ROA Contents & Format Proposal Brian Weis Overview An - - PowerPoint PPT Presentation

▶

Apr 11, 2024 5 likes •147 views

ROA Contents & Format Proposal Brian Weis Overview An informal study was conducted considering ROA Contents Based on Steve Kents earlier presentations ROA Format Design Considerations Three possible formats

SLIDE 1

ROA Contents & Format Proposal

Brian Weis

SLIDE 2

MSEC WG IETF67 2

Overview

An informal study was conducted

considering

– ROA Contents

Based on Steve Kent’s earlier presentations

– ROA Format

Design Considerations
Three possible formats studied

SLIDE 3

MSEC WG IETF67 3

ROA Contents

Data necessary to have a fully specified ROA:

– Object type (I.e., “ROA”)

Plan ahead for other object types (e.g., signed AS policy)

– Object version (I.e., “1”) – Address prefix(es)

May be a subset of addresses in the EE set?

– AS number(s) authorized to advertise the address prefixes in the ROA – Validity interval (I.e., start/stop times)

May be shorter than the EE validity period in an emergency?

– Signature list

Including certificate pointers and other necessary parameters

SLIDE 4

MSEC WG IETF67 4

ROA Design Considerations

Design Considerations

– Size. Distribution through a network protocol may be advantageous in some cases – Extensibility. Format should allow standards- track additions to the format. – Open source tool availability. Tool availability is crucial to adoption. – Clearly defined canonicalization rules. Needed to support reliable digital signatures

SLIDE 5

MSEC WG IETF67 5

ROA Format

Three data formats considered

– Simple TLVs

Header + Type-Length-Value attributes

representation of the data

– ASN.1 – XML

SLIDE 6

MSEC WG IETF67 6

TLV Format

Object Header Auth AS

Type Len

Validity

Type Len

Signature

Type Len

Header

– Object Type – Version – Object Length

Attributes

SLIDE 7

MSEC WG IETF67 7

ASN.1 Format

Imports many definitions from RFC

3280 and RFC 3779

– No reason to re-specify common fields – ASN.1 open source tools already contain support for these definitions

New ASN.1 definitions create an ROA

framework for imported definitions.

SLIDE 8

MSEC WG IETF67 8

ASN.1 Format (Abridged)

so OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 40 } so-roa OBJECT IDENTIFIER ::= { so 1 } SO ::= SEQUENCE { sObject SObject, signatures SEQUENCE OF Signatures } SObject ::= SEQUENCE { signedObjectType Type, version [0] EXPLICIT SOVersion DEFAULT v1, validity Validity, ipAddrBlocks SEQUENCE OF IPAddressFamily, asIdentifiers SEQUENCE OF ASIdentifiers } Type ::= INTEGER { roa(1) } SOVersion ::= INTEGER { v1(0) } Signatures ::= SEQUENCE { certificatePointer AuthorityKeyIdentifier, authorityInfo AuthorityInfoAccessSyntax, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING }

SLIDE 9

MSEC WG IETF67 9

XML Format

Basic ROA Document Type Definition

(.dtd file) is simple

The digital signature specification is

taken from RFC 3275

– Signature XML elements are added during the signature process

SLIDE 10

MSEC WG IETF67 10

XML ROA

<!ELEMENT SO (sObject)> <!ELEMENT sObject (signedObjectType,version, validity, ipAddrBlocks*, asIdentifiers*)> <!ELEMENT signedObjectType (#PCDATA)> <!ELEMENT version (#PCDATA)> <!ELEMENT validity (notBefore,notAfter)> <!ELEMENT notBefore (uctTime)> <!ELEMENT notAfter (uctTime)> <!ELEMENT uctTime (#PCDATA)> <!ELEMENT ipAddrBlocks (IPAddressFamily,addressPrefix)> <!ELEMENT IPAddressFamily (addressFamily)> <!ELEMENT addressFamily (#PCDATA)> <!ELEMENT addressPrefix (#PCDATA)> <!ELEMENT asIdentifiers (id*)> <!ELEMENT id (#PCDATA)>

SLIDE 11

MSEC WG IETF67 11

Sample ROA

Comparison of an ROA in the three

formats

– Type: ROA – Version: 1 – Two prefixes – Two authorized ASes – One signature (RSA 1024-bit)

SLIDE 12

MSEC WG IETF67 12

Design Considerations

Yes (RFC 3275) Yes (DER) TBD

Canonicalizaton?

Yes (XMLSec) Yes (asn1c) No

Open Source Tools?

Yes Yes Yes

Extensible

1654 445 286

Size (bytes) of sample ROA XML ASN.1 TLV

SLIDE 13

MSEC WG IETF67 13

Conclusion: ASN.1 is the best compromise

While DER is substantially larger than a simple

TLV format (35% larger) it remains manageable.

ASN.1 is easily extensible.
Canonicalization rules are well defined.
Use of ASN.1 has some synergy with Resource

Certificates.

Open source ASN.1 compiler tools appear to hide

much of ASN.1 required knowledge from tools developers.

SLIDE 14

MSEC WG IETF67 14

Next steps

Get consensus on the content & format
Generate a -00 draft describing the

ROA Contents & Format Proposal

Brian Weis

Overview

considering

– ROA Contents

– ROA Format

ROA Contents

ROA Design Considerations

ROA Format

– Simple TLVs

representation of the data

– ASN.1 – XML

TLV Format

Object Header Auth AS

Validity

Signature

– Object Type – Version – Object Length

ASN.1 Format

3280 and RFC 3779

– No reason to re-specify common fields – ASN.1 open source tools already contain support for these definitions

framework for imported definitions.

ASN.1 Format (Abridged)

XML Format

(.dtd file) is simple

taken from RFC 3275

– Signature XML elements are added during the signature process

XML ROA

Sample ROA

formats

– Type: ROA – Version: 1 – Two prefixes – Two authorized ASes – One signature (RSA 1024-bit)

Design Considerations

Canonicalizaton?

Open Source Tools?

Extensible

Size (bytes) of sample ROA XML ASN.1 TLV

Conclusion: ASN.1 is the best compromise

TLV format (35% larger) it remains manageable.

Certificates.

much of ASN.1 required knowledge from tools developers.

Next steps

ROA prior to IETF 68