IETF Logo Mail Archive

Re: [Sidrops] WGLC - draft-ietf-sidrops-rfc6482bis - ENDS: July 17, 2023 (07/17/2023)

Tim Bruijnzeels <tim@nlnetlabs.nl> Sat, 22 July 2023 18:41 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5530EC1519BA; Sat, 22 Jul 2023 11:41:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PcWJ-C982R3o; Sat, 22 Jul 2023 11:41:22 -0700 (PDT)
Received: from dane.soverin.net (dane.soverin.net [IPv6:2a10:de80:1:4091:b9e9:2218:0:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44E53C15155B; Sat, 22 Jul 2023 11:41:21 -0700 (PDT)
Received: from smtp.soverin.net (c04smtp-lb01.int.sover.in [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by dane.soverin.net (Postfix) with ESMTPS id 4R7Zy64lV1zyTY; Sat, 22 Jul 2023 18:41:18 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.100]) by soverin.net (Postfix) with ESMTPSA id 4R7Zy44j8CzFv; Sat, 22 Jul 2023 18:41:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1690051278; bh=im28XNoFKR6eizKC8EFval7iWw/AYGYYV/mSVkM85g0=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=eWjTpow8oGZ3tMiHS1ejqCFreGRXkhmXn9J3umRLBt0dR6zZCDXsuOaGgV2seoD2p viXmkGQJE6W0AI6yEQCn7X8owiJ8cP/lUnOKSalBXwF1EueCwAAj+S9ktCkD7z0tSs FTng+xCCw7c3dIsHvEm4bK1ZVdfBgCAT0DZBS5xLQ86wk1UkuT7TkPepZUmXTGvaDI /xe48lubDhhKHycGVDDDN14ylxXne4r0/77miZaDYPTvgGbUJXB1jiu6emjCYkHMB4 gBSx3CDcpez6R6PeOmZJzQEp6xoh9wP2bu6kBOPjSDvmImChHhmdCPw79azF0+1V59 oH93qE6yx7oHg==
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
X-Soverin-Authenticated: true
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <CAL9jLabiR0DXhj42M7znNDD=KeMWQin-yO4NoOmD2sKDbqjwfQ@mail.gmail.com>
Date: Sat, 22 Jul 2023 15:41:03 -0300
Cc: Ties de Kock <tdekock@ripe.net>, Job Snijders <job@fastly.com>, Theo Buehler <tb@theobuehler.org>, sidrops-ads@ietf.org, SIDR Operations WG <sidrops@ietf.org>, SIDROps Chairs <sidrops-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <FF4D3669-8FEF-4D34-812D-4E33D760FD0F@nlnetlabs.nl>
References: <CAL9jLaZC0x-JyEU2UvZxedDupUZ1_XzYVuFUnqkoD9Tq-r_9Lg@mail.gmail.com> <CAL9jLaZBXgCNgnwONMq3-djvSniRBpU2U3wjGk1_rKJ4fRe+bg@mail.gmail.com> <ZJvlPr5CKgzgexYv@theobuehler.org> <ZJvrCQKxnwWKTp/y@snel> <CAL9jLaYztNAuyrE+Fm4BJ+YEeUaLXKtrheeQNG5ushmn2K+-5g@mail.gmail.com> <B6CA486C-C78E-460C-A8E8-9F633EED2D09@ripe.net> <CAL9jLabiR0DXhj42M7znNDD=KeMWQin-yO4NoOmD2sKDbqjwfQ@mail.gmail.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
X-CMAE-Score: 0
X-CMAE-Analysis: v=2.4 cv=LJ6gAra9 c=1 sm=1 tr=0 ts=64bc22ce a=Cg07s/Xn6F9ALoBN5rmzVg==:117 a=Cg07s/Xn6F9ALoBN5rmzVg==:17 a=IkcTkHD0fZMA:10 a=pGLkceISAAAA:8 a=qwgrlvfet6HTXQsgbR4A:9 a=QEXdDO2ut3YA:10
X-Cloudmark-Reporter: gROuSvc3thRiTAbZVjLliqiDZZs=
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/3ui0rIboyItC91WhSNI5sLJdSiM>
Subject: Re: [Sidrops] WGLC - draft-ietf-sidrops-rfc6482bis - ENDS: July 17, 2023 (07/17/2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Jul 2023 18:41:26 -0000

Hi

> On 21 Jul 2023, at 22:56, Christopher Morrow <christopher.morrow@gmail.com> wrote:
> 
>> 
>> All ROA’s are republished “regularly” (on average a yearly cycle).
>> 
>> However to get this implemented you would need the installed base of CA software
>> to be updated, then wait for this rollover to happen. If I recall there was nor
>> threat being mitigated here --- I would not do a flag day "to practice" if this
>> is for aesthetic reasons.
> 
> seems fair, yes I agree you'd want to delay until all publishers were updated.
> that's a relatively small field of software and actually a relatively
> small field of users.
> 
> This is some of the same argument about making v6 changes ~15 yrs
> back: "vast install base!!"
> :)
> 
> My point in bringing this up was REALLY:
>  1) if this is causing code complexity and possible mishandling of
> data we should fix it sooner rather than later.
>  2) if there is nothing here but 'ugh I need to test this so I have
> to sort both before compares!' - ok, cool... err, that's light duty as
> a problem
> 
> Ties sounds like they say: "Meh, there is not a PROBLEM, just a
> nice-to-have perhaps"

As a CA implementer... I have no objection to adding ordering when encoding in a future release if it helps some RP implementations.

But I will need a better description of what order to use. I get that RFC 3779 orders by start addresses and puts IPv4 before IPv6. But in this case, there can be multiple prefixes with the same start address, e.g. if both 10.0.0.0/20 and 10.0.0.0/24 are present. It needs to be clear what the tiebreaker is (shorter prefix first or last?).


>> Also, I like order, but is it a 'nice to have' (makes testing and such
>> simpler) or:
>> "boy for reason x, y, z this is actually important there's a ton of
>> complex code to
>>  handle this unordered list and the tech-debit over time would be
>> nice to clean up!"
>> 
>> 
>> In my implementation this check _caused_ additional complexity because of the
>> check that had to be implemented.
> 
> :) ok.
> 
> So, 1 person says: "meh, not important".


I think it's out of scope for this -bis.

Or well... there could be a RECOMMENDED or KINDLY ASKED ;) to order, but if the objective would be to start rejecting unordered ROAs then this is a breaking change. That needs a clearly formulated plan - even if, in this case, we may be able to avoid a version increase because the actual object encoding is not changed. I don't think we can do this as part of the LC of this document. Perhaps a separate document would work, or LC is cancelled for now, and we take the time to discuss.

Speaking for myself on the time to discuss... I had a few moments to reply today, but I won't have time to really think this all through until late August.


Tim

v2.23.0 | Report a Bug | By Email