constraining RPKI Trust Anchors

Tue Sep 26 18:49:04 UTC 2023

Job,

This looks fantastic, thank you!

For my edification and clarification, the reason you don't need a

deny 2000::/3

or

deny 0::/0

at the bottom of the ARIN list of allows is that every file comes with an
implicit "deny all", is that correct?

Is there a drawback to adding the explicit "deny 0::/0" at the bottom of
the file, to make it clear that everything else will return "invalid"?
I tend to prefer being explicit in my configurations, rather than depending
upon implicit behaviours which might change with future versions of
software releases.

Thanks!

Matt

On Tue, Sep 26, 2023 at 9:57 AM Job Snijders via NANOG <nanog at nanog.org>
wrote:

> Dear all,
>
> Two weeks ago AFRINIC was placed under receivership by the Supreme Court
> of Mauritius. This event prompted me to rethink the RPKI trust model and
> associated risk surface.
>
> The RPKI technology was designed to be versatile and flexible to
> accommodate a myriad of real-world deployment scenarios including
> multiple trust anchors existing, inter-registry transfers, multiple
> transports, and permissionless innovation for signed objects, for
> example. All good and well ... but ofcouse there is a fine print. :-)
>
> Over the years various people have expressed astonishment about each RIR
> having issued so-called 'all-resources' (0.0.0.0/0 + ::/0) trust anchor
> certificates, but this aspect often is misunderstood: the risk is not
> necessarily in the listing of 'all-resources' itself, it is in the RIR
> being able to issue an 'all-resources' certificate in the first place.
> RPKI trust anchor operators indeed can voluntarily reduce the scope of
> subordinate Internet Number Resources, but just as easily increase the
> scope of their authority. In other words, a trust anchor cannot truly
> constrain itself.
>
> Upon reconsideration on how exactly RPKI hooks into the real world; I
> concluded trust anchors do not require unbounded trust in order to
> provide constructive services in the realm of BGP routing security.
>
> Some examples: ARIN does not support inter-RIR IPv6 transfers, so it
> would not make any sense to see a ROA subordinate to ARIN's trust anchor
> covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense
> to observe a ROA covering ARIN-managed IPv6 space under APNIC's,
> LACNIC's, or RIPE's trust anchor - even if a cryptographically valid
> certificate path existed. Along these lines AFRINIC doesn't support
> inter-RIR transfers of any kind; and none of the RIRs have authority
> over private resources like 10.0.0.0/8 or AS 65535. It seems feasible to
> paint constraints around RPKI trust anchors in broad strokes.
>
> Over the last two weeks I've diligently worked with Theo Buehler to
> research RIR transfer policies, untangle the history of the IANA->RIR
> and RIR->RIR allocation spaghetti, design & implement a maintainable
> constraints mechanism for rpki-client(8), and publicly document the
> concept of applying operator-defined policy to derived trust arcs.
>
> Please take a moment to read
>
> https://www.ietf.org/archive/id/draft-snijders-constraining-rpki-trust-anchors-00.html
>
> Your feedback is appreciated.
>
> Kind regards,
>
> Job
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20230926/12faba56/attachment.html>