Re: [OPSAWG] Paul Wouters' Discuss on draft-ietf-opsawg-9092-update-10: (with DISCUSS and COMMENT)
Randy Bush <randy@psg.com> Tue, 13 February 2024 22:08 UTC
Return-Path: <randy@psg.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E88CEC1519A5; Tue, 13 Feb 2024 14:08:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=psg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6R3GGUV1tP5U; Tue, 13 Feb 2024 14:08:02 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 934F0C1519A2; Tue, 13 Feb 2024 14:08:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=psg.com; s=rgnet-mail; h=Content-Type:MIME-Version:References:In-Reply-To:Subject:Cc: To:From:Message-ID:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=awGCwe/AsSqxves4Nt0lpvCCBZy0twy+cJOHrGfVF7I=; b=W/Bms7E1xA4zxfvsDCTxQdwcez O8cOaChaLYA5doDkfu32dYs75cLzMWslH3P6+68XMokpbtFGUzMWPmIe53jsadScusd5uQvVrkj4n ZSJcDr4W0CYNX3k5fFV6xYK+a+zpE4otlx6Lc0VjP3NGNHB1aR64i/0YoiLwZluaBbAqlWW3QmrMh pExXEj+Ad+UK/aQr2Qt+s87Kt2T//PTLqzowlfAO1MeRhWpTzfIfUFUINvh3qlIMKSvnqUCrMuXnf fgeqBhN6KCzs3UGtVdkI+5wc8PugUOE42tp4rji/D/UDclleqVgcMbsk4CEKh6OKQHEE5NdbuEwCe XqfG8eYg==;
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.95) (envelope-from <randy@psg.com>) id 1ra0wa-000Hab-Mp; Tue, 13 Feb 2024 22:08:01 +0000
Date: Tue, 13 Feb 2024 14:07:58 -0800
Message-ID: <m27cj8m30h.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Paul Wouters via Datatracker <noreply@ietf.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsawg-9092-update@ietf.org, opsawg-chairs@ietf.org, opsawg@ietf.org, mcr+ietf@sandelman.ca
In-Reply-To: <170784829052.7939.16825522646369028165@ietfa.amsl.com>
References: <170784829052.7939.16825522646369028165@ietfa.amsl.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.2 Mule/6.0
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/TzSTkuM-WOtyZ67XhM7iCa1H6Ks>
Subject: Re: [OPSAWG] Paul Wouters' Discuss on draft-ietf-opsawg-9092-update-10: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Feb 2024 22:08:07 -0000
thanks for review, paul
> #1 document track
>
> The document is Standards Track, and so are the docs is
> Obsoletes/Updates ([RFC2725] and [RFC4012]), but the document also
> claims "change control effectively lies in the operator community".
> Normally, that would mean the IETF publishes this as Informational.
> But of course that would raise the issue that an Informational would
> Obsolete a Standards Track document. Some discussion on this would be
> good.
please differentiate between change control of the document, and of
RPSL. the ietf abandoned RPSL decades ago.
> #2 Transport Security
>
> There are quite a few sentences scattered through the document about
> transport security that are not aligned, see:
>
> The URL uses HTTPS, so the WebPKI provides authentication
>
> So is HTTPS mandatory? I guess not since (see below) FTP is allowed as
> URL too.
please differentiate between
- fetching a geofeed file pointed to by an inetnum: https url, and
- fetching the rirs's published archive of all inetnums: and other
rpsl objects
> the RIR's FTP [RFC0959] services SHOULD be used
that is bulk fetching the rpsl, not the geofeed
> More seriously, can we avoid SHOULDing the FTP protocol?
> Are these resources not made available over HTTP?
one at a time with tweezers. don't do that.
> Note the paragraph above it says: "Historically, [...] often without
> consistent authentication". I wouldn't call that "Historically" if you
> are are promoting FTP and allow "unsigned" files.
again, please differentiate between the bulk fetch of the rpsl via ftp
and the fetch of individual geofeed files via https.
> The geofeed files MUST be published via and fetched using HTTPS
> [RFC9110].
>
> Uhm. So what about FTP now?
again, please differentiate between the bulk fetch of the rpsl via ftp
and the fetch of individual geofeed files via https.
> The Security Considerations could bundle all the talk about HTTPS and
> FTP and put in one clear clause here, mentioning that due to lack of
> universal signing, it is sadly super important to have transport
> security protection (eg HTTPS, not FTP)
again, the differentiateion between the rpsl data and the geofeed files
is critical.
> #3 Signature and white space requirements are a bit troubling
> #4 Misc. Security comments
more on these later, when russ has had a chance to comment
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Since geofeed_1 contains geolocation data about 192.0.2.0/29,
> it is discarded because 192.0.2.0/24 is within the more specific
> inetnum: covering the address range and that inetnum: has a
> geofeed reference.
>
> This reads a bit odd, a 192.0.2.0/29 comes out of nowhere. I guess you
> meant to say "a client looking for geofeed data for 192.0.2.0/29" ?
how about
An application looking for geofeed data for 192.0.2.0/29, MUST
ignore data in geofeed_1 because 192.0.2.0/29 is within the
more specific 192.0.2.0/24 inetnum: covering that address range
and that inetnum: does have a geofeed reference.
randy
- Re: [OPSAWG] Paul Wouters' Discuss on draft-ietf-… Randy Bush
- [OPSAWG] Paul Wouters' Discuss on draft-ietf-opsa… Paul Wouters via Datatracker
- Re: [OPSAWG] Paul Wouters' Discuss on draft-ietf-… Job Snijders
- Re: [OPSAWG] Paul Wouters' Discuss on draft-ietf-… Randy Bush
- Re: [OPSAWG] Paul Wouters' Discuss on draft-ietf-… Russ Housley
- Re: [OPSAWG] Paul Wouters' Discuss on draft-ietf-… Randy Bush
- Re: [OPSAWG] Paul Wouters' Discuss on draft-ietf-… Russ Housley
- Re: [OPSAWG] Paul Wouters' Discuss on draft-ietf-… Russ Housley