IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

"Lubashev, Igor" <ilubashe@akamai.com> Tue, 28 March 2023 13:55 UTC

Return-Path: <ilubashe@akamai.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6288C14CF15; Tue, 28 Mar 2023 06:55:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bi7u4EIFWDS6; Tue, 28 Mar 2023 06:55:06 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A0EFC14CEFE; Tue, 28 Mar 2023 06:55:06 -0700 (PDT)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 32S9nSdv012239; Tue, 28 Mar 2023 14:54:49 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=RJdA9FauPCK0V60SsPjMewHj14t/D3g0/C3RQclPAug=; b=FDjqUGaRW7MXuGUIBHchEKsJskfAJiYtArwV7VMlVGTooIVZH1U0mxwoTf6KPPd4wkq8 Nt7Y1nyyd14NIN2LX9q7U/vvsWUHknFN+2qjb7NqFh2G9OC3iQji0NJKlfIYPrQi3Pf0 YQxALTmhXBDq25C8xAZ91MfIkSnbeYlsWtTQqB1CqzyJ0VrM5PJn/3wB01nwh7TXEJ6B dqadwAyyfcbGL+YVFP2IFJBzgdTsKkHye+CRkNVO8BzQw/PkMnVI4048QwnmKk9tIzuU 37Ic2Q7KUqd+LHyyHW54CC08SbaNdPaKwoRy6zqjVX3MgiPetXKnQP3v/63z+o3s7rcU jQ==
Received: from prod-mail-ppoint7 (a72-247-45-33.deploy.static.akamaitechnologies.com [72.247.45.33] (may be forged)) by mx0a-00190b01.pphosted.com (PPS) with ESMTPS id 3phsvsxnv1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 28 Mar 2023 14:54:49 +0100
Received: from pps.filterd (prod-mail-ppoint7.akamai.com [127.0.0.1]) by prod-mail-ppoint7.akamai.com (8.17.1.19/8.17.1.19) with ESMTP id 32SCvxKr029178; Tue, 28 Mar 2023 09:54:48 -0400
Received: from email.msg.corp.akamai.com ([172.27.50.200]) by prod-mail-ppoint7.akamai.com (PPS) with ESMTPS id 3phv9yu1js-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 28 Mar 2023 09:54:48 -0400
Received: from ustx2ex-dag4mb3.msg.corp.akamai.com (172.27.50.202) by ustx2ex-dag4mb1.msg.corp.akamai.com (172.27.50.200) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.21; Tue, 28 Mar 2023 08:54:48 -0500
Received: from ustx2ex-dag4mb3.msg.corp.akamai.com ([172.27.50.202]) by ustx2ex-dag4mb3.msg.corp.akamai.com ([172.27.50.202]) with mapi id 15.02.1118.021; Tue, 28 Mar 2023 06:54:48 -0700
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: Claudio Jeker <cjeker@diehard.n-r-g.com>, Ben Maddison <benm@workonline.africa>
CC: Aftab Siddiqui <me@aftabsiddiqui.com>, Job Snijders <job=40fastly.com@dmarc.ietf.org>, Amreesh Phokeer <phokeer=40isoc.org@dmarc.ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, Aftab Siddiqui <Siddiqui@isoc.org>, Max Stucchi <stucchi@isoc.org>, Hanna Kreitem <Kreitem@isoc.org>
Thread-Topic: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
Thread-Index: AQHZXYjPNJLZt5LW/keL30gQG63u3q8I2uQAgACwe4CABZLvgIABPqEAgAADL4D//9rK4A==
Date: Tue, 28 Mar 2023 13:54:47 +0000
Message-ID: <69e6a0b608b848e8840dd26584c9d682@akamai.com>
References: <SJ0PR06MB7677230255CC9134CAF94E98D6879@SJ0PR06MB7677.namprd06.prod.outlook.com> <ZBxcTHebGjhJGpzh@snel> <CAB5NZESXFF68ez7NwK6s3hqYY6ChkHyu_r8jPggO3ysHQB0emA@mail.gmail.com> <ZCGdV7KRNMfaEUd9@diehard.n-r-g.com> <20230328084312.zfj2j2qaa24w5wt5@iolcus> <ZCKrS8AamnpQTmnP@diehard.n-r-g.com>
In-Reply-To: <ZCKrS8AamnpQTmnP@diehard.n-r-g.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.27.164.43]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-24_11,2023-03-28_02,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 malwarescore=0 bulkscore=0 suspectscore=0 spamscore=0 mlxlogscore=793 phishscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303200000 definitions=main-2303280109
X-Proofpoint-ORIG-GUID: SGB2E7upTjKtd36hR_yVOVzU4t0R5oJV
X-Proofpoint-GUID: SGB2E7upTjKtd36hR_yVOVzU4t0R5oJV
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-24_11,2023-03-28_02,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 lowpriorityscore=0 mlxlogscore=729 clxscore=1011 mlxscore=0 adultscore=0 phishscore=0 suspectscore=0 priorityscore=1501 bulkscore=0 malwarescore=0 impostorscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303200000 definitions=main-2303280110
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/0_anL6ZCArTxIYRRcBCFZZnuclE>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 13:55:09 -0000

On Tuesday, March 28, 2023 4:55 AM, Claudio Jeker wrote:
> On Tue, Mar 28, 2023 at 05:43:12PM +0900, Ben Maddison wrote:
> > Hi all,
> >
> > On 03/27, Claudio Jeker wrote:
> > > On Fri, Mar 24, 2023 at 11:35:35AM +1100, Aftab Siddiqui wrote:
> > > > Hi Job,
> > > >
> > > >
> > > > >
> > > > > >      *   To make it clear “AS 0 ASPA MUST only have AS 0 as Provider
> > > > > >          AS”, it doesn’t clearly mention that “normal” ASPA (non AS 0
> > > > > >          ASPA) MUST NOT have AS 0 in the Provider AS.
> > > > > >      *   In the absence of point ‘b’ what if AS 0 is added as Provider
> > > > > >          AS in the ‘normal’ ASPA?
> > > > >
> > > > > I'm a bit unclear on what is meant with the above two points, can you
> > > > > further clarify?
> > > > >
> > > >
> > > > As per the definition "An ASPA object showing only AS 0 as a provider
> AS is
> > > > referred to as an AS0 ASPA." i.e. {CAS, AS(0)}
> > > > Any ASPA which is not "AS 0 ASPA" is referred to in the draft as "normal
> > > > ASPA" but it doesn't say that normal ASPA can't have AS 0 in the
> provider
> > > > AS. i.e. {CAS, AS(139038), AS(0)}. Yes, there is no reason to have AS 0 in
> > > > the provider AS but make it clear in the draft.
> > >
> > > Adding AS0 to any ASPA object with other ASID in the SPAS is not altering
> > > the outcome. {CAS, [AS(139038), AS(0)]} and {CAS, [AS(139038)]} are
> > > equivalent. The big unsolved question is if the profile spec should limit
> > > this alternative encoding (with the RP software enforcing that MUST).
> >
> > This point is key. Disallowing AS0 in PAS, other than in the case that
> > it is the only item doesn't actually change any behaviour or fix
> > anything.
> >
> > The only benefit that I can see is that we guarantee a single canonical
> > representation.
> >
> > Enforcing this in the ASN.1 of the profile can (I think) be done, but
> > would significantly complicate the module. I'm not convinced this is a
> > price worth paying.
> >
> > I do not think that we should introduce new normative restrictions that
> > are *not* described by the ASN.1.
> 
> But in general non-canonical forms are a big issue when it comes to X.509
> since it results in unequal objects that result in the same effect.
> I'm not sure if this will affect the security or not.
> 
> For the providerAS sequence there are already constrains in place:
>     * The CustomerASID value MUST NOT appear in any providerASID field.
>     * The elements of providers MUST be ordered in ascending numerical
> order
>       by the value of the providerASID field.
>     * Each value of providerASID MUST be unique (with respect to the other
>       elements of providers).
> 
> Especially number 2 and 3 make verification that AS 0 is the only element in
> the sequence fairly trivial. So adding an extra bit for AS 0 should not be
> that complex.
> 
> --
> :wq Claudio

I also think that it is best to have a single valid representation for a Provider ASN list -- it makes it easier to compare ASPA Objects and reduces the chances for implementation mistakes.

However, since the purpose of any specification is providing clarity to ensure interoperability, making it explicit whether AS0 is allowed in multi-element ASN lists is most important.  The actual decision is a secondary concern.

- Igor

v2.23.0 | Report a Bug | By Email