| < draft-ietf-opsawg-finding-geofeeds-14.txt | draft-ietf-opsawg-finding-geofeeds-15.txt > | |||
|---|---|---|---|---|
| Network Working Group R. Bush | Network Working Group R. Bush | |||
| Internet-Draft IIJ & Arrcus | Internet-Draft IIJ & Arrcus | |||
| Intended status: Standards Track M. Candela | Intended status: Standards Track M. Candela | |||
| Expires: November 22, 2021 NTT | Expires: November 23, 2021 NTT | |||
| W. Kumari | W. Kumari | |||
| R. Housley | R. Housley | |||
| Vigil Security | Vigil Security | |||
| May 21, 2021 | May 22, 2021 | |||
| Finding and Using Geofeed Data | Finding and Using Geofeed Data | |||
| draft-ietf-opsawg-finding-geofeeds-14 | draft-ietf-opsawg-finding-geofeeds-15 | |||
| Abstract | Abstract | |||
| This document specifies how to augment the Routing Policy | This document specifies how to augment the Routing Policy | |||
| Specification Language inetnum: class to refer specifically to | Specification Language inetnum: class to refer specifically to | |||
| geofeed data CSV files, and describes an optional scheme to use the | geofeed data CSV files, and describes an optional scheme to use the | |||
| Routing Public Key Infrastructure to authenticate the geofeed data | Routing Public Key Infrastructure to authenticate the geofeed data | |||
| CSV files. | CSV files. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 22, 2021. | This Internet-Draft will expire on November 23, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 5, line 6 ¶ | skipping to change at page 5, line 6 ¶ | |||
| multiple inetnum: objects. Files with geofeed references from | multiple inetnum: objects. Files with geofeed references from | |||
| multiple inetnum: objects are not compatible with the signing | multiple inetnum: objects are not compatible with the signing | |||
| procedure in Section 4. | procedure in Section 4. | |||
| When geofeed references are provided by multiple inetnum: objects | When geofeed references are provided by multiple inetnum: objects | |||
| which have identical address ranges, then the geofeed reference on | which have identical address ranges, then the geofeed reference on | |||
| the inetnum: with the most recent last-modified: attribute SHOULD be | the inetnum: with the most recent last-modified: attribute SHOULD be | |||
| preferred. | preferred. | |||
| As inetnum: objects form a hierarchy, Geofeed references SHOULD be at | As inetnum: objects form a hierarchy, Geofeed references SHOULD be at | |||
| the lowest applicable inetnum: object covering the relevant prefixes | the lowest applicable inetnum: object covering the relevant address | |||
| in the referenced geofeed file. When fetching, the most specific | ranges in the referenced geofeed file. When fetching, the most | |||
| inetnum: object with a geofeed reference MUST be used. | specific inetnum: object with a geofeed reference MUST be used. | |||
| It is significant that geofeed data may have finer granularity than | It is significant that geofeed data may have finer granularity than | |||
| the inetnum: which refers to them. For example an INETNUM object for | the inetnum: which refers to them. For example an INETNUM object for | |||
| a prefix P could refer to a geofeed file in which P has been sub- | an address range P could refer to a geofeed file in which P has been | |||
| divided into one or more longer prefixes. | sub-divided into one or more longer prefixes. | |||
| Currently, the registry data published by ARIN is not the same RPSL | Currently, the registry data published by ARIN is not the same RPSL | |||
| as that of the other registries (see [RFC7485] for a survey of the | as that of the other registries (see [RFC7485] for a survey of the | |||
| whois Tower of Babel); therefore, when fetching from ARIN via FTP | whois Tower of Babel); therefore, when fetching from ARIN via FTP | |||
| [RFC0959], whois [RFC3912], RDAP [RFC7482], or whatever, the | [RFC0959], whois [RFC3912], RDAP [RFC7482], or whatever, the | |||
| "NetRange" attribute/key MUST be treated as "inetnum" and the | "NetRange" attribute/key MUST be treated as "inetnum" and the | |||
| "Comment" attribute MUST be treated as "remarks". | "Comment" attribute MUST be treated as "remarks". | |||
| 4. Authenticating Geofeed Data | 4. Authenticating Geofeed Data | |||
| skipping to change at page 5, line 35 ¶ | skipping to change at page 5, line 35 ¶ | |||
| is valid, i.e. is authorized by the 'owner' of the IP address space | is valid, i.e. is authorized by the 'owner' of the IP address space | |||
| and is authoritative in some sense. The inetnum: which points to the | and is authoritative in some sense. The inetnum: which points to the | |||
| [RFC8805] geofeed file provides some assurance. Unfortunately, the | [RFC8805] geofeed file provides some assurance. Unfortunately, the | |||
| RPSL in many repositories is weakly authenticated at best. An | RPSL in many repositories is weakly authenticated at best. An | |||
| approach where RPSL was signed a la [RFC7909] would be good, except | approach where RPSL was signed a la [RFC7909] would be good, except | |||
| it would have to be deployed by all RPSL registries, and there is a | it would have to be deployed by all RPSL registries, and there is a | |||
| fair number of them. | fair number of them. | |||
| A single optional authenticator MAY be appended to a [RFC8805] | A single optional authenticator MAY be appended to a [RFC8805] | |||
| geofeed file. It is a digest of the main body of the file signed by | geofeed file. It is a digest of the main body of the file signed by | |||
| the private key of the relevant RPKI certificate for the covering | the private key of the relevant RPKI certificate for a covering | |||
| address range. One needs a format that bundles the relevant RPKI | address range. One needs a format that bundles the relevant RPKI | |||
| certificate with the signature of the geofeed text. | certificate with the signature of the geofeed text. | |||
| The canonicalization procedure converts the data from its internal | The canonicalization procedure converts the data from its internal | |||
| character representation to the UTF-8 [RFC3629] character encoding, | character representation to the UTF-8 [RFC3629] character encoding, | |||
| and the <CRLF> sequence MUST be used to denote the end of a line of | and the <CRLF> sequence MUST be used to denote the end of a line of | |||
| text. A blank line is represented solely by the <CRLF> sequence. | text. A blank line is represented solely by the <CRLF> sequence. | |||
| For robustness, any non-printable characters MUST NOT be changed by | For robustness, any non-printable characters MUST NOT be changed by | |||
| canonicalization. Trailing blank lines MUST NOT appear at the end of | canonicalization. Trailing blank lines MUST NOT appear at the end of | |||
| the file. That is, the file must not end with multiple consecutive | the file. That is, the file must not end with multiple consecutive | |||
| skipping to change at page 6, line 18 ¶ | skipping to change at page 6, line 18 ¶ | |||
| then padded BASE64 encoded (as per [RFC4648] Section 4), and line | then padded BASE64 encoded (as per [RFC4648] Section 4), and line | |||
| wrapped to 72 or fewer characters. The same digest algorithm MUST be | wrapped to 72 or fewer characters. The same digest algorithm MUST be | |||
| used for calculating the message digest on content being signed, | used for calculating the message digest on content being signed, | |||
| which is the geofeed file, and calculating the message digest on the | which is the geofeed file, and calculating the message digest on the | |||
| SignerInfo SignedAttributes [RFC8933]. The message digest algorithm | SignerInfo SignedAttributes [RFC8933]. The message digest algorithm | |||
| identifier MUST appear in both the SigenedData | identifier MUST appear in both the SigenedData | |||
| DigestAlgorithmIdentifiers and the SignerInfo | DigestAlgorithmIdentifiers and the SignerInfo | |||
| DigestAlgorithmIdentifier [RFC5652]. | DigestAlgorithmIdentifier [RFC5652]. | |||
| The address range of the signing certificate MUST cover all prefixes | The address range of the signing certificate MUST cover all prefixes | |||
| in the geofeed file it signs; and therefore must be covered by the | in the geofeed file it signs. | |||
| range of the inetnum:. | ||||
| An address range A 'covers' address range B if the range of B is | An address range A 'covers' address range B if the range of B is | |||
| identical to or a subset of A. 'Address range' is used here because | identical to or a subset of A. 'Address range' is used here because | |||
| inetnum: objects and RPKI certificates need not align on CIDR prefix | inetnum: objects and RPKI certificates need not align on CIDR prefix | |||
| boundaries, while those of the CSV lines in the geofeed file do. | boundaries, while those of the CSV lines in a geofeed file do. | |||
| As the signer specifies the covered RPKI resources relevant to the | As the signer specifies the covered RPKI resources relevant to the | |||
| signature, the RPKI certificate covering the inetnum: object's | signature, the RPKI certificate covering the inetnum: object's | |||
| address range is included in the [RFC5652] CMS SignedData | address range is included in the [RFC5652] CMS SignedData | |||
| certificates field. | certificates field. | |||
| Identifying the private key associated with the certificate, and | Identifying the private key associated with the certificate, and | |||
| getting the department that controls the private key (which might be | getting the department that controls the private key (which might be | |||
| trapped in a Hardware Security Module, HSM) to sign the CMS blob is | trapped in a Hardware Security Module, HSM) to sign the CMS blob is | |||
| left as an exercise for the implementor. On the other hand, | left as an exercise for the implementor. On the other hand, | |||
| skipping to change at page 8, line 25 ¶ | skipping to change at page 8, line 21 ¶ | |||
| [I-D.ietf-sidrops-rpki-rta] describes a Cryptographic Message Syntax | [I-D.ietf-sidrops-rpki-rta] describes a Cryptographic Message Syntax | |||
| (CMS) profile for a general purpose Resource Tagged Attestation (RTA) | (CMS) profile for a general purpose Resource Tagged Attestation (RTA) | |||
| based on the RPKI. While this is expected to become applicable in | based on the RPKI. While this is expected to become applicable in | |||
| the long run, for the purposes of this document, a self-signed root | the long run, for the purposes of this document, a self-signed root | |||
| trust anchor is used. | trust anchor is used. | |||
| 5. Operational Considerations | 5. Operational Considerations | |||
| To create the needed inetnum: objects, an operator wishing to | To create the needed inetnum: objects, an operator wishing to | |||
| register the location of their geofeed file needs to coordinate with | register the location of their geofeed file needs to coordinate with | |||
| their RIR/NIR and/or any provider LIR which has assigned prefixes to | their RIR/NIR and/or any provider LIR which has assigned address | |||
| them. RIRs/NIRs provide means for assignees to create and maintain | ranges to them. RIRs/NIRs provide means for assignees to create and | |||
| inetnum: objects. They also provide means of [sub-]assigning IP | maintain inetnum: objects. They also provide means of | |||
| address resources and allowing the assignee to create whois data, | [sub-]assigning IP address resources and allowing the assignee to | |||
| including inetnum: objects, and thereby referring to geofeed files. | create whois data, including inetnum: objects, and thereby referring | |||
| to geofeed files. | ||||
| The geofeed files MUST be published via and fetched using HTTPS | The geofeed files MUST be published via and fetched using HTTPS | |||
| [RFC2818]. | [RFC2818]. | |||
| When using data from a geofeed file, one MUST ignore data outside the | When using data from a geofeed file, one MUST ignore data outside the | |||
| referring inetnum: object's inetnum: attribute address range. | referring inetnum: object's inetnum: attribute address range. | |||
| If and only if the geofeed file is not signed per Section 4, then | If and only if the geofeed file is not signed per Section 4, then | |||
| multiple inetnum: objects MAY refer to the same geofeed file, and the | multiple inetnum: objects MAY refer to the same geofeed file, and the | |||
| consumer MUST use only lines in the geofeed file where the prefix is | consumer MUST use only lines in the geofeed file where the prefix is | |||
| skipping to change at page 10, line 5 ¶ | skipping to change at page 9, line 49 ¶ | |||
| It is generally prudent for a consumer of geofeed data to also use | It is generally prudent for a consumer of geofeed data to also use | |||
| other sources to cross-validate the data. All the Security | other sources to cross-validate the data. All the Security | |||
| Considerations of [RFC8805] apply here as well. | Considerations of [RFC8805] apply here as well. | |||
| As mentioned in Section 4, many RPSL repositories have weak if any | As mentioned in Section 4, many RPSL repositories have weak if any | |||
| authentication. This allows spoofing of inetnum: objects pointing to | authentication. This allows spoofing of inetnum: objects pointing to | |||
| malicious geofeed files. Section 4 suggests an unfortunately complex | malicious geofeed files. Section 4 suggests an unfortunately complex | |||
| method for stronger authentication based on the RPKI. | method for stronger authentication based on the RPKI. | |||
| For example, if an inetnum: for a wide prefix (e.g. a /16) points to | For example, if an inetnum: for a wide address range (e.g. a /16) | |||
| an RPKI-signed geofeed file, a customer or attacker could publish an | points to an RPKI-signed geofeed file, a customer or attacker could | |||
| unsigned equal or narrower (e.g. a /24) inetnum: in a whois registry | publish an unsigned equal or narrower (e.g. a /24) inetnum: in a | |||
| which has weak authorization, abusing the rule that the most-specific | whois registry which has weak authorization, abusing the rule that | |||
| inetnum: object with a geofeed reference MUST be used. | the most-specific inetnum: object with a geofeed reference MUST be | |||
| used. | ||||
| If signatures were mandatory, the above attack would be stymied. But | If signatures were mandatory, the above attack would be stymied. But | |||
| of course that is not happening anytime soon. | of course that is not happening anytime soon. | |||
| The RPSL providers have had to throttle fetching from their servers | The RPSL providers have had to throttle fetching from their servers | |||
| due to too-frequent queries. Usually they throttle by the querying | due to too-frequent queries. Usually they throttle by the querying | |||
| IP address or block. Similar defenses will likely need to be | IP address or block. Similar defenses will likely need to be | |||
| deployed by geofeed file servers. | deployed by geofeed file servers. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| End of changes. 11 change blocks. | ||||
| 23 lines changed or deleted | 24 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||