Re: [sidr] [Technical Errata Reported] RFC6482 (7079)

Randy Bush <randy@psg.com> Wed, 10 August 2022 16:48 UTC

Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00E0DC14F74B; Wed, 10 Aug 2022 09:48:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5c351dsRkq3F; Wed, 10 Aug 2022 09:48:44 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73D6FC14F742; Wed, 10 Aug 2022 09:48:44 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.93) (envelope-from <randy@psg.com>) id 1oLosm-0010X3-V0; Wed, 10 Aug 2022 16:48:37 +0000
Date: Wed, 10 Aug 2022 09:48:35 -0700
Message-ID: <m24jykt57g.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: mlepinski@bbn.com, skent@bbn.com, dkong@bbn.com, aretana.ietf@gmail.com, jgs@juniper.net, andrew-ietf@liquid.tech, morrowc@ops-netman.net, sandy@tislabs.com, job@fastly.com, sidr@ietf.org
In-Reply-To: <20220810144136.990619606E@rfcpa.amsl.com>
References: <20220810144136.990619606E@rfcpa.amsl.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/zmkbkQQVrCjGOCm1sakvG0vJNAM>
Subject: Re: [sidr] [Technical Errata Reported] RFC6482 (7079)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2022 16:48:45 -0000

> Original Text
> -------------
>    Before a relying party can use a ROA to validate a routing
>    announcement, the relying party MUST first validate the ROA.  To
>    validate a ROA, the relying party MUST perform all the validation
>    checks specified in [RFC6488] as well as the following additional
>    ROA-specific validation step.
> 
>    o  The IP address delegation extension [RFC3779] is present in the
>       end-entity (EE) certificate (contained within the ROA), and each
>       IP address prefix(es) in the ROA is contained within the set of IP
>       addresses specified by the EE certificate's IP address delegation
>       extension.
> 
> Corrected Text
> --------------
>    Before a relying party can use a ROA to validate a routing
>    announcement, the relying party MUST first validate the ROA.  To
>    validate a ROA, the relying party MUST perform all the validation
>    checks specified in [RFC6488] as well as the following additional
>    ROA-specific validation step.
> 
>    o  The IP address delegation extension [RFC3779] is present in the
>       end-entity (EE) certificate (contained within the ROA), and each
>       IP address prefix(es) in the ROA is contained within the set of IP
>       addresses specified by the EE certificate's IP address delegation
>       extension.
>    o  The AS Resources extension is not used in Route Origin Authorizations
>       and MUST be omitted.

while i agree with the sentiment, to this amateur, this smells more like
a bit more of a change than an erratum.

randy