Re: [Sidrops] rev 4 (corrected CRLDP source changes, thanks to Tim)

Di Ma <madi@rpstir.net> Mon, 11 May 2020 06:22 UTC

Return-Path: <madi@rpstir.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D14403A083B for <sidrops@ietfa.amsl.com>; Sun, 10 May 2020 23:22:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BOt8PronLUpv for <sidrops@ietfa.amsl.com>; Sun, 10 May 2020 23:22:17 -0700 (PDT)
Received: from out20-37.mail.aliyun.com (out20-37.mail.aliyun.com [115.124.20.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55E303A0839 for <sidrops@ietf.org>; Sun, 10 May 2020 23:22:14 -0700 (PDT)
X-Alimail-AntiSpam: AC=CONTINUE; BC=0.103883|-1; CH=green; DM=|CONTINUE|false|; DS=CONTINUE|ham_system_inform|0.0517443-0.00273874-0.945517; FP=0|0|0|0|0|-1|-1|-1; HT=e01a16378; MF=madi@rpstir.net; NM=1; PH=DS; RN=2; RT=2; SR=0; TI=SMTPD_---.HWiXbi8_1589178126;
Received: from 192.168.218.230(mailfrom:madi@rpstir.net fp:SMTPD_---.HWiXbi8_1589178126) by smtp.aliyun-inc.com(10.147.40.7); Mon, 11 May 2020 14:22:07 +0800
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Di Ma <madi@rpstir.net>
In-Reply-To: <20200508180039.GA18937@vurt.meerval.net>
Date: Mon, 11 May 2020 14:21:45 +0800
Cc: sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B4633D61-E5AD-4E17-8400-3E4C0FF79F54@rpstir.net>
References: <be9450ba-fe9c-465f-98a2-919772b3b32a.ref@verizon.net> <be9450ba-fe9c-465f-98a2-919772b3b32a@verizon.net> <38D78A3D-BB4A-47B6-9507-14C116BC3FE2@rpstir.net> <20200508180039.GA18937@vurt.meerval.net>
To: Job Snijders <job@ntt.net>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/zrUvmwNUJmV_nOYd7sCUoSQx880>
Subject: Re: [Sidrops] rev 4 (corrected CRLDP source changes, thanks to Tim)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2020 06:22:20 -0000

Job,

> 2020年5月9日 02:00,Job Snijders <job@ntt.net> 写道:
> 
> Dear Di Ma,
> 
> On Sat, May 09, 2020 at 01:33:29AM +0800, Di Ma wrote:
>> Thanks for your efforts for writing MFT update and reflecting the
>> feedback from the mailing list.
>> 
>> I am fine with it except the re-use of previous local cache.
>> 
>> I find it is hard to implement the logic about retrieving objects from
>> local cache with RPSTIR2. 
> 
> Can you elaborate on why it is hard in RSTPIR2? I am not familiar with
> this implementation and can perhaps learn from it, or offer suggestions.

When I say hard, I mean I cannot estimate when ‘a specific object’ will be retrieved from a specific historic version of local cache. 

And we don’t know then we need to cache all the historic versions in case of missing objects. 

And it is even worse when the missing stuff is Resource Certificate, the SIA of which will affect where the RP to find the subordinate repository. This happens in the middle of sync. Accordingly the RP will use a well-designed algorithm to search all the historic versions efficiently.

I am not saying we cannot do that but this is really deserves an effort.

I really look forwards to seeing your big idea or suggestions:-)

> 
>> As I replied to Robert in your discussion with him, in terms of
>> synchronization, RPSTIR2 keeps its incumbent local version exactly the
>> same with global repositories.
> 
> An RP can't know if it is in sync with the global repository. The trust
> derives from the pre-obtained RPKI TALs, through the X509 validation
> procedure and outputs Validated ROA Payloads.
> 
> In this process the data that can be *least* trusted is what came in via
> the untrusted network channel (be it rsync or RRDP). Withholding or
> corruption by issuing 'withdraws' (RRDP)  or '--delete' (rsync) cannot
> be trusted at all. With this in mind, one really really aught to
> reconstruct the original publication point's repository, suppplementing
> it with locally cached data as much as possible.
> 
>> Although RPSTIR2 keeps the historic versions locally, they are stored
>> for diagnose and analysis (maybe to trigger SLURM)
>> 
>> If some RP can retrieve missing objects while others can not, data
>> inconsistence will occur among different RPs.
> 
> This already always is the case, and will not change. RPs pull from the
> CA's publication point from different places on the Internet, at
> different times.


I have to admit that keep all the RP throughout the Internet keep in pace for sync is over-ideal. 


> 
>> I think we just need to keep RP in alignment with PP and then can
>> perform some analysis and diagnose (if necessary) to ascertain errors
>> (RFC 8211) to give warning or make use of SLURM (RFC8416) if the RP
>> operator is confident enough that he catch the wrong data and knows
>> how to remedy locally.
> 
> How will the RP stay in alignment with the PP when the RP is under
> attack? Intercepting and corrupting rsync connections is trivial and the
> RRDP protocol does not offer protections against unauthorised
> modification of the data presented to the RP.

I am considering deploying multiple RP instances by diversifying its locations to avoid MITM attack. 

> 
>> To sum up, I would like to see :
>> 
>> 1) RPs are encouraged to store historic versions locally especially
>> the validated RTR-output
> 
>> 2) If the RP finds some missing objects (not in the CRL, still in the
>> MFT) , it is suggested to issue warning to operators and SLURM can be
>> used by the historic data.
> 
> What is the 'timing' of the process you describe under (2)? I cannot
> imagine any manual intervention in the validation process to scale for
> the purpose of the Internet routing system. Perhaps I'm
> misunderstanding.

I expect this work this way:

1) A missing object found;
2) Warning issued to RP operator, indicating which VRP will be adversely affected and providing suggested SLURM Assertion;
3) SLURM acknowledged to add this Assertion to the validated cache affected by the missing object (ROA for example)

> 
>> I therefore really look forwards to hearing from folks of other RP
>> software to comment on this.
> 
> It is my intention to provide the working group with an implementation
> report of OpenBSD's current rpki-client version in relation to the text
> that Stephen Kent provided today as 'rev 4'. I hope to be able to do
> that next week. My report will be usable as a template for other
> implementation maintainers. Comparing and sharing implementation notes
> is fun, stay tuned!

Always glad to see someone sharing RP implementation notes :-)

Di