IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-07.txt

Russ Housley <housley@vigilsec.com> Tue, 24 May 2022 09:56 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 005ABC14F749 for <sidrops@ietfa.amsl.com>; Tue, 24 May 2022 02:56:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7uVA2TWjHoDy for <sidrops@ietfa.amsl.com>; Tue, 24 May 2022 02:56:42 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B9D0C14F727 for <sidrops@ietf.org>; Tue, 24 May 2022 02:56:42 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 1D52316976B; Tue, 24 May 2022 05:56:41 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 0030816976A; Tue, 24 May 2022 05:56:40 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <YoyqLTIG/ZG2LMZa@snel>
Date: Tue, 24 May 2022 05:56:40 -0400
Cc: Theo Buehler <tb@theobuehler.org>, George Michaelson <ggm@algebras.org>, Ben Maddison <benm@workonline.africa>, Randy Bush <randy@psg.com>, SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D8141C29-3470-4652-BF59-BE57DEA52806@vigilsec.com>
References: <m2o7ztfe4d.wl-randy@psg.com> <20220520012253.zu4abj7kotvg3m3z@benm-laptop> <80AD7E72-1F42-4314-B0A8-69819904F2EB@vigilsec.com> <20220520135826.23h6eaurre7zvqxs@benm-laptop> <17C2DA7E-A5CB-49EE-8148-FB223A12D992@vigilsec.com> <CAKr6gn1vcma0=2v4k9i+i6C3Z4odx5A=vn+yFVQZJVkFicZwRA@mail.gmail.com> <YovdiIzWJ1Cw3QUO@snel> <F51216BA-1556-4441-8048-7B0258F0F959@vigilsec.com> <YoycSh4wUtbjP7E5@theobuehler.org> <F5B89898-C00D-4371-B2E4-B5AE9407B8D8@vigilsec.com> <YoyqLTIG/ZG2LMZa@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/2PJVN4cUzs9BE5qQHNDlg3AIZ_I>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-07.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2022 09:56:44 -0000


> On May 24, 2022, at 5:49 AM, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> On Tue, May 24, 2022 at 05:28:38AM -0400, Russ Housley wrote:
>>> What puzzles me about this position is that one can construct exactly
>>> the same argument about 'inherit' or 'rdi'.
>>> 
>>> What is the distinction that makes a decode failure acceptable if an
>>> existing RFC 3779 implementation generates 'inherit' or 'rdi' but
>>> not if it generates a 3-octet value in an addressFamily? Is it
>>> because the latter mistake is somehow smaller and easier to make?
>> 
>> I do not see these as similar situations. RFC 3779 is intended for use
>> in a RPKI certificate, where the is a issuer certificate that one
>> could expect to be readily available for path validation.
>> 
>> Also, RFC 3779 defines:
>> 
>>   IPAddressFamily     ::= SEQUENCE {    -- AFI & optional SAFI --
>>      addressFamily        OCTET STRING (SIZE (2..3)),
>>      ipAddressChoice      IPAddressChoice }
>> 
>>   IPAddressChoice     ::= CHOICE {
>>      inherit              NULL, -- inherit from issuer --
>>      addressesOrRanges    SEQUENCE OF IPAddressOrRange }
>> 
>> This draft proposes:
>> 
>>  ConstrainedIPAddressFamily   ::= SEQUENCE { -- AFI & opt SAFI --
>>   addressFamily        OCTET STRING (SIZE (2)),
>>   ipAddressChoice      SEQUENCE (SIZE(1..MAX)) OF IPAddressOrRange }
>> 
>> When the addressesOrRanges CHOICE is selected, the two would produce
>> the same bits on the wire, except the third octet is not permitted.
> 
> Right, the third octet is not permitted, which is why the RSC ASN.1
> module does not offer space for the third octet to exist.
> 
> If the RSC ASN.1 notation does not offer room for the SAFI octet to
> exist; my expectation is that this in and of itself is an unambigious
> signal to signer/validator implenmenters to not include the SAFI.
> 
> What advantage is there to permitting the third octet to exist on the
> wire (according to RSC ASN.1 module), but subsequently implore upon
> signer and validator implementers to reject RSC objects when the third
> octet is encountered?

If some implementation copies the encodes RFC 3779 bytes that include the 3rd octet, when should the mistake be caught on the receiving side?  Decode failure is what will happen now.  I think checking after decode will be easier to debug and correct.

Russ

v2.23.0 | Report a Bug | By Email