Re: [OPSAWG] Finding and Using Geofeed Data
Randy Bush <randy@psg.com> Sat, 12 September 2020 23:53 UTC
Return-Path: <randy@psg.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5B9C3A0E99 for <opsawg@ietfa.amsl.com>; Sat, 12 Sep 2020 16:53:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7X684g0qz7ih for <opsawg@ietfa.amsl.com>; Sat, 12 Sep 2020 16:53:24 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86AE93A0E98 for <opsawg@ietf.org>; Sat, 12 Sep 2020 16:53:24 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.90_1) (envelope-from <randy@psg.com>) id 1kHFKW-0004ic-Bs; Sat, 12 Sep 2020 23:53:16 +0000
Date: Sat, 12 Sep 2020 16:53:15 -0700
Message-ID: <m2zh5ublhw.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Massimo Candela <massimo@us.ntt.net>, opsawg@ietf.org
In-Reply-To: <4685.1599951840@localhost>
References: <8450cc78-8c60-ff7a-19f5-ea7335d262cd@us.ntt.net> <m25z8kdoqb.wl-randy@psg.com> <4685.1599951840@localhost>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/7msjEm2LpqtBzq7zzLQE1qZfS1k>
Subject: Re: [OPSAWG] Finding and Using Geofeed Data
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Sep 2020 23:53:26 -0000
>> Identifying the private key associated with the certificate, and
>> getting the department with the HSM to sign the CMS blob is left as
>> an exercise for the implementor.
>
> This cynical comment jumped out at me.
> It seems that you don't have a lot of confidence that the key will be
> easily used.
actually, i am hoping that ggm et alia will revive
draft-michaelson-rpki-rta
until then, i am personally not all that concerned about signing. as
folk start to actually follow this path (and massimo is keeping a list
of those who are), after a while folk may care enough about authenticity
to go through the effort of signing geofeeds.
but we felt it incumbent on us to specify how to do so.
> As I understand it, you are not creating the geofeed: attribute, but
> instead shoving a URL into a "remark".
one thing at a time. the ietf gave up on specifying rpsl a couple of
decades ago. a first task i was given as a new ops area director was
to shoot the rps wg. so we are not attempting to modify rpsl, though
we do suggest how it might be done.
> I don't see an IANA Considerations in RFC2622... so many you have to
> Updates?
let's you and them fight :)
> I gather from my quick reading that the geofeed data should be signed
> by the same RPKI key, and that such keys are rather high value.
> Should they be signing geofeed data?
got any other congruent authoritative keys?
> I understand RFC8805 to be a simple CSV format.
> One thought I have is to just stuff that into the "remark" directly.
scale issues. as i just said on nanog
for some flat fan out last kilometer providers that could be the
inetnum: object from hell. there are global providers which segment
large prefixes over diverse areas. etc.
i doubt the rpsl providers would like multi-megabyte inetnum:s. rpsl
providers already throttle in defense.
> I think that each inetnum:/inet6num: entry will be unique per prefix.
> Maybe the geography is not 1:1, particularly with larger IPv6
> allocations.
it isn't even for ipv4
> But, if the HTTP(S) indirection via URL requires a signature from the
> same key as the RPSL signature
there is no such thing as an rpsl signature. and i sure as bleep ain't
gonna propose one.
> then why not just put a SHA256 hash into the remark, eliminating the
> need to find the private key? That way, the same person with access
> signs both?
because, as the draft tries to politely say
Unfortunately the RPSL in many repositories is weakly authenticated
at best.
randy
- [OPSAWG] Finding and Using Geofeed Data Massimo Candela
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Erik Kline
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Michael Richardson
- Re: [OPSAWG] Finding and Using Geofeed Data Erik Kline
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Joe Clarke (jclarke)
- Re: [OPSAWG] Finding and Using Geofeed Data Massimo Candela
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Michael Richardson
- Re: [OPSAWG] Finding and Using Geofeed Data Erik Kline
- Re: [OPSAWG] Finding and Using Geofeed Data Joe Clarke (jclarke)
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Joe Clarke (jclarke)
- Re: [OPSAWG] Finding and Using Geofeed Data Randy Bush
- Re: [OPSAWG] Finding and Using Geofeed Data Owen DeLong