Re: [sidr] Eric Rescorla's No Objection on draft-ietf-sidr-slurm-07: (with COMMENT)

Di Ma <> Fri, 06 April 2018 14:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4BA591270AE for <>; Fri, 6 Apr 2018 07:20:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kGNyrtlGkVB1 for <>; Fri, 6 Apr 2018 07:20:45 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9171D1201FA for <>; Fri, 6 Apr 2018 07:20:44 -0700 (PDT)
X-QQ-mid: bizesmtp16t1523024377tleov3lb
Received: from [] (unknown []) by (ESMTP) with id ; Fri, 06 Apr 2018 22:19:36 +0800 (CST)
X-QQ-SSF: 00400000002000F0FH40B00A0000000
X-QQ-FEAT: 9MsTBLS6yXGj+PsKdj6vBAmVux/EjqH0Dwa/CsyXZQG5qFFBwBUixZpFZ7pAE Y7o2WXuRoy7H04jsGEJD/5DVTwOxtugAeFpFykJ1JP3HCCqyY4oqxYPkoYknWj0hTiwnasP yMhgKS3XZpFhm0KW2Ax2r8QQ3m8xbBI1tbAuLLuNEJzEExYLUYrO3mvSz8jwCYsODZoXJC7 sFVdI6DdClBq1Rc6q0E/4E5zlZPjZnlrXkX56O0agBnaxFGEUjsxBOjYzBSMcrOImod1mrh SKo2qdOPS+q6Eyx6SSwIHQyCkLZFrKr2fdMSRyp4PEqvDYqTTo5YS/bkM=
X-QQ-GoodBg: 2
Content-Type: text/plain; charset=gb2312
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Di Ma <>
In-Reply-To: <>
Date: Fri, 6 Apr 2018 22:19:14 +0800
Cc: The IESG <>,,,,
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Eric Rescorla <>
X-Mailer: Apple Mail (2.3445.5.20)
X-QQ-Bgrelay: 1
Archived-At: <>
Subject: Re: [sidr] Eric Rescorla's No Objection on draft-ietf-sidr-slurm-07: (with COMMENT)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 06 Apr 2018 14:20:50 -0000


Thanks very much for your comments.

Please see authors' responses in lines.

> 在 2018年4月3日,00:56,Eric Rescorla <> 写道:
> Eric Rescorla has entered the following ballot position for
> draft-ietf-sidr-slurm-07: No Objection
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> Please refer to
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
>   path of a BGP route.  However, ISPs may want to establish a local
>   view of the RPKI to control its own network while making use of RPKI
>   data.  The mechanisms described in this document provide a simple way
> Nit: their network
>   the information expressed via putative Trust Anchor(TA) and the
>   certificates downloaded from the RPKI repository system.  For
>   instances, [RFC6491] recommends the creation of ROAs that would
> I don't really understand this sentence. Why “putatve"

We authors will go with “configured Trust Anchor(s) (TAs)”

>   operators are hereby called Simplified Local internet nUmber Resource
>   Management with the RPKI (SLURM).
> It would help here to say that this includes filtering.

We will make changes as follows:

  This motivates creation of mechanisms that enable a network operator to
  publish a variant of RPKI hierarchy (for its own use and that of its customers)
  at its discretion.

  This motivates creation of mechanisms that enable a network operator to
  publish exception to the RPKI in the form of filters and additions (for its own
  use and that of its customers) at its discretion.

>   In general, the primary output of an RP is the data it sends to
>   routers over the rpki-rtr protocol.  The rpki-rtr protocol enables
>   routers to query an RP for all assertions it knows about (Reset
> citation for rpki-rtr plese.


>   members that are not defined here MUST NOT be used in SLURM Files.
>   An RP MUST consider any deviations from the specification an error.
>   Future additions to the specifications in this document MUST use an
> Nit: errors.


>   acceptable.  Each "slurmTarget" element contains merely one "asn" or
>   one "hostname".  An explanatory "comment" MAY be included in each
>   "slurmTarget" element so that it can be shown to users of the RP
> Is this exclusive or?
>   Emergency Response Team Coordination, the SLURM file source may
>   generate a SLURM file that is to be applied to only one specific RP.
>   This file can take advantage of the "target" element to restrict the
> I am having trouble reading this sentence. Can you please rephrase.

We authors have decided to drop slurmTarget element.

>   [RFC6487].  This is the value of the ASN.1 OCTET STRING without the
>   ASN.1 tag or length fields.
> IMPORTANT: There is an opportunity for ambiguity here in case the SPKI was not
> DER-encoded. I assume you mean this must be taken directly from the cert?

Good point. 

We will say in next version:

The Router SKI is the Base64 encoding without trailing ‘=‘ (Section 5 of RFC4648 ) of the certificate’s Subject Public Key as described in Section 4.8.2. of RFC6487. 

The Router Public Key is router public key’s subjectPublicKeyInfo value, as described in RFC8208. This is the full ASN.1 DER encoding of the subjectPublicKeyInfo, including the ASN.1 tag and length values of the subjectPublicKeyInfo SEQUENCE.

>   The following JSON structure represents an array of
>   "prefixAssertions" with an element for each use case listed above:
> I guess that the semantics here are obvious, but perhaps you could state them
> explicitly, given that this is actually not exactly the same as an ROA.


And we will update JSON related content throughout this draft based on your suggestion together with Adam’s. 

> 3.5.2.  BGPsec Assertions
> IMPORTANT: It seems even less obvious what the semantics are here for injecting
> BGPSec assertions. How do you reconstruct the BGPSec data.

We will make changes as follows:

  Each RP is locally configured with a (possibly empty) array of BGPsec
  Assertions.  This array is added to the RP's output.

  Each RP is locally configured with a (possibly empty) array of BGPsec
  Assertions.  Each BGPSec Assertion contains the same data that would
  otherwise be extracted from a BGPSect Router Certificate [RFC8209]
  and communicated in the RPKI to Router Protocol version 1 protocol

>          contained by any prefix in any <prefixAssertions> or
>          <prefixFilters> in file Z.
> OK, so you are going to error out even if there are assertions which are
> identical?

Duplicate assertions are idempotent, but the RPKI to Router Protocol
explicitly filters out duplicates in the communication with the router.