5hOuzKs>
Subject: Re: [Sidrops] Manifest entry filename validation
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 16:47:09 -0000

On Thu, Nov 19, 2020 at 10:03:53AM +0100, Erik Rozendaal wrote:
> Summary:
> 
> We think the manifest RFC 6486 should define rules used for the
> filename entries in a manifest.

I dont think one would want to go as far as to "make rpki work on case
insensitive filesystems like some versions of macosx or windows".

RPKI objects map to RPKI files. Paths and filenames are considered from
the IEEE Std 1003.1-2008 / POSIX.1 interface perspective to improve
portability.

Filesystems with with an assortment of capability limitations (example
FAT32's case insensitivity or small filename length limits) just aren't
suitable.

> Our proposal is to only allow a minimal set of characters from the
> ASN.1 IA5String type: a-z, A-Z, 0-9, . (dot), - (dash), _
> (underscore).  Furthermore blank entries, ".", and ".." must not be
> allowed. Filename extensions should be matched in a case insensitive
> manner when determining object type (ROA, CRL, etc).

Or alternatively the spec requires all RPKI filename extensions to be
lower case? At the moment of writing all published rpki files seem to
use lower case anyhow.

> These rules validate all current objects from the major trust anchors
> (all RIRs and APNIc AS0). They avoid special URI characters and
> characters that may be used to navigate file system directories.
> 
> We may also want to add rules such as:
> 
> - Avoid illegal (Windows) filenames such as PRN, NUL, or CON (see
>  https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file

I consider attempting to protect against windows-specific bugs very much
out of scope for this working group :-)

> - Require that all entries have a three letter filename extension.

ack

> - Prohibit entries that only differ by upper or lower case (FOO.CER vs
> foo.cer).

Requiring filename extensions to be lowercase addresses some of this,
but 'FOO.cer' and 'foo.cer' really are separate paths.

Regards,

Job