Re: [sidr] [Errata Verified] RFC8360 (5638)

Tim Bruijnzeels <tim@nlnetlabs.nl> Thu, 14 February 2019 08:39 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8007B131091; Thu, 14 Feb 2019 00:39:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xbj3UBxLKJ9U; Thu, 14 Feb 2019 00:39:25 -0800 (PST)
Received: from dicht.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18579131055; Thu, 14 Feb 2019 00:39:25 -0800 (PST)
Received: from [IPv6:2a04:b900::1:b9b9:e896:9203:8e3a] (unknown [IPv6:2a04:b900:0:1:b9b9:e896:9203:8e3a]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 3585715E21; Thu, 14 Feb 2019 09:39:22 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=pass (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=pass smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1550133562; bh=4IjEFQBkJ+T1tFt25sxPJ2drLR5+zGwwoAxg8Io8Oxs=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=V20gBcLt35d/sc4TNsxti48omjtH9be/zD0SjVZuK5vuBcyDQBZoZ/SUP6YiHyeTI 3WcpAboyRDMcJpiFOlcxHpF/OtpevPOHX1CbSCMGNxO+VGLlnr+USQRmbBCmsdC1P/ iifu3YPQW+UxmCflBXjQnKENlScKqNKm/7tFS0Rs=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <28B68FF3-EE99-43BA-9CF8-BF73A56F1640@tislabs.com>
Date: Thu, 14 Feb 2019 09:39:21 +0100
Cc: sidr list <sidr@ietf.org>, The IESG <iesg@ietf.org>, Daniel Shaw <daniel@afrinic.net>, "Carlos M. Martinez" <carlos@lacnic.net>, George Michaelson <ggm@apnic.net>, Tim Bruijnzeels <tim@nlnetlabs.nl>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8F9E7B83-9ABE-489B-8038-6586A6EBEAA3@nlnetlabs.nl>
References: <20190213194103.A1B3AB82674@rfc-editor.org> <28B68FF3-EE99-43BA-9CF8-BF73A56F1640@tislabs.com>
To: Sandra Murphy <sandy@tislabs.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/eoVabJOSV1lgEySfhaNJC1Le_p8>
Subject: Re: [sidr] [Errata Verified] RFC8360 (5638)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 08:39:28 -0000

Hi all,

The errata is correct, this is a copy paste error.

There should be no impact on implementation, other than that if the implementation follows the original text strictly it will not work for ASNs on a trust anchor certificate, and if it's changed to follow the corrected text it will work. Mea culpa, I blame my copy/paste skills and replaying short term memory and my intent in proof reading my own bit of text here.

Tim


> On 13 Feb 2019, at 22:36, Sandra Murphy <sandy@tislabs.com> wrote:
> 
> I’d be interested to hear from the implementer(s) of the validation-reconsidered RFC what impact there is in handling this change.
> 
> (I suspect little impact, if any, but it would be very good to hear it from the implementer(s).  Suspicions don’t count for much.)
> 
> —Sandy
> 
>> On Feb 13, 2019, at 2:41 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>> 
>> The following errata report has been verified for RFC8360,
>> "Resource Public Key Infrastructure (RPKI) Validation Reconsidered". 
>> 
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata/eid5638
>> 
>> --------------------------------------
>> Status: Verified
>> Type: Technical
>> 
>> Reported by: Alberto Leiva Popper <ydahhrk@gmail.com>
>> Date Reported: 2019-02-13
>> Verified by: Warren Kumari (Ops AD) (IESG)
>> 
>> Section: 4.2.4.4
>> 
>> Original Text
>> -------------
>>  7.  Compute the VRS-IP and VRS-AS set values as indicated below:
>> 
>>      *  If the IP Address Delegation extension is present in
>>         certificate x and x=1, set the VRS-IP to the resources found
>>         in this extension.
>> 
>>      *  If the IP Address Delegation extension (...)
>> 
>>      *  If the IP Address Delegation extension (...)
>> 
>>      *  If the IP Address Delegation extension is present in
>>         certificate x and x=1, set the VRS-IP to the resources found
>>         in this extension.
>> 
>>      *  If the AS Identifier Delegation extension (...)
>> 
>>      *  If the AS Identifier Delegation extension (...)
>> 
>> Corrected Text
>> --------------
>>  7.  Compute the VRS-IP and VRS-AS set values as indicated below:
>> 
>>      *  If the IP Address Delegation extension is present in
>>         certificate x and x=1, set the VRS-IP to the resources found
>>         in this extension.
>> 
>>      *  If the IP Address Delegation extension (...)
>> 
>>      *  If the IP Address Delegation extension (...)
>> 
>>      *  If the AS Identifier Delegation extension is present in
>>         certificate x and x=1, set the VRS-AS to the resources found
>>         in this extension.
>> 
>>      *  If the AS Identifier Delegation extension (...)
>> 
>>      *  If the AS Identifier Delegation extension (...)
>> 
>> Notes
>> -----
>> There seems to be a copy-paste error.
>> 
>> There are two bullet points explaining the initialization of VRS-IP, and none explaining the initialization of VRS-AS.
>> 
>> All the evidence suggests that the two extensions (IP Address Delegation and AS Identifier Delegation) are meant to be handled similarly, so I believe that the last three bullet points are supposed to perfectly mirror the first three.
>> 
>> --------------------------------------
>> RFC8360 (draft-ietf-sidr-rpki-validation-reconsidered-10)
>> --------------------------------------
>> Title               : Resource Public Key Infrastructure (RPKI) Validation Reconsidered
>> Publication Date    : April 2018
>> Author(s)           : G. Huston, G. Michaelson, C. Martinez, T. Bruijnzeels, A. Newton, D. Shaw
>> Category            : PROPOSED STANDARD
>> Source              : Secure Inter-Domain Routing
>> Area                : Routing
>> Stream              : IETF
>> Verifying Party     : IESG
>> 
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr