randy/draft-6486bis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Steve Kent rewrite

Browse source
This commit is contained in:
Randy Bush 2020-05-21 12:56:49 -07:00
parent bea9d48c3f
commit 7e5c5bf25e
2 changed files with 335 additions and 679 deletions
Download patch file Download diff file Expand all files Collapse all files

472
draft-ymbk-sidrops-6486bis.xml
View file

@ -574,378 +574,201 @@
<section title="Relying Party Use of Manifests" anchor="sect-6">
<t>
The goal of an RP is to determine which signed objects to use for
Each RP must determine which signed objects it will use for
validating assertions about INRs and their use (e.g., which ROAs
to use in the construction of route filters). Ultimately, this
selection is a matter of local policy. However, in the following
sections, we describe a sequence of tests that the RP SHOULD
perform to determine the manifest state of the given publication
point. We then discuss the risks associated with using signed
objects in the publication point, given the manifest state; we
also provide suitable warning text that SHOULD be placed in a
user-accessible log file. It is the responsibility of the RP to
weigh these risks against the risk of routing failure that could
occur if valid data is rejected, and to implement a suitable local
policy. Note that if a certificate is deemed unfit for use due to
local policy, then any signed object that is validated using this
certificate also SHOULD be deemed unfit for use (regardless of the
status of the manifest at its own publication point).
to use in the construction of route filters). Manifests are
designed to allow an RP to detect manipulation of repository data
and/or errors by a CA or repository manager. Unless _all_ of the
files enumerated in a manifest can be obtained by an RP (either
from a publication point or from a local cache), an RP MUST ignore
the data associated with the publication point. This stringent
response is needed to prevent an RP from misinterpreting data
associated with a publication point, and thus possibly treating
invalid routes as valid, or vice versa.
</t>
<section title="Tests for Determining Manifest State" anchor="sect-6.1">
<t>
The processing described below is designed to cause all RPs with
access to the same local cache and RPKI repository data to achieve
the same results with regard to validation of RPKI data. However,
in operation, different RPs will access repositories at different
times, and some RPs may experience local cache failures, so there
is no guarantee that all RPs will achieve the same results with
regard to validation of RPKI data
</t>
<t>
Note that there is a "chicken and egg" relationship between the
manifest and the CRL for a given CA instance. If the EE
certificate for the current manifest is revoked, i.e., it appears
in the current CRL, then the CA or publication point manager has
made a serious error. In this case all signed objects associated
with the CA instance MUST be ignored. Similarly, if the CRL is
not listed on a valid, current manifest, all signed objects
associated with the CA instance MUST be ignored, because the CRL
is considered missing.
</t>
<section title="Manifest Processing Overview" anchor="sect-6.1">
<t>
For a given publication point, the RP SHOULD perform the
following tests to determine the manifest state of the
publication point:
For a given publication point, an RP MUST perform a series of
tests to determine which signed object files at the publication
point are acceptable. The tests described below are to be
performed using the manifest identified by the
id-ad-rpkiManifest URI extracted from a CA certificate's SIA.
</t>
<t>
<list style="numbers">
<list style="numbers">
<t>
For each CA using this publication point, select the CA's
current manifest (the "current" manifest is the manifest
issued by this CA having the highest manifestNumber among
all valid manifests, and where manifest validity is defined
in <xref target="sect-4.4"/>).<vspace blankLines="1"/> If
the publication point does not contain a valid manifest, see
<xref target="sect-6.2"/>. Lacking a valid manifest, the
following tests cannot be performed.
</t>
<t>
All of the files referenced by the manifest MUST be be located
at the publication point specified by the id-ad-caRepository URI
from the (same) certificate's SIA. If the manifest and the
files it references do not reside at the same publication point,
an RP MUST *???*
</t>
<t>
To verify completeness, an RP MAY check that every file at
each publication point appears in one and only one current
manifest, and that every file listed in a current manifest
is published at the same publication point as the
manifest.<vspace blankLines="1"/> If there exist files at
the publication point that do not appear on any manifest, or
files listed in a manifest that do not appear at the
publication point, then see <xref target="sect-6.5"/>, but
still continue with the following test.
</t>
<t>
A manifest SHOULD contain exactly one CRL (.crl) file and it
MUST be at the location specified in the CRLDP in the manifest's
EE certificate.
</t>
<t>
Check that the current time (translated to UTC) is between
thisUpdate and nextUpdate.<vspace blankLines="1"/> If the
current time does not lie within this interval, then see
<xref target="sect-6.4"/>, but still continue with the
following tests.
</t>
<t>
If more than one .crl file appears in the manifest, only file
names matching the CRL specified by the CRLDP will be
processed. If more than one .crl entry appears in the manifest,
and matches the CRLDP, the first one encountered MUST be
used. Any other .crl files MUST be ignored and a warning MUST be
issued.
</t>
<t>
Verify that the listed hash value of every file listed in
each manifest matches the value obtained by hashing the file
at the publication point.<vspace blankLines="1"/> If the
computed hash value of a file listed on the manifest does
not match the hash value contained in the manifest, then see
<xref target="sect-6.6"/>.
</t>
<t>
Note that, during CA key rollover [RFC6489], signed objects for
two or more different CA instances will appear at the same
publication point.
</t>
<t>
An RP MAY check that the contents of each current manifest
conforms to the manifest's scope constraints, as specified
in <xref target="sect-2"/>.
</t>
<t>
Manifest processing is to be performed separately for each CA
instance, guided by the SIA id-ad-rpkiManifest URI in each CA
certificate.
</t>
<t>
If a current manifest contains entries for objects that are
not within the scope of the manifest, then the out-of-scope
entries SHOULD be disregarded in the context of this
manifest. If there is no other current manifest that
describes these objects within that other manifest's scope,
then see <xref target="sect-6.2"/>.
<list style="hanging" hangIndent="3">
<t hangText="For each signed object, if all of the following
conditions hold:">
<vspace blankLines="0"/>
<list style="symbols">
<t>
the manifest for its publication and the associated
publication point pass all of the above checks;
</t>
<t>
the signed object is valid; and
</t>
<t>
the manifests for every certificate on the
certification path used to validate the signed
object and the associated publication points pass
all of the above checks;
</t>
</list>
</t>
</list>
</t>
<t>
Note also that the processing described here will be performed
using locally cached files if an RP does not detect newer
versions of the files in the RPKI repository system.
</t>
</list>
</t>
</section>
<section title="Acquiring a Manifest for a CA" anchor="sect-6.2">
<t>
then the RP can conclude that no attack against the repository
system has compromised the given signed object, and the signed
object MUST be treated as valid (relative to manifest
checking).
Acquire the manifest identified by the SIA id-ad-rpkiManifest
URI in the CA certificate. If an RP cannot retrieve a manifest
using this URI, or if the manifest is not valid (Section 4.4),
an RP SHOULD examine the most recent, cached manifest matching
this URI. If that manifest is current (<xref
target="sect-4.4"/>) proceed to <xref target="sect-6.3"/>. If
the publication point does not contain a valid manifest, and the
cached manifest is not current, proceed to <xref
target="sect-6.7"/>.
</t>
</section>
<section title="Missing Manifests" anchor="sect-6.2">
<section title="Detecting Stale and or Prematurely-issued Manifests" anchor="sect-6.3">
<t>
The absence of a current manifest at a publication point could
occur due to an error by the publisher or due to (malicious or
accidental) deletion or corruption of all valid manifests.
</t>
<t>
When no valid manifest is available, there is no protection
against attacks that delete signed objects or replay old
versions of signed objects. All signed objects at the
publication point, and all descendant objects that are validated
using a certificate at this publication point, SHOULD be viewed
as suspect, but MAY be used by the RP, as per local policy.
</t>
<t>
The primary risk in using signed objects at this publication
point is that a superseded (but not stale) CRL would cause an RP
to improperly accept a revoked certificate as valid (and thus
rely upon signed objects that are validated using that
certificate). This risk is somewhat mitigated if the CRL for
this publication point has a short time between thisUpdate and
nextUpdate (and the current time is within this interval). The
risk in discarding signed objects at this publication point is
that an RP may incorrectly discard a large number of valid
objects. This gives significant power to an adversary that is
able to delete a manifest at the publication point.
</t>
<t>
Regardless of whether signed objects from this publication are
deemed fit for use by an RP, this situation SHOULD result in a
warning to the effect that: "No manifest is available for
&lt;pub point name&gt;, and thus there may have been undetected
deletions or replay substitutions from the publication point."
</t>
<t>
In the case where an RP has access to a local cache of
previously issued manifests that are valid, the RP MAY use the
most recently previously issued valid manifests for this RPKI
repository publication collection for each entity that publishes
at this publication point.
Check that the current time (translated to UTC) is between
thisUpdate and nextUpdate. If the current time lies within this
interval, proceed to <xref target="sect-6.4"/>. If the current
time is earlier than thisUpdate, the CA has made an error. If
the RP cache contains a current manifest, use that manifest
instead and issue a warning. If an RP has no access to a current
manifest, processing stops and a warning MUST be issued. If the
current time is later than nextUpdate, then the manifest is
stale. If the RP cache contains a current manifest, use that
manifest instead and issue a warning.If no current manifest is
available, proceed to <xref target="sect-6.7"/>.
</t>
</section>
<section title="Invalid Manifests" anchor="sect-6.3">
<section title="Acquiring Files Referenced by a Manifest" anchor="sect-6.4">
<t>
The presence of an invalid manifest at a publication point could
occur due to an error by the publisher or due to (malicious or
accidental) corruption of a valid manifest. An invalid manifest
MUST never be used, even if the manifestNumber of the invalid
manifest is greater than that of other (valid) manifests.
Acquire all files enumerated in the manifest (fileList) from the
publication point. This includes the CRL, each object containing
an EE certificate issued by the C, and all subordinate CA and EE
certificates. If there are files listed in the manifest that
cannot be retrieved from the publication point, or if they fail
the validity tests specified in <xref target="RFC6488"/>, the RP
SHOULD examine its cache to determine if these files are
available locally. If all of the missing/invalid files are
available from the RP's cache, i.e., each file name matches the
list extracted from the manifest, the RP SHOULD use the cached
files to replace those missing from the publication point, and
proceed to <xref target="sect-6.5"/>. However, if _any_ of the
missing/invalid files cannot be replaced in this fashion, then
proceed to <xref target="sect-6.7"/>.
</t>
</section>
<section title="Matching File Names and Hashes" anchor="sect-6.5">
<t>
There are no risks associated with using signed objects at a
publication point containing an invalid manifest, provided that
valid manifests that collectively cover all the signed objects
are also present.
</t>
<t>
If an invalid manifest is present at a publication point that
also contains one or more valid manifests, this situation SHOULD
result in a warning to the effect that: "An invalid manifest was
found at &lt;pub point name&gt;, this indicates an attack
against the publication point or an error by the publisher.
Processing for this publication point will continue using the
most recent valid manifest(s)."
</t>
<t>
In the case where the RP has access to a local cache of
previously issued (valid) manifests, an RP MAY make use of that
locally cached data. Specifically, the RP MAY use the locally
cached, most recent, previously issued, valid manifest issued by
the entity that (appears to have) issued the invalid manifest.
Verify that the hash value of every file listed in the manifest
matches the value obtained by hashing the file acquired from the
publication point or local cache. If the computed hash value of
a file listed on the manifest does not match the hash value
contained in the manifest, then an RP SHOULD examine its local
cache to determine if the same file is available. The RP SHOULD
use cached files to replace any (damaged) downloaded files, so
long as the hash of the cached file matches the hash from the
manifest. If any of the files with hash mismatches cannot be
replaced in this fashion, proceed to 6.7. Otherwise proceed to
<xref target="sect-6.6"/>.
</t>
</section>
<section title="Stale Manifests" anchor="sect-6.4">
<section title="Out of Scope Manifest Entries" anchor="sect-6.6">
<t>
A manifest is considered stale if the current time is after the
nextUpdate time for the manifest. This could be due to
publisher failure to promptly publish a new manifest, or due to
(malicious or accidental) corruption or suppression of a more
recent manifest.
</t>
<t>
All signed objects at the publication point issued by the entity
that has published the stale manifest, and all descendant signed
objects that are validated using a certificate issued by the
entity that has published the stale manifest at this publication
point, SHOULD be viewed as somewhat suspect, but MAY be used by
the RP as per local policy.
</t>
<t>
The primary risk in using such signed objects is that a newer
manifest exists that, if present, would indicate that certain
objects have been removed or replaced. (For example, the new
manifest might show the existence of a newer CRL and the removal
of one or more revoked certificates). Thus, the use of objects
from a stale manifest may cause an RP to incorrectly treat
invalid objects as valid. The risk is that the CRL covered by
the stale manifest has been superseded, and thus an RP will
improperly treat a revoked certificate as valid. This risk is
somewhat mitigated if the time between the nextUpdate field of
the manifest and the current time is short. The risk in
discarding signed objects at this publication point is that the
RP may incorrectly discard a large number of valid objects.
This gives significant power to an adversary that is able to
prevent the publication of a new manifest at a given publication
point.
</t>
<t>
Regardless of whether signed objects from this publication are
deemed fit for use by an RP, this situation SHOULD result in a
warning to the effect that: "A manifest found at &lt;pub point
name&gt; is no longer current. It is possible that undetected
deletions have occurred at this publication point."
</t>
<t>
Note that there is also the potential for the current time to be
before the thisUpdate time for the manifest. This case could be
due to publisher error or a local clock error; in such a case,
this situation SHOULD result in a warning to the effect that: "A
manifest found at &lt;pub point name&gt; has an incorrect
thisUpdate field. This could be due to publisher error, or a
local clock error, and processing for this publication point
will continue using this otherwise valid manifest."
If a current manifest contains entries for objects that are not
within the scope of the manifest (<xref target="sect-2"/>), then
the out-of-scope entries MUST be disregarded.
</t>
</section>
<section title="Mismatch between Manifest and Publication Point"
anchor="sect-6.5">
<section title="Termination of Processing" anchor="sect-6.7">
<t>
If there exist valid signed objects that do not appear in any
manifest, then, provided the manifest is not stale (see <xref
target="sect-6.4"/>), it is likely that their omission is an
error by the publisher. It is also possible that this state
could be the result of a (malicious or accidental) replacement
of a current manifest with an older, but still valid, manifest.
However, regarding the appropriate interpretation of such
objects, it remains the case that if the objects were intended
to be invalid, then they should have been revoked using whatever
revocation mechanism is appropriate for the signed object in
question. Therefore, there is little risk in using such signed
objects. If the publication point contains a stale manifest,
then there is a greater risk that the objects in question were
revoked, along with a missing Certificate Revocation List (CRL),
the absence of which is undetectable since the manifest is
stale. In any case, the use of signed objects not present on a
manifest, or descendant objects that are validated using such
signed objects, is a matter of local policy.
If an RP cannot acquire a current, valid manifest, or acquire
current, valid instances of all of the objects enumerated in a
current valid manifest, then processing of the signed objects
associated with the CA has failed. The RP MUST issue a warning
indicating the reason(s) for termination of processing with
regard to this CA.
</t>
<t>
Regardless of whether objects not appearing on a manifest are
deemed fit for use by the RP, this situation SHOULD result in a
warning to the effect that: "The following files are present in
the repository at &lt;pub point name&gt;, but are not listed on
any manifest &lt;file list&gt; for &lt;pub point name&gt;."
</t>
<t>
If there exists files listed on the manifest that do not appear
in the repository, then these objects are likely to have been
improperly (via malice or accident) deleted from the repository.
A primary purpose of manifests is to detect such deletions.
Therefore, in such a case, this situation SHOULD result in a
warning to the effect that: "The following files that should
have been present in the repository at &lt;pub point name&gt;
are missing &lt;file list&gt;. This indicates an attack against
this publication point, or the repository, or an error by the
publisher."
</t>
</section>
<section title="Hash Values Not Matching Manifests"
anchor="sect-6.6">
<t>
A file appearing on a manifest with an incorrect hash value
could occur because of publisher error, but it also may indicate
that an attack has occurred.
</t>
<t>
If an object appeared on a previous valid manifest with a
correct hash value, and it now appears with an invalid hash
value, then it is likely that the object has been superseded by
a new (unavailable) version of the object. If the object is
used, there is a risk that the RP will be treating a stale
object as valid. This risk is more significant if the object in
question is a CRL. If the object can be validated using the
RPKI, the use of these objects is a matter of local policy.
</t>
<t>
If an object appears on a manifest with an invalid hash and has
never previously appeared on a manifest, then it is unclear
whether the available version of the object is more or less
recent than the version indicated by the manifest. If the
manifest is stale (see <xref target="sect-6.4"/>), then it
becomes more likely that the available version is more recent
than the version indicated on the manifest, but this is never
certain. Whether to use such objects is a matter of local
policy. However, in general, it is better to use a possibly
outdated version of the object than to discard the object
completely.
</t>
<t>
While it is a matter of local policy, in the case of CRLs, an RP
SHOULD endeavor to use the most recently issued valid CRL, even
where the hash value in the manifest matches an older CRL or
does not match any available CRL for a CA instance. The
thisUpdate field of the CRL can be used to establish the most
recent CRL in the case where an RP has more than one valid CRL
for a CA instance.
</t>
<t>
Regardless of whether objects with incorrect hashes are deemed
fit for use by the RP, this situation SHOULD result in a warning
to the effect that: "The following files at the repository
&lt;pub point name&gt; appear on a manifest with incorrect hash
values &lt;file list&gt;. It is possible that these objects
have been superseded by a more recent version. It is very
likely that this problem is due to an attack on the publication
point, although it also could be due to a publisher error."
Termination or processing means that all of the ROAs and
subordinate certificates (CA and EE) MUST be considered
invalid. This implies that the RP MUST not try to acquire and
validate _subordinate_ signed objects, until the next interval
when the RP is scheduled to process data for this part of the
RPKI repository system.
</t>
</section>
@ -1061,7 +884,8 @@
specification. Additionally, the authors would like to thank Mark
Reynolds and Christopher Small for assistance in clarifying
manifest validation and RP behavior. The authors also wish to
thank Sean Turner for his helpful review of this document.
thank Job Snijders, Oleg Muravskiy, and Sean Turner for their
helpful review of this document.
</t>
</section>