Re: [Sidrops] adopt draft-ymbk-sidrops-rpki-has-no-identity please

Ben Maddison <benm@workonline.africa> Wed, 24 March 2021 07:15 UTC

Date: Wed, 24 Mar 2021 09:15:10 +0200
From: Ben Maddison <benm@workonline.africa>
To: Mikael Abrahamsson <swmike=40swm.pp.se@dmarc.ietf.org>
Cc: Randy Bush <randy@psg.com>, SIDR Operations WG <sidrops@ietf.org>, George Michaelson <ggm@algebras.org>
Message-ID: <20210324071510.yamkwi3yx5aeo7na@benm-laptop>
In-Reply-To: <alpine.DEB.2.20.2103240715470.21528@uplift.swm.pp.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/93mFbfcBFfngb90MGeR7VaAD28g>

On 03/24, Mikael Abrahamsson wrote:
> On Tue, 23 Mar 2021, Randy Bush wrote:
> 
> > from the sec cons
> > 
> >    When a document is signed with the private key associated with a
> >    RPKI certificate, the signer is speaking for the INRs, the IP
> >    address space and Autonomous System (AS) numbers, in the
> >    certificate.  This is not an identity; this is an authorization.
> 
> Agreed.
> 
> Are you opposing the use of RPKI for signing LOAs, because I don't see the
> document affecting the use of RPKI for RSC for signing LOAs.
> 
> The document says it doesn't prove identity. Correct. We all seem to agree
> on that. Now what?
> 
Yup, I certainly agree with that.

I also agree that the LOA use-case for RTA/RSC is fundamentally no
different from the semantics of 6811.

However, "strongly defined" objects (ROAs, GBRs, ASPAs, etc) ship with
well specified semantics, which can be (are) sanity checked by the
originating WG during standardisation.

The difference, for me, and why I think that a document spelling out
what is and is not a suitable use of the RPKI is a good idea, is that
RTA/RSC-style objects give issuers free rein to invent new semantics on
the fly, including ones with bogus trust semantics (like Randy's EFT
authorization).

People will always be able to trip over their own feet using tools like
these, but spelling out what is and is not a good idea seems to be a
useful community service.

I don't think that the document currently does a particularly good job of
articulating this distinction. But I do think that it should be adopted
so that the shortcomings can be fixed by the WG.

Cheers,

Ben