Re: [Sidrops] WG-ADOPTION: draft-borchert-sidrops-rpki-state-unverified-01 - ENDS: 2019-03-12 (mar 12)

Jeffrey Haas <jhaas@pfrc.org> Wed, 27 February 2019 22:29 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA72C131197 for <sidrops@ietfa.amsl.com>; Wed, 27 Feb 2019 14:29:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j7AdrIhH_FTI for <sidrops@ietfa.amsl.com>; Wed, 27 Feb 2019 14:29:19 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 6D189131180 for <sidrops@ietf.org>; Wed, 27 Feb 2019 14:29:19 -0800 (PST)
Received: by slice.pfrc.org (Postfix, from userid 1001) id C63C41E2D8; Wed, 27 Feb 2019 17:28:26 -0500 (EST)
Date: Wed, 27 Feb 2019 17:28:26 -0500
From: Jeffrey Haas <jhaas@pfrc.org>
To: Russ Housley <housley@vigilsec.com>
Cc: sidrops@ietf.org
Message-ID: <20190227222826.GA26668@pfrc.org>
References: <m2fts968ei.wl-randy@psg.com> <BD686FC4-58B7-48FC-85EC-EEC5C2F30B53@vigilsec.com> <20190227215142.GB21642@pfrc.org> <3EF81391-A613-4F10-B636-E29ABB5643DA@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3EF81391-A613-4F10-B636-E29ABB5643DA@vigilsec.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/CzxrINCeFzsWgD0mew8XHC9cjv8>
Subject: Re: [Sidrops] WG-ADOPTION: draft-borchert-sidrops-rpki-state-unverified-01 - ENDS: 2019-03-12 (mar 12)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 22:29:22 -0000

On Wed, Feb 27, 2019 at 05:09:14PM -0500, Russ Housley wrote:
> >> This seems to be a proposal for documenting why the marking is something other that valid or invalid.  I can see why a researcher might care about those differences, but I cannot see how an operator would make use of it.  I do not think we should add complexity.
> > 
> > I likely should write more text, but very simply some operators want easy
> > ways to mark that a system that should be expected to do validation has not
> > done so.  The existing tri-state (valid, invalid, not-found) doesn't cover
> > this.
> 
> Please write a little bit more.  What action would be taken in the unverified state that is different from the action taken in the not-found state?

Among other things, not draconically drop things if that's your policy.

not-found says the prefix isn't in the db.
unverified means that the db might be outright down.

How you feel about such things will wildly vary depending on your network
and how much you wear a security hat for your day job.

-- Jeff