Re: [sidr] [Technical Errata Reported] RFC6482 (7079)

Job Snijders <job@fastly.com> Wed, 10 August 2022 17:18 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B83BC13CCEB for <sidr@ietfa.amsl.com>; Wed, 10 Aug 2022 10:18:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ytud0atA9fTC for <sidr@ietfa.amsl.com>; Wed, 10 Aug 2022 10:18:01 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FB9CC157B52 for <sidr@ietf.org>; Wed, 10 Aug 2022 10:18:01 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id w19so28895694ejc.7 for <sidr@ietf.org>; Wed, 10 Aug 2022 10:18:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc; bh=Bu6CXM0d9RBpQFSqJhXrd/FAhNr7jhnD1puRbegS0nA=; b=OjnYvpCE2QMKDn4hCc8i5M1+eRA5W54UAIhOzXVNvnhdMAWy7o1OOxM5F240r4tNzx sslfYDm4yQzWYo09iK86YibwxyINwgMaqIdsq05B5QhGoXhIwckYDTqfKVVNW7BI1/Xy RV0qmuKDDjV21/P+l7eSZQGbfJJNJNV+R7/K0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc; bh=Bu6CXM0d9RBpQFSqJhXrd/FAhNr7jhnD1puRbegS0nA=; b=sXQkSTW9jp/2OMj9GOrUnOD5NEYdkFm0RRdMbQ4jobOySWy+uWJDcubHIxssUVEcoo avz5kQ/RX5KsslqSsjX0XzaLHkg2yaqdHDds4D3l9bSwKt/98aTJpq4rnRyQ8nboH44S KfYQuqom8usQTJEnZyFXMbwADfcsGlYC00Sp+yFopSXU2y8+6yYfKUehL9claWo5r4PP xYGWAFKH8VQcQqFJlGKEq1ZvZqg+0ePdgi4+RclWkvFxvhTs2/2KjRBcFh8SJ+Xv0nRi hEXv6TU8lxaW5btsX9uHdJYIQMZUaZJDD3/1sZk6ZrHZFmUqKsC+FL7PNnMpVjbqqsPk JQ+Q==
X-Gm-Message-State: ACgBeo0FMG7ZbbPgweLcxrWreI/0d4x+NjcKLVv5D5cYTXpGfSzcPvuC uzmKDSskpx1miUN31nXIoxS66A==
X-Google-Smtp-Source: AA6agR4ztjUkbkQMenD+bWkMqNxeYqTfHN3yQ6jO5z/B3YfJF3VAq4YEm+T2kcWlzW8caBPnCl//8A==
X-Received: by 2002:a17:907:8a07:b0:731:48ba:792e with SMTP id sc7-20020a1709078a0700b0073148ba792emr12335724ejc.397.1660151878968; Wed, 10 Aug 2022 10:17:58 -0700 (PDT)
Received: from snel ([2a10:3781:276:2:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id o3-20020a170906768300b007304d084c5esm2504977ejm.166.2022.08.10.10.17.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Aug 2022 10:17:58 -0700 (PDT)
Date: Wed, 10 Aug 2022 19:17:56 +0200
From: Job Snijders <job@fastly.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: mlepinski@bbn.com, skent@bbn.com, dkong@bbn.com, aretana.ietf@gmail.com, jgs@juniper.net, andrew-ietf@liquid.tech, morrowc@ops-netman.net, sandy@tislabs.com, sidr@ietf.org
Message-ID: <YvPoRJ3pK3KTyc4g@snel>
References: <20220810144136.990619606E@rfcpa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20220810144136.990619606E@rfcpa.amsl.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/RZ0fhVY2F4BMozorw_jI4p9pTfE>
Subject: Re: [sidr] [Technical Errata Reported] RFC6482 (7079)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2022 17:18:05 -0000

Hi all,

To add a small datapoint: not a single one of the Internet's 124,647
ROAs (discoverable today through the 5 RIR TALs) carries the AS
Resources extension in the ROA EE certificate. This means that all
current CA implementations deployed in the field omit this extension.

I submitted this report in spirit of a similar issue (described in
Errata #3166 https://www.rfc-editor.org/errata/eid3166)

Kind regards,

Job

On Wed, Aug 10, 2022 at 07:41:36AM -0700, RFC Errata System wrote:
> The following errata report has been submitted for RFC6482,
> "A Profile for Route Origin Authorizations (ROAs)".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7079
> 
> --------------------------------------
> Type: Technical
> Reported by: Job Snijders <job@fastly.com>
> 
> Section: 4
> 
> Original Text
> -------------
>    Before a relying party can use a ROA to validate a routing
>    announcement, the relying party MUST first validate the ROA.  To
>    validate a ROA, the relying party MUST perform all the validation
>    checks specified in [RFC6488] as well as the following additional
>    ROA-specific validation step.
> 
>    o  The IP address delegation extension [RFC3779] is present in the
>       end-entity (EE) certificate (contained within the ROA), and each
>       IP address prefix(es) in the ROA is contained within the set of IP
>       addresses specified by the EE certificate's IP address delegation
>       extension.
> 
> Corrected Text
> --------------
>    Before a relying party can use a ROA to validate a routing
>    announcement, the relying party MUST first validate the ROA.  To
>    validate a ROA, the relying party MUST perform all the validation
>    checks specified in [RFC6488] as well as the following additional
>    ROA-specific validation step.
> 
>    o  The IP address delegation extension [RFC3779] is present in the
>       end-entity (EE) certificate (contained within the ROA), and each
>       IP address prefix(es) in the ROA is contained within the set of IP
>       addresses specified by the EE certificate's IP address delegation
>       extension.
>    o  The AS Resources extension is not used in Route Origin Authorizations
>       and MUST be omitted.
> 
> Notes
> -----
> The ROA RFC is a bit under-specified compared to other RPKI Signed Object profile definitions. (For example, RFC 8209 § 3.1.3.4 is less ambiguous on the matter of RFC3779 extensions.)
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC6482 (draft-ietf-sidr-roa-format-12)
> --------------------------------------
> Title               : A Profile for Route Origin Authorizations (ROAs)
> Publication Date    : February 2012
> Author(s)           : M. Lepinski, S. Kent, D. Kong
> Category            : PROPOSED STANDARD
> Source              : Secure Inter-Domain Routing
> Area                : Routing
> Stream              : IETF
> Verifying Party     : IESG