diff --git a/draft-dekater-scion-pki.md b/draft-dekater-scion-pki.md index de4e705..9973d89 100644 --- a/draft-dekater-scion-pki.md +++ b/draft-dekater-scion-pki.md @@ -154,7 +154,7 @@ SCION has been developed with the following goals: *Availability* - to provide highly available communication that can send traffic over paths with optimal or required characteristics, quickly handle inter-domain link or router failures (both on the last hop or anywhere along the path) and provide continuity in the presence of adversaries. -*Security* - to provide higher levels of trust in routing information in order to prevent IP prefix hijacking/leaks, denial-of-service and other attacks. Endpoints can decide the trust roots they wish to rely on, routing information can be unambiguously attributed to an AS, and packets are only forwarded along authorized path segments. A particular use case is to enable geofencing. +*Security* - to introduce a new approach to inter-domain path security that leverages path awareness in combination with a unique trust model. The goal is to provide higher levels of trust in routing information to prevent traffic hijacking, and enable users to decide where their data travels based on routing information that can be unambiguously attributed to an AS, ensuring that packets are only forwarded along authorized path segments. A particular use case is to enable geofencing. *Scalability* - to improve the scalability of the inter-domain control plane and data plane, avoiding existing limitations related to convergence and forwarding table size. The advertising of path segments is separated into a beaconing process within each Isolation Domain (ISD) and between ISDs which incurs minimal overhead and resource requirements on routers. 
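Review bot: the rewritten *Security* goal drops the statement that endpoints can decide which trust roots to rely on (the old line read "Endpoints can decide the trust roots they wish to rely on"), and that property is the one this PKI document exists to specify; keep it in the new text. The new second sentence is also a run-on whose final clause ("ensuring that packets are only forwarded along authorized path segments") has no clear subject; split it, e.g. "... routing information that can be unambiguously attributed to an AS. Packets are only forwarded along authorized path segments." Note too that "denial-of-service and other attacks" is silently dropped; if that is intentional it is fine, but it should be a conscious choice rather than a side effect of the rewording.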
@@ -168,7 +168,7 @@ SCION relies on three main components: This document describes the SCION PKI component used by the Control Plane. It should be read in conjunction with the other components {{I-D.dekater-scion-controlplane}} and {{I-D.dekater-scion-dataplane}}. -The SCION architecture was initially developed outside of the IETF by ETH Zurich with significant contributions from Anapaya Systems. It is deployed in the Swiss finance sector to provide resilient connectivity between financial institutions. The aim of this document is to document the existing protocol specification as deployed, and to introduce new concepts that can potentially be further improved to address particular problems with the current Internet architecture. +The SCION architecture was initially developed outside of the IETF by ETH Zurich with significant contributions from Anapaya Systems. It is deployed in the Swiss finance sector to provide resilient connectivity between financial institutions. The aim of this document is to document the existing protocol specification as deployed, to encourage additional implementations, and to introduce new concepts that can potentially be further improved to address particular problems with the current Internet architecture. This document is not an Internet Standards Track specification; it does not have IETF consensus and it is published for informational purposes. Note (to be removed before publication): this document, together with the other components {{I-D.dekater-scion-controlplane}} and {{I-D.dekater-scion-dataplane}}, deprecates {{I-D.dekater-panrg-scion-overview}}. @@ -444,68 +444,63 @@ The RECOMMENDED **maximum validity period** of a sensitive voting certificate is (2) Recommended maximum validity period.
(3) A validity of 11 days with 4 days overlap between two CA certificates is RECOMMENDED to enable the best possible operational procedures when performing a CA certificate rollover. -{{figure-2}} illustrates, at a high level, the relationship between a TRC and the five types of certificates. +{{figure-2}} shows the content of a base/initial TRC, and the relationship between a TRC and the five types of certificates. The initial signatures are replaced by those of the Regular Voting Certificates with the first regular update to the base TRC. ~~~~ - +--------------------+ +--------------------+ +--------------+ +---------------+ - | TRC 1 +---->| TRC 2 -+------>╳ | TRC 3 +---->| TRC 4 | - | (base, initial) | | (regular update) | | (base, trust | | (sensitive | -+--+--------------------+ +--------------------+------+ | reset) | | update) | -| | +--------------+ +---------------+ -| | -+--------------------------------------------+ +---+----------------------------------------+ -| TRC 1 (base, initial) | | TRC 2 (regular update) | -|+------------------------------------------+| |+------------------------------------------+| -||- Version - Core ASes || ||- Version - Core ASes || -||- ID - Description || ||- ID - Description || -||- Validity - No Trust Reset || ||- Validity - No Trust Reset || -||- Grace Period - Voting Quorum || ||- Grace Period - Voting Quorum || -||- ... || ||- ... || -|+------------------------------------------+| |+------------------------------------------+| -|+--------------------++--------------------+| |+--------------------++--------------------+| -||Votes (cert.indices)|| Regular Voting || ||Votes (cert.indices)|| Regular Voting || -|| || Certificates || || || Certificates || -|| (empty) || || || (1),(2)... || || -|| ||+-----+ +-----+ || || ||+-----+ +-----+ || -|| ||| (1) | | (2) | || || ||| (1) | | (2) | || -|| |||C | |C | ... || || |||C | |C | ... 
|| -|| ||| reg | | reg | || || ||| reg | | reg | || -|+--------------------+|+--+--+ +--+--+ || |+--------------------+|+-----+ +-----+ || -|+--------------------+| | | || |+--------------------+| || -|| || | +--------++-----+ || || || -|| || +----------------++-+ | || || || -|| Signatures |+--------------------+| | | || Signatures |+--------------------+| -|| |+--------------------+| | | || |+--------------------+| -||+------------------+|| Sensitive Voting || | | ||+------------------+|| Sensitive Voting || -|||73 A9 4E AO 0D ...||| Certificates || | +--+>|48 AE E4 80 DB ...||| Certificates || -||+------------------+||+-----+ +-----+ || | ||+------------------+||+-----+ +-----+ || -||+------------------+||| (3) | | (4) | || | ||+------------------+||| (3) | | (4) | || -|||53 B7 7C 98 56 ...||||C | |C | || +------+>|7E BC 75 98 25 ...||||C | |C | || -||+------------------+||| sens| | sens| ... || ||+------------------+||| sens| | sens| ... || -|| ... ||+-----+ +-----+ || || ... ||+-----+ +-----+ || -|+--------------------++--------------------+| |+--------------------++--------------------+| -|+------------------------------------------+| |+------------------------------------------+| -|| CP Root Certificates || || CP Root Certificates || -|| || || || -|| +-----+ +-----+ +-----+ +-----+ || || +-----+ +-----+ +-----+ +-----+ || -|| | (5) | | (6) | | (7) | | (8) | || || | (5) | | (6) | | (7) | | (8) | || -|| |C | |C | |C | |C | || || |C | |C | |C | |C | || -|| | root| | root| | root| | root| ..... || || | root| | root| | root| | root| ..... 
|| -|| +-----+ +--+--+ +-----+ +--+--+ || || +-----+ +--+--+ +-----+ +--+--+ || -|+------------+---------------+-------------+| |+------------+---------------+-------------+| -+-------------+---------------+--------------+ +-------------+---------------+--------------+ - | | | | - +---------v-+ +-v---------+ +---------v-+ +-v---------+ - | CP CA | | CP CA | | CP CA | | CP CA | - |Certificate| |Certificate| |Certificate| |Certificate| - +-----+-----+ +-----+-----+ +-+-------+-+ +-----+-----+ - | | | | | - | | | | | - v v v v v - +-----------+ +-----------+ +-----------+ +-----------+ +-----------+ - | CP AS | | CP AS | | CP AS | | CP AS | | CP AS | - |Certificate| |Certificate| |Certificate| |Certificate| |Certificate| - +-----------+ +-----------+ +-----------+ +-----------+ +-----------+ ++--------------------------------------------+ +| TRC 1 | +| (base/initial) | +|+------------------------------------------+| +|| - Version - Core ASes || +|| - ID - Description || +|| - Validity - No Trust Reset || +|| - Grace Period - Voting Quorum || +|| - ... || +|+------------------------------------------+| +|+--------------------++--------------------+| +|| Votes || Regular Voting || +|| (cert. indices) || Certificates || +|| || || +|| || +-----+ +-----+ || +|| (empty) || | (1) | | (2) | || +|| || |C | |C | ...|| +|| || | reg | | reg | || +|+--------------------+| +-----+ +-----+ || +|+--------------------+| || +|| || || +|| || || +|| Signatures |+--------------------+| +|| |+--------------------+| +||+------------------+|| Sensitive Voting || +||| 73 A9 4E AO 0D...||| Certificates || +||+------------------+|| +-----+ +-----+ || +||+------------------+|| | (3) | | (4) | || +||| 53 B7 7C 98 56...||| |C | |C | || +||+------------------+|| | sens| | sens| ...|| +|| ... 
|| +-----+ +-----+ || +|+--------------------++--------------------+| +|+------------------------------------------+| +|| CP Root Certificates || +|| || +|| +-----+ +-----+ +-----+ +-----+ || +|| | (5) | | (6) | | (7) | | (8) | || +|| |C | |C | |C | |C | || +|| | root| | root| | root| | root| ... || +|| +-----+ +--+--+ +-----+ +--+--+ || +|+------------+---------------+-------------+| ++-------------+---------------+--------------+ + | | + v v + +-----------+ +-----------+ + | CP CA | | CP CA | + |Certificate| |Certificate| + +-----+-----+ +-----+-----+ + | | + v v + +-----------+ +-----------+ + | CP AS | | CP AS | + |Certificate| |Certificate| + +-----------+ +-----------+ ~~~~ {: #figure-2 title="TRC update chain and the different types of associated certificates. Arrows show how signatures are verified; in other words, they indicate that a public key contained in a certificate or TRC can be used to verify the authenticity of another item."} 
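Review bot: the replacement figure shows a single base TRC, but the unchanged caption on the last line of the hunk still reads "TRC update chain and the different types of associated certificates. Arrows show how signatures are verified", and the only arrows left are CP Root to CP CA to CP AS; the vote/signature arrows from the regular voting certificates (1),(2) into the signatures of TRC 2 disappeared together with TRC 2. Either update the caption to match the new content (e.g. "Content of a base TRC and the certificate types it anchors; arrows indicate which public key verifies which certificate") or keep a reduced two-TRC version of the chain so the caption stays true. Two further points in the same hunk: the new sentence "The initial signatures are replaced by those of the Regular Voting Certificates with the first regular update" is ambiguous about what "replaced" means, whereas the removed diagram made the relationship explicit (the update TRC's votes list the indices of the predecessor's regular voting certificates and its signatures are verified with their public keys), so say that in words; and the sample signature bytes "73 A9 4E AO 0D" contain a letter O where only hex digits belong (pre-existing, but this hunk rewrites the line, so "A0" can be fixed here).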
@@ -776,52 +771,7 @@ A TRC can have the following states: - Valid: The validity period of a TRC is defined in the TRC itself, in the `validity` field (see [](#validity)). A TRC is considered valid if the current time falls within its validity period. - Active: An active TRC is a valid TRC that can be used for verifying certificate signatures. This is either the latest TRC or the predecessor TRC, if it is still in its grace period (as defined in the `gracePeriod` field of the new TRC, see [](#grace)). No more than two TRCs can be active at the same time for any ISD. -{{figure-3}} shows the content of both a base/initial TRC and the first regularly-updated TRC based on the base TRC. All elements of the shown TRCs are specified in detail in the following subsections. - -~~~~ -+--------------------------------------------+ +--------------------------------------------+ -| TRC 1 (base, initial) | | TRC 2 (regular update) | -|+------------------------------------------+| |+------------------------------------------+| -||- Version - Core ASes || ||- Version - Core ASes || -||- ID - Description || ||- ID - Description || -||- Validity - No Trust Reset || ||- Validity - No Trust Reset || -||- Grace Period - Voting Quorum || ||- Grace Period - Voting Quorum || -||- ... || ||- ... || -|+------------------------------------------+| |+------------------------------------------+| -|+--------------------++--------------------+| |+--------------------++--------------------+| -||Votes (cert.indices)|| Regular Voting || ||Votes (cert.indices)|| Regular Voting || -|| || Certificates || || || Certificates || -|| (empty) || || || (1),(2)... || || -|| ||+-----+ +-----+ || || ||+-----+ +-----+ || -|| ||| (1) | | (2) | || || ||| (1) | | (2) | || -|| |||C | |C | ... || || |||C | |C | ... 
|| -|| ||| reg | | reg | || || ||| reg | | reg | || -|+--------------------+|+--+--+ +--+--+ || |+--------------------+|+-----+ +-----+ || -|+--------------------+| | | || |+--------------------+| || -|| || | +--------++-----+ || || || -|| || +----------------++-+ | || || || -|| Signatures |+--------------------+| | | || Signatures |+--------------------+| -|| |+--------------------+| | | || |+--------------------+| -||+------------------+|| Sensitive Voting || | | ||+------------------+|| Sensitive Voting || -|||73 A9 4E AO 0D ...||| Certificates || | +--+>|48 AE E4 80 DB ...||| Certificates || -||+------------------+||+-----+ +-----+ || | ||+------------------+||+-----+ +-----+ || -||+------------------+||| (3) | | (4) | || | ||+------------------+||| (3) | | (4) | || -|||53 B7 7C 98 56 ...||||C | |C | || +------+>|7E BC 75 98 25 ...||||C | |C | || -||+------------------+||| sens| | sens| ... || ||+------------------+||| sens| | sens| ... || -|| ... ||+-----+ +-----+ || || ... ||+-----+ +-----+ || -|+--------------------++--------------------+| |+--------------------++--------------------+| -|+------------------------------------------+| |+------------------------------------------+| -|| CP Root Certificates || || CP Root Certificates || -|| || || || -|| +-----+ +-----+ +-----+ +-----+ || || +-----+ +-----+ +-----+ +-----+ || -|| | (5) | | (6) | | (7) | | (8) | || || | (5) | | (6) | | (7) | | (8) | || -|| |C | |C | |C | |C | || || |C | |C | |C | |C | || -|| | root| | root| | root| | root| ..... || || | root| | root| | root| | root| ..... || -|| +-----+ +-----+ +-----+ +-----+ || || +-----+ +-----+ +-----+ +-----+ || -|+------------------------------------------+| |+------------------------------------------+| -+--------------------------------------------+ +--------------------------------------------+ -~~~~ -{: #figure-3 title="The TRC on the left-hand side is the initial base TRC. 
The TRC on the right is the product of the first regular update of the base TRC."} +{{figure-2}} shows the content of both a base/initial TRC, the changes made with the first regular update to the base TRC. All elements of the TRC is detailed in the following subsections. ### TRC Format 
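Review bot: the replacement sentence is both ungrammatical and no longer accurate. "shows the content of both a base/initial TRC, the changes made with the first regular update to the base TRC" is a broken "both ... and", "All elements of the TRC is detailed" needs "are", and, with figure-3 removed here and figure-2 reduced to a single base TRC in the same patch, {{figure-2}} no longer shows the changes made by the first regular update at all. Suggest: "{{figure-2}} shows the content of a base/initial TRC. All elements of the TRC are detailed in the following subsections." If the first-regular-update view is still wanted at this point, it has to be retained somewhere, since this hunk deletes the only diagram that showed the votes field populated with certificate indices.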
@@ -1106,29 +1056,33 @@ The selection of the right set of TRCs to build the trust anchor pool depends on The selection algorithm for building the trust anchor pool is described in pseudo-python code below. ~~~~python - def select_trust_anchors(trcs: Dict[(int,int), TRC], verification_time: int) -> Set[RootCert]: + def select_trust_anchors(trcs: Dict[(int,int), TRC], \ + verification_time: int) -> Set[RootCert]: """ Args: - trcs: The dictionary mapping (serial number, base number) to the TRC for a given ISD. + trcs: The dictionary mapping (serial number, \ + base number) to the TRC for a given ISD. verification_time: The time of verification. Returns: - The set of CP Root certificates that act as trust anchors. + The set of CP Root certificates acting as trust anchors. """ - # Find highest base number that has a TRC with a validity period - # starting before verification time. + # Find highest base number that has a TRC with validity + # period starting before verification time. base_nr = 1 - for trc in trcs.values(): - if trc.id.base_nr > base_nr and trc.validity.not_before <= verification_time: + for trc in trcs.values() + if trc.id.base_nr > base_nr and trc.validity.not_before \ + <= verification_time: base_nr = trc.id.base_nr - # Find TRC with highest serial number with the given base number and a - # validity period starting before verification time. + # Find TRC with highest serial number with given base number + # and a validity period starting before verification time. serial_nr = 1 for trc in trcs[isd].values(): if trc.id.base_nr != base_nr: continue - if trc.id.serial_nr > serial_nr and trc.validity.not_before <= verification_time: + if trc.id.serial_nr > serial_nr and \ + trc.validity.not_before <= verification_time: serial_nr = trc.id.serial_nr candidate = trcs[(serial_nr, base_nr)] 
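Review bot: the reflow introduces a syntax error: `for trc in trcs.values()` lost its trailing colon (the removed line had `for trc in trcs.values():`). While this block is being touched, the second loop still iterates `trcs[isd].values()` although `isd` is never defined and `trcs` is documented as the dictionary "for a given ISD"; it should be `trcs.values()` like the first loop. Also, the backslash continuations inside the docstring (`mapping (serial number, \` followed by `base number) to the TRC`) are unnecessary in a triple-quoted string and read oddly; wrap the docstring on a plain newline instead, and inside the parenthesised parameter list the `\` after `TRC],` is not needed either, since the open parenthesis already continues the line.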
@@ -1138,25 +1092,29 @@ The selection algorithm for building the trust anchor pool is described in pseud if not candidate.validity.contains(verification_time): return set() - # If the grace period has passed, only the certificates in that TRCs - # may be used as trust anchors. - if candidate.validity.not_before + candidate.grace_period < verification_time: + # If the grace period has passed, only the certificates in + # that TRC may be used as trust anchors. + if candidate.validity.not_before + candidate.grace_period \ + < verification_time: return collect_trust_anchors(candidate) predecessor = trcs.get((serial_nr-1, base_nr)) - if not predecessor or predecessor.validity.not_after < verification_time: + if not predecessor or predecessor.validity.not_after < \ + verification_time: return collect_trust_anchors(candidate) - return collect_trust_anchors(candidate) | collect_trust_anchors(predecessor) + return collect_trust_anchors(candidate) | \ + collect_trust_anchors(predecessor) def collect_trust_anchors(trc: TRC) -> Set[RootCert]: """ Args: - trc: A TRC from which the CP Root Certificates shall be extracted. + trc: A TRC from which the CP Root Certificates shall \ + be extracted. Returns: - The set of CP Root certificates that act as trust anchors. + The set of CP Root certificates acting as trust anchors. """ roots = set() for cert in trc.certificates: @@ -1604,6 +1562,12 @@ The signed TRC is validated by inspecting its contents on the monitor and verify Changes made to drafts since ISE submission. This section is to be removed before publication. +## draft-dekater-scion-pki-08 +{:numbered="false"} + +- Fix oversized diagrams +- Introduction text rewording + ## draft-dekater-scion-pki-07 {:numbered="false"}
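Review bot: same docstring issue as the previous hunk: `shall \` followed by `be extracted.` puts a line-continuation backslash inside a triple-quoted string, which is legal but easy to misread; just break the line. The control flow itself is unchanged by the reflow and reads correctly: once `candidate.validity.not_before + candidate.grace_period < verification_time` the predecessor is excluded, and otherwise the predecessor's roots are only unioned in if it exists and its `not_after` has not passed, which matches the "no more than two TRCs can be active at the same time" rule stated in the TRC states list above.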
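Review bot: the draft-08 changelog entry lists only "Fix oversized diagrams" and "Introduction text rewording", but this patch also removes figure-3 entirely (repointing its prose reference to figure-2), drops the TRC 2/3/4 update chain from figure-2, reflows the trust-anchor selection pseudocode, and adds the "not an Internet Standards Track specification" sentence. Readers diffing -07 against -08 will want those listed, in particular the figure-3 removal and the pseudocode change (which, as reflowed, no longer parses because of the missing colon on the first `for` loop).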