Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ietf-opsawg-finding-geofeeds-12: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Fri, 21 May 2021 21:02 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07E353A1E88; Fri, 21 May 2021 14:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X1f6P2Z3lVZk; Fri, 21 May 2021 14:02:18 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B42093A2079; Fri, 21 May 2021 14:02:17 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 14LL29Y4017712 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 21 May 2021 17:02:14 -0400
Date: Fri, 21 May 2021 14:02:09 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Randy Bush <randy@psg.com>
Cc: Benjamin Kaduk via Datatracker <noreply@ietf.org>, ggm@algebras.org, opsawg@ietf.org, opsawg-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-opsawg-finding-geofeeds@ietf.org
Message-ID: <20210521210209.GV32395@kduck.mit.edu>
References: <162149688912.26611.7060363738222603934@ietfa.amsl.com> <m2pmxl12e0.wl-randy@psg.com> <20210520233633.GO32395@kduck.mit.edu> <m2o8d3zxcz.wl-randy@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <m2o8d3zxcz.wl-randy@psg.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/NOXVwCG78hVndRYqhTQ4QqOq6ZY>
Subject: Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ietf-opsawg-finding-geofeeds-12: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 May 2021 21:02:20 -0000
On Fri, May 21, 2021 at 12:43:24PM -0700, Randy Bush wrote: > >>> Publishing this document on the stanards-track does make one wonder > >>> whether RFC 8805 should be adopted at least into the IETF stream and > >>> possibly to the standards-track as well... > >> > >> and it could use a bit of work in the process. can you say "let's open > >> a can of worms?" but yes, geofeed has seriously 8805 deployment, and it > >> is showing cracks. > > > > The analogies to DMARC do kind of write themselves... > > i nominate dnssec as the poster child here. first version was not > deployable at all. I think DNSSEC was always in the IETF stream, though -- DMARC started as ISE, and we've had an IETF WG open for 6(?) years trying to bring it into the IETF stream. > > (We do have plenty of examples of shiny cryptographic schemes that remain > > mostly unused, but I will refrain from naming names...) > > and some that should have been unused > > >>> Maybe I'm just confused about what "covered by he range of the inetnum:" > >>> means, but I only see (at least so far) requirements that the signing > >>> cert cover all addresses in the file, and that we fetch from the > >>> most-specific inetnum: object with a geofeed reference. Can't I still > >>> sign with a cert that covers a broader range of addresses than the > >>> intenum: object used to fetch? > >> > >> i am trying to think of two examples [ yes, certs and inetnum:s may > >> express ranges as well as cidr blocks ] > >> > >> two inetnums: > >> 1.2.3.0 - 1.2.3.7 > >> 1.2.3.6 - 1.2.3.13 > >> and a cert for 1.2.3.0 - 1.2.3.13 > >> > >> and conversely > >> > >> two certs: > >> 1.2.3.0 - 1.2.3.7 > >> 1.2.3.6 - 1.2.3.13 > >> and an inetnum: for 1.2.3.0 - 1.2.3.13 > > > > IIUC you'd need to subdivide the inetnums in order for the signatures to > > work? > > [ excuse i am running on 36 hours no sleep ] > > currently we say > > The address range of the signing certificate MUST cover all prefixes > in the geofeed file it signs; and therefore must be covered by the > range of the inetnum:. > > i.e. a cert for 1.2.3.0/24 can not sign either example. i don't think > that second restrictive clause is a logical conclusion from the first. > > i suggest that, for simplicity and a redundancy check, the wrapper MUST > be > > # RPKI Signature: A > # > # End Signature: B > > where A-B MUST be the range of the inetnum: pointing to the file > > and that the signing cert MUST cover A-Z, though could be wider. > > i will work the text That seems like it should have useful/workable properties. We're now assigning semantics to the stuff after "RPKI Signature"/"End Signature", that maybe didn't previously have important semantics. Rob should probably weigh in on how much review such a change would need. -Ben > > nit: comma before "abusing" to aid readability. > > ack > > randy
- [OPSAWG] Benjamin Kaduk's Discuss on draft-ietf-o… Benjamin Kaduk via Datatracker
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Russ Housley
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Randy Bush
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Randy Bush
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Randy Bush
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Russ Housley
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Randy Bush
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Russ Housley
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Randy Bush
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Randy Bush
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Randy Bush
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Rob Wilton (rwilton)
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Randy Bush
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Randy Bush
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Benjamin Kaduk
- Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ie… Randy Bush