IETF Logo Mail Archive

Re: [Sidrops] Making ASPA AFI-Agnostic - coordination (Was: WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023))

Ties de Kock <tdekock@ripe.net> Wed, 07 June 2023 11:05 UTC

Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03726C151084; Wed, 7 Jun 2023 04:05:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JxNsbVr7O9IE; Wed, 7 Jun 2023 04:05:02 -0700 (PDT)
Received: from mail-mx-1.ripe.net (mail-mx-1.ripe.net [IPv6:2001:67c:2e8:11::c100:1311]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0239C15108A; Wed, 7 Jun 2023 04:05:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Message-Id:Cc:Date:From:Subject:Mime-Version:Content-Type ; bh=90LcbVqcpCfwBAWKb9x7NntOEinFUJQf969NcCsygug=; b=pykPrOAH0zzV487nXkdTmTBt yMqFICsJveCdGw729qF0Sh62iQSM9fI6dQVavn1VEQoYtP418J0DlTSBIFF4aaOvlwJXj0U6NYmDV fxOlG196ezk+7CYG3O5TjE02GeCYg+wmQuI3LDotFpnbEeMEi7nsrUmOVVGSycfcVtZiRJ0teAkKd 4+bmi2hf+FDL0dhPcdEGwFXhlMoa71Tq5BxjzEFLxC7FRx7Bc74+I7vTDkuGvFoaO7mDLAGsmKlSi 3bcKpiRl3Clace0v2c8M2JL7Rf7/6nBkzIatqL+FXzRxzAH+DBjY35/6MgY7rNtWiGpc5ko8cDH78 tG3Q0QuhYg==;
Received: from allealle.ripe.net ([2001:67c:2e8:23::c100:170c]:54792) by mail-mx-1.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <tdekock@ripe.net>) id 1q6qyH-002qYI-17; Wed, 07 Jun 2023 11:04:57 +0000
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by allealle.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <tdekock@ripe.net>) id 1q6qyH-0002GP-0s; Wed, 07 Jun 2023 11:04:57 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Ties de Kock <tdekock@ripe.net>
In-Reply-To: <ZH+hdvAwuZ7nN3vK@snel>
Date: Wed, 07 Jun 2023 13:04:46 +0200
Cc: Christopher Morrow <christopher.morrow@gmail.com>, Martin Hoffmann <martin@nlnetlabs.nl>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, Claudio Jeker <cjeker@diehard.n-r-g.com>, "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-8210bis@ietf.org" <draft-ietf-sidrops-8210bis@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2E12662D-2BF3-468B-9F55-7AB43DE4BA0E@ripe.net>
References: <c62da49ce2a142999260371a0af7b673@akamai.com> <SA1PR09MB81428936A8B2BC30C04C4B2684629@SA1PR09MB8142.namprd09.prod.outlook.com> <88D8A314-0D17-4EA7-9E33-424021AF0FFF@vigilsec.com> <SA1PR09MB814232A57F80E8B92637ABF684639@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142A3F0D8E30F4F154863A084639@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB81427668A874A3EEFDE61DAE846A9@SA1PR09MB8142.namprd09.prod.outlook.com> <20230428100855.3450881e@glaurung.nlnetlabs.nl> <SA1PR09MB8142DA858A2039F2ED7DAD2B846E9@SA1PR09MB8142.namprd09.prod.outlook.com> <20230502124540.6bc662ba@glaurung.nlnetlabs.nl> <CAL9jLaaL2vvRYL6+ftu8vP9fDWWBoF5NFCGGL_nDj+_VSc5E4Q@mail.gmail.com> <ZH+hdvAwuZ7nN3vK@snel>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.600.7)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e1bc01e1119fbdf4dc7d7dbafc7f3d05fb
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/DhhRFBUxTFdcFd7lFkCf-Z_ts9s>
Subject: Re: [Sidrops] Making ASPA AFI-Agnostic - coordination (Was: WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023))
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2023 11:05:07 -0000

Hi Job,

This is a very big last minute change we are proposing. It feels ironic to do
this now given that profile changes last July were “too late”. But better late
than never I guess :).


> On 6 Jun 2023, at 23:13, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> Dear Chris, others,
> 
> Let me start of by responding to "Are there complaints you'd like to
> swing my way? :)" - Quite the opposite! I very much appreciate your
> co-chairing work (and Russ, and Keyur, you all serve as volunteer!).
> Developing an understanding of the movements in the sidrops@ working
> group can take up considerable time and attention: the mailing list is
> very active, and the stakes are high: problems in products produced by
> SIDROPS usually mean problems for the whole Internet.
> 
> On Tue, Jun 06, 2023 at 04:41:07PM -0400, Christopher Morrow wrote:
>> So, first I think we pull this draft back from the edge of publication
>> and address at least one point which seems to have gotten some fair
>> time at the mic:
>> "Should the ASPA content be AFI specific? or AFI Agnostic?"
>> 
>> It seems to me that there are both sides being discussed with what
>> looks like a reasonable end at: "AFI Agnostic please" This makes some
>> sense to me, at least, since generally though we MAY have disjoint
>> (not the same?) forwarding paths for v4/v6 we probably have reasonable
>> ideals that our v4/v6 transit/customer relationships are fairly well
>> aligned. It may be the case that there are folks with this sort of
>> deployment, they should be able to publish correct ASPA records, I
>> believe.
>> 
>> I think a side effect of this decision (AFI agnostic ASAP) is that we
>> need to rethink/redo a bit of 8210bis, which I think was shipped at
>> IESG for publication 'just recently' :(
>> 
>> Does the above make enough sense to roll forward with? :)
> 
> Yes, it does for me. Below is a (perhaps incomplete) todo-list of what
> needs to happen next to swiftly move to AFI-agnostic ASPA. I've taken
> the liberty to assign names to each task (as suggestion... :-)).

For the RIPE NCC, our validation, object signing, web API, and testing setup
need to change. The change will delay our production release significantly (for
v0, our implementation is complete, while the new work needs to be planned).
 
> 
> * draft-ietf-sidrops-aspa-profile needs changes to the ASN.1, the
>  DER-encoded examples, and some blurps of text. As part of this change 
>  the ASPA profile version will be increased to 1 to avoid clashes with
>  existing work. Note: this will be the first Signed Object profile with
>  a explicit non-zero version in the eContent. [JOB]
> 
> * draft-ietf-sidrops-aspa-verification needs changes to align with the
>  new profile. [AZIMOV or SRIRAM?]
> 
> * draft-ietf-sidrops-8210bis-10 needs to be pulled back out of the RFC
>  Editor queue, I suspect that our AD needs to arrange that [WARREN]
> 
> * Either the authors of draft-ietf-sidrops-8210bis-10 (or newly
>  assigned volunteers) need to update the 8210bis specification, taking
>  into account lessons-learned from the 8210bis implementation efforts
>  (StayRTR, OpenBGPD, Routinator, etc).
>  The RTR version number needs to be bumped.
>  I hope Randy and Rob want to continue work on 8210bis, but if not - me
>  and Claudio would be available as co-authors to specify the required
>  changes.
> 
> * Signers need to be updated so RP implementations have something to
>  test against. Tim's earlier work in which he made a test TAL with some
>  test objects was massively helpful.
>   - krill / krill testbed [TIM]
>   - rpkimancer [BEN]
>   - any others?
> 
> * RP implementations with ASPA support need to be updated
>  - rpki-client [JOB]
>  - Routinator [MARTIN]
>  - RPSTIR2 [DIMA]
>  - rpki-prover [MIKHAIL]
>  - others?
> 
> * RTR server implementations need to be updated:
>  - StayRTR [BENCOX or JOB?]
>  - RTRTR [MARTIN]
>  - any others?
> 
> * BGP implementations need to be updated both in RTR handling and in BGP
>  UPDATE verification:
>  - OpenBGPD [CLAUDIO]
>  - BGP-SRx [NIST]
>  - any others? (I am not aware of other BGP implementations with ASPA)
> 
> * Existing deployments need to be updated when the above are completed
>  - YYCIX [JOB]
>  - not aware of any other ASPA-verification deployments
> 
> Did I miss anything in the above?
> 

I think rpki-prover is missing from the list. Furthermore, there are some
private implementations of 8210bis. I agree with Claudio's strong preference
not to complicate version negotiation in the RTR protocol more.

What is also lacking (and does not exist for all objects after ROAs) is a
conformance test cases for the objects. We have recently seen issues where
_valid_ ASPA configurations caused an RP implementation to create broken JSON:
If we want to make changes on a compressed timeline, I think having conformance
tests is key.


Kind regards,
Ties

v2.23.0 | Report a Bug | By Email