IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Thu, 27 April 2023 17:49 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1332C1516FF; Thu, 27 Apr 2023 10:49:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nist.gov
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0QsAxCBVbOvy; Thu, 27 Apr 2023 10:49:33 -0700 (PDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on20711.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d04::711]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3608C1519A0; Thu, 27 Apr 2023 10:49:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kFKiVbHk2ZHloXsEHXFLGZ6xSSeMv+t8hseW5cgVZ5GG3WCe4n+lU4N1OFa3pe3VeLE7wkcOTAeduZfqwjXvJa6ZpkdlrDD4cncPcLmDODfFzn6wKBvo9g9VN9tG91bNomSNIfF7x7p7gRLpBjRRelOCgDgWpMbgzkbgbUydThyO2YnlcqfgZC3atNh4qcDyOZkowvzX9ZvPs36SaTfWM7/XGTLZ2AFZHvm6oG3stW6kkH3c8irEJzxkXDbH8dZs1d4xnD7tuAw+/rAINR043xoQON1F0cZNHwoqyF3vrYBADCmjrdkSo2RqkUc2WkGQ2eIE0wQ4JeJ9uXg4grUeMg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=KnVP/z55n1p/PNPgIK32bXalLJndnqIgpjwUwex98WA=; b=GHFZGth8ux8YiIRRqT4EHKAskmU9h0WepyJAyGPKgRGs7qEqcspm9p68rTiRhg3tXQ6daAeIY+3MD693CclQipivOq1TONzU76eF1+hNpfCqWZg5Ss3NO/P2ZLFx5YiatfMiCu2hogzkp06AKJqs9KsnBG0gJjcWtwDPfMwvc63XfmBmuN212qZ47r5hs1ZbLvogOrdh/l8KMd5Vw1WAbRnELgd7XzfW0j2URvu+caKf7v26M24+GhG7Nibt8TRsTb6KK5U9wdmifRB4iNulQNaUvYs2Jw0JWuW036mFoJdvoRaLRbyBrRia8W7xNJUfd1a2Mqna8Ucmfq5pShJVvA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KnVP/z55n1p/PNPgIK32bXalLJndnqIgpjwUwex98WA=; b=ReHJDRqjWs/6biAaOxC+NdF30XDbHp6LEa9H53JEKvMgdybqFZlXEhCRdb0cFMQ03OpXHirMrgyg638X+gOiGGbCtbB/+DgP1scEIkHx7quZPceihLh5Qh3/xXP9FhbIGlnYGy2608Ex0PIDLAbftho+HcroF6O8W3PPjd7GcMEgDWppChmIy0zTECASKdMkq8WESOJZqjAwllHXI+F8tREn1w8WuWcUjmAMNNtFthj2xUYZSICDM71HH0YO6ccMtf3/Jyqg6K12NbkdCYF6fLdsfS57zFZQYKbUyOtHWVA3E3lXY7mbqylOkBY3Bi4KPVhDNymGwt7P+Ct8BSaOJw==
Received: from SA1PR09MB8142.namprd09.prod.outlook.com (2603:10b6:806:171::8) by SJ0PR09MB9159.namprd09.prod.outlook.com (2603:10b6:a03:462::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6340.23; Thu, 27 Apr 2023 17:49:29 +0000
Received: from SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::226a:790b:a85c:d03e]) by SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::226a:790b:a85c:d03e%6]) with mapi id 15.20.6340.022; Thu, 27 Apr 2023 17:49:29 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Martin Hoffmann <martin@nlnetlabs.nl>
CC: "draft-ietf-sidrops-8210bis@ietf.org" <draft-ietf-sidrops-8210bis@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, Claudio Jeker <cjeker@diehard.n-r-g.com>
Thread-Topic: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
Thread-Index: AQHZUV6mxB5bPFSj10Ch+S0fYxNY/K77vemAgAuycmCAB0/JAIAA8bzMgAAMfviAAPrBAIAANBelgABAVgCAIkGKEIAAs9QAgABXRuCAAB7WQIALAK2n
Date: Thu, 27 Apr 2023 17:49:29 +0000
Message-ID: <SA1PR09MB81427668A874A3EEFDE61DAE846A9@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <SA1PR09MB814241245D01E81BADE3ED0884CF9@SA1PR09MB8142.namprd09.prod.outlook.com> <31FDE1E9-3E87-4011-B65B-C6B3A264303F@vigilsec.com> <SA1PR09MB81427B4A1B126A5D1C1E289C84CF9@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142E41F2D6B537BCAA758F384CC9@SA1PR09MB8142.namprd09.prod.outlook.com> <CAL9jLaYz3OhcwBBcVMqnUseBR9J1ZyktcJo5YLeefQHMoYJu+A@mail.gmail.com> <CAL9jLaZ7eDc+zbhapS8dTYQKnTfgLd=MOPYw97-qcJ4eP6S6Mg@mail.gmail.com> <CAL9jLaYJ4ODfumG9Yk3-yv=_TaTSUeD++U4sGy7S-0xWcGBQPw@mail.gmail.com> <ZBGqSVL9sSqnAiJc@diehard.n-r-g.com> <SA1PR09MB8142E9F71F250B83062C724884869@SA1PR09MB8142.namprd09.prod.outlook.com> <ZCGcYHJ9PyrjgR+V@diehard.n-r-g.com> <SA1PR09MB8142EA7F33880679E9B509D384889@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB81426E1BB66D6DF31860F26984889@SA1PR09MB8142.namprd09.prod.outlook.com> <ed0146b09da346b2b48cb9701240926c@akamai.com> <SA1PR09MB81427D28EF661F9DAB05FB9B84889@SA1PR09MB8142.namprd09.prod.outlook.com> <c62da49ce2a142999260371a0af7b673@akamai.com> <SA1PR09MB81428936A8B2BC30C04C4B2684629@SA1PR09MB8142.namprd09.prod.outlook.com> <88D8A314-0D17-4EA7-9E33-424021AF0FFF@vigilsec.com> <SA1PR09MB814232A57F80E8B92637ABF684639@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142A3F0D8E30F4F154863A084639@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB8142A3F0D8E30F4F154863A084639@SA1PR09MB8142.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR09MB8142:EE_|SJ0PR09MB9159:EE_
x-ms-office365-filtering-correlation-id: e9b780cc-770a-420b-c100-08db4747bff9
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: AUZeuQpkfMrw6nKksinjsYW6A4FRxphbdctHtARMpYPUUd/v6RngWzCM64IfGmuWNufv/bzo1VD3fry3AuYafoXyiOBwpP9iGD/YSgSfbNEH9kqg9dpFV90hqb7wCtCLgOO1VEqKTIiVbKYfDJicob3F7qzDheOL1rdIm3BPza8l7PWVFicAiBttmFzN7PGmzPLh0HfatU+fHav7jpthxNZfBhegSvZLWyHc/KpO4efMDR/cJf5MqdibQ8Mf93FlBLOwOPyr0Ob8PksmoQC32yhLFaweXkWCjQdNWdOYn37C/RASM8BePNsagKCRN2QwqU/f2JC18E4OfVUom9pVjN5QM9wQgeAkTiIeSHLS6psrQQYIluXmSIIfqGDo405I6YEUTZ4gJOEPEWoQoYUmaZ8cZ4eu0tUvEs2CgdYVXQC6QNkP/uNcIq0YWFqubnhz2mZ3BijiDhJrPROGJp9xwyoBKxsHeFA5rCoG7ZsiDC7xW7xCx7b31YgYabAlXn2ZodxxMyIDx2phidxPenaz6AjAw1GEoVNB+3trvNlqGv1z5KwBn01J690v9KhBNVKnNvJyvWrmN7srf35yxNT4npTm/F6MdVIrEuR5cY33C5y714mZbRFbDzbkbr87Q4iW
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA1PR09MB8142.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(366004)(451199021)(71200400001)(7696005)(33656002)(6506007)(9686003)(498600001)(26005)(55016003)(83380400001)(66574015)(4326008)(6916009)(122000001)(86362001)(91956017)(64756008)(66556008)(66946007)(76116006)(66476007)(66446008)(8676002)(8936002)(38070700005)(52536014)(5660300002)(15650500001)(38100700002)(2906002)(54906003)(186003)(82960400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ODt6iRtzCYpKJZpVmNOIgJ2unsSEL0CNLt8YC0t2f+FeDTO+fZAxnC13z49H136QBpAT3q1m/TdCVJYftUdJY2gdfP1vzlRihfXGiqsoP/TK2vnPTpA1NukXxdGzr4b3nUUgR/NampZYSXhlsL147uLoNYiSPIiDvdskyXxSZrmof4cNNJ0/BIxq7WvD5Tx5x+vhmW8E/PspbW+9z16VFlrsnHSy08arOdtQ6Jp4j9noJXk3hcsX4+vjf0HTTSNan5wKmlv4f56Br3xglKgEGLsRPgi/AsyTCbIisCheLI/ut4g8zR7FKK9kKwDLnnmqXen00UUZ12XuzXfDw4vtNCgg4CqBKxQcZIVNsKpx7PVFOh9L5MmkXcoQVOFX8Iw1ke3pohjGQLUvslW+lZ4CU458udSwEeckC72csMxVm7F4GCkjjG8t+4uS0qk3azUrQI8Q1f6mJMy2zKGDeTb6HTgnYZCLHALStH1o6bRJecp5ex39HikpypuVsc/RkkjaawoXlu5b6JwC7A9R93T5t1bLkhZN4k9WeEvFyZHwJGFbM8Vq6i0x1GD5Px1189J2WO+xSMF0W7pB47frpxHqYQGkFsKSU7vjw+GOtbxjwhSWlg2Hf81FbbWqW8EpE5sa/jJz7X9W0s7XcZ9Vw99pOPGClx63iRZHRPe+yQ45OIuBonQSCbZXbfGGRuByU6WiuZokQN363t7holFekQrqmBYFXjWFKrBXDz2vuddAsrQlGvlE33KZNwQvcDtaD7bbNKkFFQ/4bBZQMp7xthcHnMFdd1vttRhogehDt5ycXUTUwETHBDk1TJ39aZJC8clEm+Y0ODuazMxwMkd81sak/aBnMBNhDWvYJjT3J5IFJh+oTpW9yReUwTpE0bK+AbnU+St+WtfG92cuSQPWSYWXA4tN4YLizIL0S37Ea/BQCaiu40QhKqs7Z6Y5Qd3FHzfDx9GKHbnxg6sEXWEFWMhC6CMGkdvDXf9hgjVq/PwdFKGJU0Piki+ElpZogUu9LkdCqmXW/r/ln+wLNe8mIy3sN9GcErhYVN7ggEhM2n82dRgp+gnHmW0xnt2cW2vC/x7DODn0i5S5ayt5RfvsCElb9HDfnaz62h+o4A0xbUzoCFEFIwSS1d8JwKQ0u0uNjzxbOwcLMvtqR4P0+9TLvrp65xEqY0lj1iy9SZvIuQSlM6EKgeXYa276sau6N7fRLbV3aXd0hlzZejzA1ZK/h5CNcxPa1xMHQO8ay9BbxFfZqeNBwPghV0RG+j6V91Le5lR33JtOjg7VEpadTVwaBM66grDCdHwrhS09tzUqnNLtYKI5jdAaI/ltO2zZZYtYB+HDFVHpdF4pN+VbQBg0qsDiMM1IbCeXpNz0mbdNd2gIIoHUMBIICJzn6rWrRGv60+NdQ3UjV2Ma6SXp082kwHaO5kVdAU7d3liOiBeyQvwGBJ+R5tU5Wp0kFMOIDu/GGOynKHh4RHazt9/vynmflx8Ur99pBarPZdOP8t/8OhX4xZ+CqU0LbKQhBR8IfdVuHjuVX7EJEqMJkaP/jNu/ryehtIqVoUyEo77sVe6jppAF+Xk=
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR09MB8142.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e9b780cc-770a-420b-c100-08db4747bff9
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Apr 2023 17:49:29.1639 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR09MB9159
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Ce6Wi0JJmljY5gmE9Mw2XTwRJGU>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2023 17:49:38 -0000

Hi Martin,

>Now, from the split into two documents, I conclude that as someone
>implementing an RPKI relying party software, you aren’t expected to
>read the verfication draft -- and will likely miss this subtlety. So,
>presumably, the conversion rules should be in the profile draft.

We'll make sure that it is clear in the verification draft, and 
also, some sections related to ASPA registration and VAP-SPAS 
creation will be repeated in the profile draft so that 
the latter is self-contained.

Regarding augmentation of VAP-SPAS with AS 0 SPAS for
the case of a CAS that has neglected to include one of the
AFIs in the ASPA, that is a thing that concerns the 
verification algorithm. Keeping that in mind, do you feel that
it might be OK if we simply take care of it on the router side
after the RTR ASPA PDUs have been received? Details follow.

That is, we do not worry about the augmentation when
the RTR cache server creates and sends the ASPA PDUs.
Instead, after all the RTR PDUs have been received,
any need for augmentation of the AS 0 SPAS (mentioned above) 
will be handled only on the router side.

Now there are two ways:

1. From the RTR PDUs, create a single VAP-SPAS table as follows: 

Col 1                  Col 2                                 Col 3
CAS       VAPS-SPAS for AFI=1       VAPS-SPAS for AFI=2

Either Col 2 or Col 3 entry may be empty in the scenarios when
an AFI has been neglected by a CAS in its ASPA.

This single table works just fine for the computation of the hop(...)
function in Section 5.

2. From the RTR PDUs (not augmented), create two VAP-SPAS tables 
one per AFI. Now the need for the augmentation may arise.
If there is a CAS in Table 1 (corresponding to AFI = 1) that 
does not show in Table 2 (corresponding to AFI = 2), then
that CAS is augmented in Table 2 with AS 0 SPAS, and vice-versa.

We can mention both of the above approaches as example
ways of implementation that would enable the path verification
algorithm to work correctly. We can include these descriptions
in both drafts so everyone one is well informed whether they read
only the profile draft or both.

Does this seem acceptable?

If not, then we need to talk about changing the processing
on the RTR cache server side or changing the RTR ASPA PDU format
(like what Claudio has been talking about). That would call
for a change in 8210-bis. 

Thank you.

Sriram

============================
Hi Sriram,

my apologies for continuously beating the same drum, but I am not sure
I can accept that the draft is quietly ignoring the different data
structure in RTR. Specifically, I just realized that I may or may not
have implemented the conversion from ASPA objects to RTR payload
wrongly in Routinator.

If for a given customer AS there are no provider AS for a requested
address family but there are for the other address family, the hop
function will result ‘no providers+’ rather than ‘no attestation.’
If the verification algorithm is implemented on individual per-family
provider sets, this means the provider set for that address family is
basically an AS0-only set.

Consequently, when transforming the provider set from an ASPA object
into its RTR payload, an AS0-only PDU should probably be added for a
customer AS that if the provider set for an address family turns out to
be empty. Otherwise a router keeping separate tables has to consult the
table for the other family any time there is no entry for a given
customer AS and that rather defeats the purpose.

Now, from the split into two documents, I conclude that as someone
implementing an RPKI relying party software, you aren’t expected to
read the verfication draft -- and will likely miss this subtlety. So,
presumably, the conversion rules should be in the profile draft.

But similarly, someone who only implements validation in a router and
starts out with the RTR payload data will be confused by the validation
algorithm working with something completely different. There’s a good
chance there are subtle and unexpected consequences there, too.

I feel that if we keep describing the validation algorithm in its
current form, the conversions should be addressed explicitly so that
it is clear how may ASPA RTR PDUs will there be for a given customer
AS, what will be in a provider AS set in each, and what that means for
the validation algorithm.

  -- Martin

v2.23.0 | Report a Bug | By Email