IETF Logo Mail Archive

Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ietf-opsawg-finding-geofeeds-12: (with DISCUSS and COMMENT)

Randy Bush <randy@psg.com> Fri, 21 May 2021 19:43 UTC

Return-Path: <randy@psg.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 538103A1E71; Fri, 21 May 2021 12:43:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t0TezyWhBTS6; Fri, 21 May 2021 12:43:29 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E3B93A1E4F; Fri, 21 May 2021 12:43:29 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.90_1) (envelope-from <randy@psg.com>) id 1lkB3N-0001YB-DS; Fri, 21 May 2021 19:43:25 +0000
Date: Fri, 21 May 2021 12:43:24 -0700
Message-ID: <m2o8d3zxcz.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Benjamin Kaduk via Datatracker <noreply@ietf.org>, ggm@algebras.org, opsawg@ietf.org, opsawg-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-opsawg-finding-geofeeds@ietf.org
In-Reply-To: <20210520233633.GO32395@kduck.mit.edu>
References: <162149688912.26611.7060363738222603934@ietfa.amsl.com> <m2pmxl12e0.wl-randy@psg.com> <20210520233633.GO32395@kduck.mit.edu>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/mexBiLRvdhW8bJTFS-U6RY7v9aE>
Subject: Re: [OPSAWG] Benjamin Kaduk's Discuss on draft-ietf-opsawg-finding-geofeeds-12: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 May 2021 19:43:40 -0000

>>> Publishing this document on the stanards-track does make one wonder
>>> whether RFC 8805 should be adopted at least into the IETF stream and
>>> possibly to the standards-track as well...
>> 
>> and it could use a bit of work in the process.  can you say "let's open
>> a can of worms?"  but yes, geofeed has seriously 8805 deployment, and it
>> is showing cracks.
> 
> The analogies to DMARC do kind of write themselves...

i nominate dnssec as the poster child here.  first version was not 
deployable at all.

> (We do have plenty of examples of shiny cryptographic schemes that remain
> mostly unused, but I will refrain from naming names...)

and some that should have been unused

>>> Maybe I'm just confused about what "covered by he range of the inetnum:"
>>> means, but I only see (at least so far) requirements that the signing
>>> cert cover all addresses in the file, and that we fetch from the
>>> most-specific inetnum: object with a geofeed reference.  Can't I still
>>> sign with a cert that covers a broader range of addresses than the
>>> intenum: object used to fetch?
>> 
>> i am trying to think of two examples [ yes, certs and inetnum:s may
>> express ranges as well as cidr blocks ]
>> 
>> two inetnums:
>>    1.2.3.0 - 1.2.3.7 
>>    1.2.3.6 - 1.2.3.13
>> and a cert for 1.2.3.0 - 1.2.3.13
>> 
>> and conversely
>> 
>> two certs:
>>    1.2.3.0 - 1.2.3.7 
>>    1.2.3.6 - 1.2.3.13
>> and an inetnum: for 1.2.3.0 - 1.2.3.13
> 
> IIUC you'd need to subdivide the inetnums in order for the signatures to
> work?

[ excuse i am running on 36 hours no sleep ]

currently we say

   The address range of the signing certificate MUST cover all prefixes
   in the geofeed file it signs; and therefore must be covered by the
   range of the inetnum:.

i.e. a cert for 1.2.3.0/24 can not sign either example.  i don't think
that second restrictive clause is a logical conclusion from the first.

i suggest that, for simplicity and a redundancy check, the wrapper MUST
be

    # RPKI Signature: A
    #
    # End Signature: B

where A-B MUST be the range of the inetnum: pointing to the file

and that the signing cert MUST cover A-Z, though could be wider.

i will work the text

> nit: comma before "abusing" to aid readability.

ack

randy

v2.23.0 | Report a Bug | By Email