Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ietf-opsawg-finding-geofeeds-12: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Wed, 26 May 2021 02:55 UTC

Date: Tue, 25 May 2021 19:55:41 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Randy Bush <randy@psg.com>
Cc: Benjamin Kaduk via Datatracker <noreply@ietf.org>, ggm@algebras.org, opsawg@ietf.org, opsawg-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-opsawg-finding-geofeeds@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/AgWCUsbvnvqtQIamAXZ5F0i9qm8>

On Fri, May 21, 2021 at 03:12:21PM -0700, Randy Bush wrote:
> > If we're going with "[#RPKI Signature] address range MUST match [inetnum:
> > followed to get here]", then there are probably a couple places that still
> > talk about "covered by" that should catch up.
> 
> don't find any
> 
> what i did find is that i forgot to remove
> 
>          The address range of the signing certificate MUST cover all
> -        prefixes in the geofeed file it signs; and therefore must be
> -        covered by the range of the inetnum:.
> +        prefixes in the geofeed file it signs.
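
Review bot: With "and therefore must be covered by the range of the inetnum:" dropped from the sentence ending "prefixes in the geofeed file it signs", this paragraph no longer says how the signing certificate's address range relates to the inetnum: that led to the file. If that relationship is now carried only by the "[#RPKI Signature] address range MUST match [inetnum: followed to get here]" rule discussed above, add a pointer to it here so a reader sees both requirements together.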

ok.

It looks like the thing in the diff that stuck out at me is actually for
the unsigned case, and "covered by" is (AFAICT) the right semantics for
that situation.
 
> > We may also need to look more closely at the bits after "# RPKI
> > Signature".  The example uses a CIDR range, but IIRC inetnum: ranges
> > are not limited to CIDR blocks, which would mean we need a story for
> > how to handle non-CIDR blocks.
> 
> ranges are well-defined in rpki, inetnum:, etc.  8805 entries must be
> cidr.
> 
> that an inetnum: or rpki cert range must cover geofeed file prefixes
> seems pretty clear.  but i have tweaked wording a bit.  i can push my
> emacs buffer to id repo, but will wait a bit for other comments.

I guess I dallied too long and this became the -15.

Having slept it over, I think the "IP address range [of "# RPKI
Signature:"/"# End Signature"] must match the inetnum: URL followed to get
to the file" is a good choice and helps identify the intended semantics
(though, of course, is not itself covered by the signature).

I think we still need to update the example to show how to represent a
non-CIDR range, though.  (I think, from the previous discussion, we wanted
the "RPKI Signature" line to have a starting address and the "End
Signature" line to have an ending address, but could be misremembering.)


Otherwise, looking at the diff from -12 to -15
(https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-finding-geofeeds-15&url1=draft-ietf-opsawg-finding-geofeeds-12),
I see that we now say "The IETF standardized RPSL in [RFC2725] and
[RFC4012]", but 2622 might actually be the right reference there, even if
we do need 2725 later for "inetnum:" itself.

The other changes look good.

Thanks,

Ben

P.S. I am impressed by the (apparent) automation to re-generate the
certificate (and example) at the time of building the document!
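
The "covered by" check for a non-CIDR inetnum: range, as discussed in the message above, shown as an added example (not code from the draft or from either author). The function names and the sample range and geofeed lines are constructed for illustration; only Python's standard `ipaddress` module is used.

```python
import ipaddress

def parse_inetnum_range(value):
    """Parse an inetnum:-style 'first - last' range (need not be a CIDR block)."""
    first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
    if first.version != last.version or first > last:
        raise ValueError(f"bad range: {value!r}")
    return first, last

def range_as_cidrs(first, last):
    """A non-CIDR range can only be expressed as a list of CIDR blocks."""
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def geofeed_prefixes(text):
    """Yield prefixes from RFC 8805 CSV lines, skipping blanks and '#' comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            # strict=True rejects entries with host bits set (not a valid prefix)
            yield ipaddress.ip_network(line.split(",")[0].strip(), strict=True)

def uncovered(text, first, last):
    """Return the geofeed prefixes that are NOT covered by [first, last]."""
    bad = []
    for net in geofeed_prefixes(text):
        inside = (net.version == first.version
                  and first <= net.network_address
                  and net.broadcast_address <= last)
        if not inside:
            bad.append(str(net))
    return bad

# Constructed sample data (documentation address space, not from the draft).
INETNUM = "192.0.2.0 - 192.0.2.5"   # deliberately not a single CIDR block
GEOFEED = """\
# constructed geofeed
192.0.2.0/30,US,US-WA,Seattle,
192.0.2.4/31,US,US-WA,Seattle,
192.0.2.4/30,US,US-WA,Seattle,
"""

if __name__ == "__main__":
    lo, hi = parse_inetnum_range(INETNUM)
    print("range as CIDRs:", range_as_cidrs(lo, hi))
    print("not covered:", uncovered(GEOFEED, lo, hi))
```

The third geofeed entry starts inside the range but extends past its last address, which is the case a check on the start address alone would miss.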