[Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Was: I-D Action: draft-ietf-sidrops-aspa-profile-21.txt)
Nimrod Levy <nimrodl@gmail.com> Thu, 29 January 2026 13:51 UTC
Return-Path: <nimrodl@gmail.com>
X-Original-To: sidrops@mail2.ietf.org
Delivered-To: sidrops@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id EC68EAEE9550 for <sidrops@mail2.ietf.org>; Thu, 29 Jan 2026 05:51:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 91-ogSSCwmRi for <sidrops@mail2.ietf.org>; Thu, 29 Jan 2026 05:51:52 -0800 (PST)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 387E3AEE9549 for <sidrops@ietf.org>; Thu, 29 Jan 2026 05:51:52 -0800 (PST)
Received: by mail-lf1-x12e.google.com with SMTP id 2adb3069b0e04-59b9fee282dso842016e87.3 for <sidrops@ietf.org>; Thu, 29 Jan 2026 05:51:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1769694711; cv=none; d=google.com; s=arc-20240605; b=W3Rk4+5VBkGX2TdJSHUIlEMH1GNzqZbPr5wExDm/aJRti0alF+0DNIZiECAcslRmQE S7NFih6DpnCSh8o88nImcy7n3fgJz3wL1uJ0Rdtqiax1uzdYYBRw7UItVWptWM9AvEwI avKxq+VGBesjTAGn8lJ3Hzy9aUTN6sdnUUY3WT/jqwoz2PoCfsN9iYHs2WX/8b7f4cE9 ChL2//GSMt6OLwm13+IQaNLVToyRq2YxedVSkOnK3izTIR9OsfH/Q/kJUhsGbzUhy45T LSv7kwAMikMDExc8iMx92D4UqEcnYaF1J+2N60ckrHXHg/d72spPRqOxF/J59fJ0V8qU USaA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=vaNUo5GiM9cw2pXd/js+t2Pg8Vx9McYHpnT188S5Wtg=; fh=7Ls6NSzrTGpjpnkI9GUpJRr/p28ergI0U3zekkalIXs=; b=BcwjAN3j+vDvvaV4wcMJPDaF9GSFBzAqabNEroDlHxVlfVmZH8/pLObjkwdcPDZ+Pd lRf8wJbnu2uKLG+LZOwBmIVngpL+kfPlBdEeiJR+JKNsm0Vdgx2wvaKeBDBS7RN+OZ7k lyh4x5Uo7+t1KLxQ2la6RLnmJw0n+FnLUdg1wfb+M8GCltVAlo/QaLrDK+3hFAjohE33 s6Y6LGla8IUtNWSvRsyo8RFxe690aGxIIvcZKhvhRfEr4zykW1ocv2vEH8pb24c+Rqsm 2XKu1trflBWknU+slodFsN6xWbzu57XXH8H/gGgIjhx+yL9FBxfXYaeBmUMY0zmgUqsW FfPA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769694711; x=1770299511; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vaNUo5GiM9cw2pXd/js+t2Pg8Vx9McYHpnT188S5Wtg=; b=VZT3FemU+7iCVfXgzucfbjZxSUgLBekUrTvoXfzc/nGP7sjEC8doHgXr1N7bu5es5Z ErUyGGTDxTzjoAzvPZkuF9tRbJCEBaysGBpdPkOWXJskZCtdI+jOR6rmLj5kZtmpZgiz otsXzY9SYf//6oPrDLfmeb6i82jVYxA8/FfWl5yxJG86nnsnD3gQczaOFWXjj4hyTxXI 225FexoRVZYaTXxYxy71gVNbwmL+3foBLDHtN2vqwhLezqB8t8wQgSmK93XlDKeaKV3o dKgr0eyA+qmVRfhHZT6q5a9Rt+Ny9rk28253SU47YmqGuZtvcl4/b3WsoJW51HoueF0C DBog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769694711; x=1770299511; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=vaNUo5GiM9cw2pXd/js+t2Pg8Vx9McYHpnT188S5Wtg=; b=BussZFAOgLkUmUNYc4kaOAWABy219iLsep4UwPxU5mpbv6xmyMmvBD2ViY75BzfsIL 9p+9t4JkYp52QCpSUTEyAoPYoAHnrWZfwL6fRlVXhE3feLcMGI7870ZPo2EWJ1fR8gWL Cj5qC0+l1+O2k8dTDs6UH8IMKc1df4LLqHNc8Eut8MvWLytenK1frLhjNQjrGpup6l+N PCul++tYjDDMJNld/M5J18vKtkPxIv3f2TFKbRspxMeV2MqZ8h2b5Jgh3LSgq3sHOkhQ bcWqrMWSFL2cqhfrKaoAR5XQJb0UprYZCK1ck6lUQ/bp+S3iNBQKbqEZaoyEJRSGUQEM ewVA==
X-Gm-Message-State: AOJu0YxjSgWIcN3UAHQkzaC2tc4pKz2KSMMXLXe+xwaHCO1AyASd863l 1F4dX0e51raqCu+vQ+foYA+o+aXkJMU2m1bp5ka53n+khuSDii9uzirT0/BBIBqpRNT5k8R3OqA I8hHo866Zqs4dtNaudiTsK1IYUTW9Gt3xHA==
X-Gm-Gg: AZuq6aLibQFUQBqpyF0jXTYW6KCPwGJQ+cO78hR6mOobAIIwZfJehDraaLCmTUBxOj4 i4oooVmVyva5l8eJqA+62GObKIcnJhBJfQvMemv3JfCbUpDLmAtyVDfZ/RifKE1/vulef/NvJF9 ZyaoFkIOXHMJEkrTqknVPbLmGve4YxXryARCsTyAmGlaYiNLO2pBV6sgRm/55si3tVEicKuatWa KojT/pruIt3GARUJ2iAg9dwnRAyKYek+q6XIHRzYC7ovNiWR2cJGmz/pkLJzZaMOV6/QfQxj705 ghuY9qdyknvQDIQaY16AM2r28q7I0w==
X-Received: by 2002:a05:6512:616:20b0:59e:49a:1eaf with SMTP id 2adb3069b0e04-59e049a1ee3mr2301785e87.40.1769694710446; Thu, 29 Jan 2026 05:51:50 -0800 (PST)
MIME-Version: 1.0
References: <176856799339.114496.4298005588069734285@dt-datatracker-865585c994-4fgh4> <aXtigbzAz9yImmC9@feather.sobornost.net>
In-Reply-To: <aXtigbzAz9yImmC9@feather.sobornost.net>
From: Nimrod Levy <nimrodl@gmail.com>
Date: Thu, 29 Jan 2026 08:51:37 -0500
X-Gm-Features: AZwV_QiDJWjK9G9iD860RzERPW3p_oghyl3BN-m-Nf1twuLB1_NjTWzrlJg0uiU
Message-ID: <CALTLbCHNS6pFZ-voDNqoACAvEJJ=2uOvf5vKQZ3qz_nn089Ggw@mail.gmail.com>
To: Job Snijders <job@bsd.nl>
Content-Type: multipart/alternative; boundary="00000000000093bf660649872800"
Message-ID-Hash: 7C5TCOY67NMUZPABGBW5IFBVCJ6KQQ5H
X-Message-ID-Hash: 7C5TCOY67NMUZPABGBW5IFBVCJ6KQQ5H
X-MailFrom: nimrodl@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: sidrops@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Was: I-D Action: draft-ietf-sidrops-aspa-profile-21.txt)
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/062KvDvZab0a2lFMmiCkFijGLdM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>
If we go down this path, would it make sense to add a similar constraint (if one does not already exist), that a prefix should not have a ROA specifying both AS0 and another ASN? Nimrod On Thu, Jan 29, 2026 at 8:38 AM Job Snijders <job@bsd.nl> wrote: > Dear all, > > Apparently our attempt at specifying a canonical encoding for ASPA > eContent wasn't _entirely_ successful, please see the following object > decoding. > > > $ rpki-client -f > rpki.ripe.net/repository/DEFAULT/76/9d7cd7-ee63-4886-8fe1-b5ce6b6fd4d1/1/ygtEKAvCPKS208hGgxgvNBoaYpA.asa > File: ygtEKAvCPKS208hGgxgvNBoaYpA.asa (raw, > json) > Hash identifier: > PRA1qTJjgc8ZVUJi9mvFCAL+qKXJHkWZ1Nr5Ustka0M= > Subject key identifier: > CA:0B:44:28:0B:C2:3C:A4:B6:D3:C8:46:83:18:2F:34:1A:1A:62:90 > Certificate issuer: > /CN=e1977859d071f7150837b2acb4353ff33efd831c > Certificate serial: 019BE8C1BFD4ED33FFBFE0409D48662CF8ED > Authority key identifier: > E1:97:78:59:D0:71:F7:15:08:37:B2:AC:B4:35:3F:F3:3E:FD:83:1C > Authority info access: rsync:// > rpki.ripe.net/repository/DEFAULT/4Zd4WdBx9xUIN7KstDU_8z79gxw.cer > Subject info access: rsync:// > rpki.ripe.net/repository/DEFAULT/76/9d7cd7-ee63-4886-8fe1-b5ce6b6fd4d1/1/ygtEKAvCPKS208hGgxgvNBoaYpA.asa > Signing time: Fri 23 Jan 2026 02:49:30 +0000 > ASPA not before: Fri 23 Jan 2026 02:49:30 +0000 > ASPA not after: Thu 01 Jul 2027 00:00:00 +0000 > Customer ASID: 215219 > Providers: AS: 0 > AS: 6939 > Validation: OK > Signature path: rsync:// > rpki.ripe.net/repository/DEFAULT/76/9d7cd7-ee63-4886-8fe1-b5ce6b6fd4d1/1/4Zd4WdBx9xUIN7KstDU_8z79gxw.crl > rsync:// > rpki.ripe.net/repository/DEFAULT/76/9d7cd7-ee63-4886-8fe1-b5ce6b6fd4d1/1/4Zd4WdBx9xUIN7KstDU_8z79gxw.mft > rsync:// > rpki.ripe.net/repository/DEFAULT/4Zd4WdBx9xUIN7KstDU_8z79gxw.cer > rsync:// > rpki.ripe.net/repository/DEFAULT/KpSo3VVK5wEHIJnHC2QHVV3d5mk.crl > rsync:// > rpki.ripe.net/repository/DEFAULT/KpSo3VVK5wEHIJnHC2QHVV3d5mk.mft > rsync:// > rpki.ripe.net/repository/aca/KpSo3VVK5wEHIJnHC2QHVV3d5mk.cer > rsync:// > rpki.ripe.net/repository/aca/7DNNDzoYvgAht7joQih2Qayxcxo.crl > rsync:// > rpki.ripe.net/repository/aca/7DNNDzoYvgAht7joQih2Qayxcxo.mft > rsync:// > rpki.ripe.net/repository/ec334d0f3a18be0021b7b8e842287641acb1731a.cer > rsync:// > rpki.ripe.net/repository/ripe-ncc-ta.crl > rsync:// > rpki.ripe.net/repository/ripe-ncc-ta.mft > rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer > Signature path expires: Fri 30 Jan 2026 02:01:06 +0000 > > What stands out is the "AS: 0" Providers entry mixed with a non-zero > provider. > > When an AS resource holder specifies any non-zero AS as provider IN > ADDITION to specifying AS 0 (zero) as provider, the outcome of the > validation algorithm is as if the "AS 0" provider entry didn't exist. > In other words, the "AS 0" provider entry becomes superfluous in the > presence of any other non-zero provider entries. Right? From that it > follows that issuer implementations should not permit subscribers to > specify AS 0 alongside non-zero provider entries.... > > I propose we add an extra constraint in Section 3.3 > > https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile-21#name-providers > > NEWLY ADDED: > > ------------------------------------------------------------------------------- > > * When multiple providers are listed, each ASID value MUST be a > positive integer. > > > ------------------------------------------------------------------------------- > > What do others think? > > and perhaps draft-ietf-sidrops-8210bis should be updated to align? > > Kind regards, > > Job > > _______________________________________________ > Sidrops mailing list -- sidrops@ietf.org > To unsubscribe send an email to sidrops-leave@ietf.org >
- [Sidrops] Re: I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- [Sidrops] I-D Action: draft-ietf-sidrops-aspa-pro… internet-drafts
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Nimrod Levy
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] AS 0 mixed in ASPA 'providers'? (Was: I… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Tim Bruijnzeels
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Martin Hoffmann
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Tim Bruijnzeels
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Martin Hoffmann
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Ties de Kock
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Ralph Covelli
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Sriram, Kotikalapudi (Fed)
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Sriram, Kotikalapudi (Fed)
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Nick Hilliard
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Nick Hilliard
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Ralph Covelli
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? Martin Hoffmann
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? Martin Hoffmann
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? Claudio Jeker
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? Ralph Covelli