IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-profile-15.txt

Ties de Kock <tdekock@ripe.net> Thu, 29 June 2023 10:41 UTC

Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F9CFC14F738 for <sidrops@ietfa.amsl.com>; Thu, 29 Jun 2023 03:41:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YplB_dg_--T5 for <sidrops@ietfa.amsl.com>; Thu, 29 Jun 2023 03:41:23 -0700 (PDT)
Received: from mail-mx-1.ripe.net (mail-mx-1.ripe.net [IPv6:2001:67c:2e8:11::c100:1311]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 013C7C14CF1B for <sidrops@ietf.org>; Thu, 29 Jun 2023 03:41:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Cc:Date:Subject:Mime-Version:Content-Type:Message-Id:From ; bh=WfHcKhJI8PuSGhfCw/tnhknQemClfQEUe6AryHibnRc=; b=jDq3nts8l/XaelKJSeg9sss3 CzWcFpDnpkMJFkQccS9ATW1VRJBYMEqlRyI3KpQSvTtcw1FZ7H9RA+/I9DpBn4gmjiM0UfBDNxs7I ZUzpnyGnAlWHfS06UF6ESmhx8H2icxY2RSJbJ7vxuVAqwKPfOnlKvsTPch3Eog76EeY25obdmgSrM cHhdLVDbr1qSlK6qZlmj2EvYCYCkyUS4Ci3YcGQ8BLG2cv2jYfvH+fnMWK/qMyKpZe3WCjTHSYcIl Y5A9pXC+QoaiOXqNXE7tHiyxJt9HE5GZebSrMoFCOdaEVmQpkHpm0Id52F83qE7b5DxbetwiQHAfC Cei7WsRNCA==;
Received: from bufobufo.ripe.net ([2001:67c:2e8:23::c100:170d]:36046) by mail-mx-1.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <tdekock@ripe.net>) id 1qEp5S-00CFUy-36; Thu, 29 Jun 2023 10:41:18 +0000
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by bufobufo.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <tdekock@ripe.net>) id 1qEp5S-0004aj-2p; Thu, 29 Jun 2023 10:41:18 +0000
From: Ties de Kock <tdekock@ripe.net>
Message-Id: <9A2602AA-8390-4B55-B4AE-A36E1A0B9B22@ripe.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_687FFBC3-F567-411B-8416-D422DCF09C90"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Thu, 29 Jun 2023 12:41:08 +0200
In-Reply-To: <ZJ1cUSRgTohE7Cm9@snel>
Cc: Martin Hoffmann <martin@nlnetlabs.nl>, sidrops@ietf.org
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
References: <168621843689.33017.6897451444105786551@ietfa.amsl.com> <ZIGogKIH4Srb8Nxt@snel> <20230628173307.29fefec2@glaurung.nlnetlabs.nl> <ZJxXjg1NNdgVRP50@snel> <20230629115810.1c65c0c8@glaurung.nlnetlabs.nl> <ZJ1cUSRgTohE7Cm9@snel>
X-Mailer: Apple Mail (2.3731.600.7)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e1e12c20e9286a1f7427bee3814bbbb0a9
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/7PFUmq1tAaHSKhV1kvVLnj5ENEQ>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-profile-15.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2023 10:41:27 -0000

Hi all,

> On 29 Jun 2023, at 12:26, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> Dear Martin,
> 
> On Thu, Jun 29, 2023 at 11:58:10AM +0200, Martin Hoffmann wrote:
>> Job Snijders wrote:
>>> On Wed, Jun 28, 2023 at 05:33:07PM +0200, Martin Hoffmann wrote:
>>> 
>>>> While we are at it, I would like to again raise the suggestion to
>>>> not use a version 1 here but rather stick to 0 and use a different
>>>> content type OID. The older and newer definitions are not
>>>> compatible, so a new OID feels more appropriate than a version
>>>> change.  
>>> 
>>> I can see your argument, but I'm not sure there is clear consensus to
>>> request a fresh content-type OID, and there are counter-arguments too.
>>> 
>>> In the past the ASPA profile definition has been updated without
>>> cranking the version or content-type OID. Some argue we are in a phase
>>> of 'experimentation' (since the internet-draft isn't published as
>>> RFC), where some incompatibility with older revisions of the draft is
>>> to be expected and of no concern.
>> 
>> I’d be okay with leaving the version at 0 and using the current OID as
>> well. The old-format objects will fail to be decoded either way, so it
>> doesn’t really make a difference in practice. Depending on how the
>> parser works, they may be rejected even before you get to the version
>> check, too.
> 
> I agree, only low-level parsers would have a test/branch opportunity to
> jump to a different codepath based on the eContent version number. For
> example in rpki-client higher-level functions are used, causing
> old-format objects to be rejected before you get to the version check.
> https://github.com/openbsd/src/blob/2b5ea97fcaa542de6fb9316d0e7e06767bdf24cd/usr.sbin/rpki-client/aspa.c#L49-L62

But you could test against multiple formats there.

Recall that extremely limited tooling is available for DER in some languages.
> 
>> I’m a bit worried with having version 1 in a newly published standard.
>> It’ll be the only one that does that and it is very easy to miss
>> because it really is just a single digit in the text below the
>> grammar.
> 
> A (somewhat weak) argument could be made that there is some educational
> value using this new object as an opportunity to 'practise' an eContent
> version bump, but since the old-format and new-format structure differ
> so much, the excercise of bumping the eContent version seems of limited
> value.
> 
>> Ask me how I know ...
> 
> hah! :-) If it's any consolation, you weren't the only one.
> 
> I think we are blessed that multiple people are now independently
> producing and validating objects to help each other cross-check.
> 
> Based on the feedback so far (offlist and onlist) I'm inclined to update
> the internet-draft to require the eContent version to 0, and continue to
> use the current OID.

I strongly disagree with reverting the version to 0 w/ the same OID.

We have interoperability and test objects with version 1 at the moment.
Reverting causes churn without clear benefit, and will cause more implementation
complexity for implementations that need to consider the objects that are
effectively deployed in the wild.

More expressions of support of reverting to verion-0-with-differing-schema
on-list would help clarify how strong this support is.

Kind regards,
Ties

v2.23.0 | Report a Bug | By Email