[regext] Re: AD Evaluation: draft-ietf-regext-rdap-rir-search-13
Orie Steele <orie@transmute.industries> Thu, 30 January 2025 14:13 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CDE8C15154A for <regext@ietfa.amsl.com>; Thu, 30 Jan 2025 06:13:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.861
X-Spam-Level:
X-Spam-Status: No, score=-0.861 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J_B4CoNQ9DNb for <regext@ietfa.amsl.com>; Thu, 30 Jan 2025 06:13:26 -0800 (PST)
Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23272C151532 for <regext@ietf.org>; Thu, 30 Jan 2025 06:13:25 -0800 (PST)
Received: by mail-pj1-x1030.google.com with SMTP id 98e67ed59e1d1-2ee786b3277so1108741a91.1 for <regext@ietf.org>; Thu, 30 Jan 2025 06:13:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1738246405; x=1738851205; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=2AX3mJ4rSCgTKBsf+B0qAu10nDNZXSBF9FL6bDLlWIk=; b=H1D9/lDti9xjsUEi/YdvXAKKlypUHQj2ADG/oi7rELRMuRREoSK65oxzyzmUl3vDq5 +4UHzK1wHUVHSITlP7xA4GVxaV/Wvbhtzl4XM9Ndk3WTJHHmSksSwcx9D328d4fnTbw1 RofFtT3mV4nWck9s3l720LdrCXG7ZCR6uNAMC+TSkx7VCK7JnSQdpQblljU6mkIFs3ik UDnvlHqApiLdE1nGkbmE2ACOWupHnyuoZ33b5pFYJTqD2p6VJnrzrrUrv1GE3UT0+NQU r2hcjkCLE/DThFjiadUV+xER7/NVQaOSHD33FOPsCnMBZJ4aGKG8pqaZqPms9pv0Jv7b RkYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738246405; x=1738851205; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=2AX3mJ4rSCgTKBsf+B0qAu10nDNZXSBF9FL6bDLlWIk=; b=Neoe7p6dwcbKFuS4lmo4jhoGx+AAxaBJ1fNezvHISBuTBfpoqvQF9IDkhMQs23Bnyx x7NXg6WYuBhs+PLWJYVNUTooo29elw+irssWY6XqnfLzttPszXmAcux8O6YF2sWUJuU7 Pt3+YVP7rTpc4Ft2mYpyWpeJm5YCRaR8YI9LbSP18FcrVaImyXnY2h84py6N0rEntkjb VXPqnAGYWtzXtQrDkQOBNnWQiR3bjRVDKK/+TbIFUGgVpDhrNbELEZsvInb8MBBdgp7C knCjXfKWqEERkcGdxyDD4PfUajiYxFfo+wzRtZ5vFh8xrUfl/zAh5XT+H0fW/vMKH8Hk /NnA==
X-Forwarded-Encrypted: i=1; AJvYcCXpbqzhenuRB+rTZlrHjjLVQD72ezRXyrZ8rZ9W5tSByvrexqJA/nsa+F3590N7hUQF9/6+I6E=@ietf.org
X-Gm-Message-State: AOJu0YxYXmjJNJ120g7pW917srh+RVFEvljJCnGOHez7Vl7prpqx2UhE 6SVJRnKxwUtknJDBj586NXkF7/hEsdg83yQGGyvSmFOr4rsw6+isB1i8nK4sfRzSxiaZ7SrOGCp cMv1O0iIloupz6slXde5Y4y5N0f33YVrG/uXwyzhd9kl7Y6d5
X-Gm-Gg: ASbGncvrUnUZfwfp8KaUyLz1OCX3wrHNJ/osfBdUuLf+lKF7wgmFOhoPl6Ksad6sqfF k3d6b83jxXS7FJh3KncTH1EgRnUNYm6aQQSKEGocWcC+QPCgRgPIi4mDJDMD+tbcfX0ls46Fikm ztlVaWrJX2hLD7PJC41XehEVhCTTqO
X-Google-Smtp-Source: AGHT+IGoVN0aCdaTN5LzodYdy9TgPStK0ki8D/AVYUiREwR4ODl3HbD0seWkcexwbQPL06dxeWE0Zp0a0R8d9xR7yzI=
X-Received: by 2002:a17:90a:d890:b0:2ee:e317:69ab with SMTP id 98e67ed59e1d1-2f83aa65ed2mr13735414a91.0.1738246405120; Thu, 30 Jan 2025 06:13:25 -0800 (PST)
MIME-Version: 1.0
References: <CAMzqgowFYZ=SOGWemkGFCn+ftoMo1bUk0AJdewPjM-f=PzFU3Q@mail.gmail.com> <Z5q0974QicwSujDm@TomH-498551.lan>
In-Reply-To: <Z5q0974QicwSujDm@TomH-498551.lan>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 30 Jan 2025 08:13:13 -0600
X-Gm-Features: AWEUYZk_JY4iqyQjzz6St-pyFVXGLjOrE1iA26bTsxkfijCTWUUW0uQFPYdoCYE
Message-ID: <CAN8C-_K18jWcDY1JZakZzZgRqJDgPPCjqj_+4WyAiPR4Af7CNA@mail.gmail.com>
To: Orie <orie@or13.io>, regext@ietf.org
Content-Type: multipart/alternative; boundary="00000000000082806f062ced076d"
Message-ID-Hash: C5ZT6KXGSDICMMJQKXYB7KQDRJXV6LAM
X-Message-ID-Hash: C5ZT6KXGSDICMMJQKXYB7KQDRJXV6LAM
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-regext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [regext] Re: AD Evaluation: draft-ietf-regext-rdap-rir-search-13
List-Id: Registration Protocols Extensions Working Group <regext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/BDNjOMz7p-IzQRNmoTsFs_dZdwk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Owner: <mailto:regext-owner@ietf.org>
List-Post: <mailto:regext@ietf.org>
List-Subscribe: <mailto:regext-join@ietf.org>
List-Unsubscribe: <mailto:regext-leave@ietf.org>
Hi Tom, Thanks for addressing my comments. I'm marking the document revised I-D needed, and awaiting your updates. Regards, OS, ART AD On Wed, Jan 29, 2025 at 5:09 PM Tom Harrison <tomh@apnic.net> wrote: > Hi Orie, > > Thanks for your review, much appreciated. > > On Tue, Jan 28, 2025 at 05:15:49PM -0600, Orie wrote: > > # Orie Steele, ART AD, comments for draft-ietf-regext-rdap-rir-search-13 > > CC @OR13 > > > > * line numbers: > > - > https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-regext-rdap-rir-search-13.txt&submitcheck=True > > > > * comment syntax: > > - https://github.com/mnot/ietf-comments/blob/main/format.md > > > > ## Discuss > > > > ### 200 or 404 > > > > ``` > > 715 If the search can be processed by the server, but there are no > > 716 results for the search, then the server returns an HTTP 200 (OK) > > 717 [RFC9110] response code, with the body of the response containing > an > > 718 empty results array. > > ``` > > > > https://www.rfc-editor.org/rfc/rfc7480.html#section-5.3 implies that a > 404 > > MUST be returned. > > Thanks, we will update this part of the document to note that a 404 > should be returned in this case. > > > ### Bare identifiers > > > > The shepherd writeup comments on the use of "bare identifiers", and I > > recall some discussion regarding possible collisions. > > > > I didn't see anything about this in security considerations, are there > some > > "valid but harmful" examples that we can share to warn implementers, or > has > > this issue been resolved? > > There was some discussion about the risk of collision when bare > identifiers are used as path segments under existing path segments, as > is the case here with '/domains/rirSearch1/<relation>/<domain name>' > (the '/domains' path is defined in RFC 9082, > https://www.rfc-editor.org/rfc/rfc9082.html#section-3.2.1) See > https://mailarchive.ietf.org/arch/msg/regext/YtvMiv3xoNnxqBomm5lyTqrEgqo/ > from Scott Hollenbeck: > > Please note that the domain relation search function described in > the draft is apparently extending the core "domains" search > described in RFC 9082. Both currently use "domains" in the path > segment. That isn't optimal. There is no collision with the "ip" > and "autnum" path segments from 9082 because those values are > singular. This draft uses the plural forms "ips" and "autnums". > > If there's some reason that the above is invalid, please explain > why. The "rirSearch1" identifier appears in path segments and the > rdapConformance data structure, but I don't see how it actually > identifies an extension element unless it's intended to > disambiguate the "domains" search collision I noted above. If > that's the case, use of the extension prefix to create > "rs_domains" would avoid the collision entirely. > > and > https://mailarchive.ietf.org/arch/msg/regext/nHfJg1hA0h5RcEDzn0M3WQ63on4/ > (also from Scott), where it was noted that there is no collision > problem in this instance, because '/domains' queries per RFC 9082 can > be unambiguously distinguished from '/domains/rirSearch1' queries per > this draft. Additionally, from > https://mailarchive.ietf.org/arch/msg/regext/X5vlp8Il8WVg8S0bouV8mKz_UXk/ > (also from Scott): > > Mario, my concern about a possible collision arose because > “domains” (from RFC 9082) === “domains” (from the draft). I’m not > sure if the draft is specifying a new “domains” path segment (in > which case the names do collide), or if the draft is extending the > 9082 path segment by adding additional elements to the path. My > confusion exists because the draft isn’t using prefixed extension > identifiers. The situation would be unambiguous if the draft used > something like “rs_domains”, or “domains/rs_rirSearch1”. The > prefix is a clear indicator of what’s being extended. In my > exchange with Jasdip I did note that there’s no operational issue > here even if there is a collision because a properly formed query > will contain other information that enables a server to correctly > process both 9082 queries and RIR search queries, though I’d > prefer that the information included an extension identifier > prefix. > > To summarise, there isn't a collision problem in this document itself, > so we don't think that any text about that is needed here, though it > may be a good idea to add something about that to the extensions > document > (https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-extensions/) > > On the related topic of bare identifiers, > https://www.rfc-editor.org/rfc/rfc9082.html#section-5 has: > > Custom path segments can be created by prefixing the segment with > a unique identifier followed by an underscore character (0x5F). > For example, a custom entity path segment could be created by > prefixing "entity" with "custom_", producing "custom_entity". > > and https://www.rfc-editor.org/rfc/rfc9083.html#section-2.1 has: > > Servers that insert such unspecified members into JSON responses > SHOULD have member names prefixed with a short identifier followed > by an underscore followed by a meaningful name. > > both of which run counter to the concept of bare identifiers. > https://mailarchive.ietf.org/arch/msg/regext/9ZJ8P51rEIJs0jw0OnPIH0cnPGI/ > sets out the authors' reasons for using bare identifiers > notwithstanding the text in RFC 9082 and RFC 9083 on this topic. > > > ## Comments > > > > ### Better Search Example Syntax? > > > > Instead of: > > > > ``` > > 157 ips?handle=XXXX > > ``` > > > > Consider syntax like: > > > > ``` > > Client request: > > > > GET .well-known/api-catalog HTTP/1.1 > > Host: example.com > > Accept: application/linkset+json > > > > > > Server response: > > > > HTTP/1.1 200 OK > > Date: Mon, 01 Jun 2023 00:00:01 GMT > > Server: Apache-Coyote/1.1 > > Content-Type: application/linkset+json; > > profile="THIS-RFC-URL" > > > > { > > "linkset": [ > > { > > .... > > ``` > > > > (borrowed from - > > https://datatracker.ietf.org/doc/draft-ietf-httpapi-api-catalog/08/) > > We would prefer to use the existing syntax, for consistency with the > searches defined in RFC 9082. > > > ### Top/Bottom > > > > Is there a reason that `192.0.2.128/25` <http://192.0.2.128/25> is > missing from: > > > > ``` > > 391 +==================+===========================================+ > > 392 | INR object value | Bottom objects | > > 393 +==================+===========================================+ > > 394 | 192.0.2.0/24 | 192.0.2.0/25, 192.0.2.0/28, 192.0.2.0/32, | > > 395 | | 192.0.2.128/26, 192.0.2.192/26 | > > 396 +------------------+-------------------------------------------+ > > 397 | 192.0.2.0/25 | 192.0.2.0/25, 192.0.2.0/28, 192.0.2.0/32 | > > 398 +------------------+-------------------------------------------+ > > 399 | 192.0.2.128/25 | 192.0.2.128/26, 192.0.2.192/26 | > > 400 +------------------+-------------------------------------------+ > > ``` > > > > I expected to see text explaining why `192.0.2.0/25` > <http://192.0.2.0/25> is present but ` > > 192.0.2.128/25` <http://192.0.2.128/25> is not. > > The set of bottom objects comprises the most-specific objects that > entirely cover the specified object value. '192.0.2.0/25' is present > as a bottom object for '192.0.2.0/24' because it is the most-specific > object in the hierarchy for the addresses in '192.0.2.0/25', save for > those addresses that fall within '192.0.2.0/28' and '192.0.2.0/32' > (i.e. it's fine for the set of bottom objects to overlap, if that's > what's required to cover the specified object value). > '192.0.2.128/25' is not present as a bottom object for '192.0.2.0/24' > because it is itself completely covered by more specific objects, > being '192.0.2.128/26' and '192.0.2.192/26'. > > > I also wonder why `192.0.2.0/25` <http://192.0.2.0/25> is repeated in > its bottom objects, > > whereas `192.0.2.128/25` <http://192.0.2.128/25> is not. > > The answer here is similar to the previous one. '192.0.2.0/25' is not > completely covered by more-specific objects, so it is included in its > set of bottom objects. Whereas '192.0.2.128/25' is completely covered > by more-specific objects, so it is omitted from its set of bottom > objects. > > > ### SHOULD return 501? > > > > ``` > > 505 By default, any valid status value may be used for status > filtering. > > 506 Server operators MAY opt not to support "status" filtering for the > > 507 "down" and "bottom" link relations, in which case the server should > > 508 respond with an HTTP 501 (Not Implemented) [RFC9110] response code > if > > 509 it receives such a request. Server operators MAY also opt not to > > ``` > > Thanks, we will update this to SHOULD. > > -Tom > > _______________________________________________ > regext mailing list -- regext@ietf.org > To unsubscribe send an email to regext-leave@ietf.org >