IETF Logo Mail Archive

Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ietf-opsawg-finding-geofeeds-12: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Fri, 21 May 2021 21:02 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07E353A1E88; Fri, 21 May 2021 14:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X1f6P2Z3lVZk; Fri, 21 May 2021 14:02:18 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B42093A2079; Fri, 21 May 2021 14:02:17 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 14LL29Y4017712 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 21 May 2021 17:02:14 -0400
Date: Fri, 21 May 2021 14:02:09 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Randy Bush <randy@psg.com>
Cc: Benjamin Kaduk via Datatracker <noreply@ietf.org>, ggm@algebras.org, opsawg@ietf.org, opsawg-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-opsawg-finding-geofeeds@ietf.org
Message-ID: <20210521210209.GV32395@kduck.mit.edu>
References: <162149688912.26611.7060363738222603934@ietfa.amsl.com> <m2pmxl12e0.wl-randy@psg.com> <20210520233633.GO32395@kduck.mit.edu> <m2o8d3zxcz.wl-randy@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <m2o8d3zxcz.wl-randy@psg.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/NOXVwCG78hVndRYqhTQ4QqOq6ZY>
Subject: Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ietf-opsawg-finding-geofeeds-12: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 May 2021 21:02:20 -0000

On Fri, May 21, 2021 at 12:43:24PM -0700, Randy Bush wrote:
> >>> Publishing this document on the stanards-track does make one wonder
> >>> whether RFC 8805 should be adopted at least into the IETF stream and
> >>> possibly to the standards-track as well...
> >> 
> >> and it could use a bit of work in the process.  can you say "let's open
> >> a can of worms?"  but yes, geofeed has seriously 8805 deployment, and it
> >> is showing cracks.
> > 
> > The analogies to DMARC do kind of write themselves...
> 
> i nominate dnssec as the poster child here.  first version was not 
> deployable at all.

I think DNSSEC was always in the IETF stream, though -- DMARC started as
ISE, and we've had an IETF WG open for 6(?) years trying to bring it into
the IETF stream.

> > (We do have plenty of examples of shiny cryptographic schemes that remain
> > mostly unused, but I will refrain from naming names...)
> 
> and some that should have been unused
> 
> >>> Maybe I'm just confused about what "covered by he range of the inetnum:"
> >>> means, but I only see (at least so far) requirements that the signing
> >>> cert cover all addresses in the file, and that we fetch from the
> >>> most-specific inetnum: object with a geofeed reference.  Can't I still
> >>> sign with a cert that covers a broader range of addresses than the
> >>> intenum: object used to fetch?
> >> 
> >> i am trying to think of two examples [ yes, certs and inetnum:s may
> >> express ranges as well as cidr blocks ]
> >> 
> >> two inetnums:
> >>    1.2.3.0 - 1.2.3.7 
> >>    1.2.3.6 - 1.2.3.13
> >> and a cert for 1.2.3.0 - 1.2.3.13
> >> 
> >> and conversely
> >> 
> >> two certs:
> >>    1.2.3.0 - 1.2.3.7 
> >>    1.2.3.6 - 1.2.3.13
> >> and an inetnum: for 1.2.3.0 - 1.2.3.13
> > 
> > IIUC you'd need to subdivide the inetnums in order for the signatures to
> > work?
> 
> [ excuse i am running on 36 hours no sleep ]
> 
> currently we say
> 
>    The address range of the signing certificate MUST cover all prefixes
>    in the geofeed file it signs; and therefore must be covered by the
>    range of the inetnum:.
> 
> i.e. a cert for 1.2.3.0/24 can not sign either example.  i don't think
> that second restrictive clause is a logical conclusion from the first.
> 
> i suggest that, for simplicity and a redundancy check, the wrapper MUST
> be
> 
>     # RPKI Signature: A
>     #
>     # End Signature: B
> 
> where A-B MUST be the range of the inetnum: pointing to the file
> 
> and that the signing cert MUST cover A-Z, though could be wider.
> 
> i will work the text

That seems like it should have useful/workable properties.
We're now assigning semantics to the stuff after "RPKI Signature"/"End
Signature", that maybe didn't previously have important semantics.

Rob should probably weigh in on how much review such a change would need.

-Ben

> > nit: comma before "abusing" to aid readability.
> 
> ack
> 
> randy

v2.23.0 | Report a Bug | By Email