IETF Logo Mail Archive

Re: [Sidrops] AD Review of: draft-ietf-sidrops-rfc6482bis - "A Profile for Route Origin Authorizations (ROAs)"

Job Snijders <job@fastly.com> Wed, 20 September 2023 13:53 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2178C15C501 for <sidrops@ietfa.amsl.com>; Wed, 20 Sep 2023 06:53:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vEWI3ARhJenJ for <sidrops@ietfa.amsl.com>; Wed, 20 Sep 2023 06:53:39 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4736DC15155E for <sidrops@ietf.org>; Wed, 20 Sep 2023 06:53:39 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-9a645e54806so875421566b.0 for <sidrops@ietf.org>; Wed, 20 Sep 2023 06:53:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1695218017; x=1695822817; darn=ietf.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=C1ZgPrXXoEtkqYqjwXlFnRcFSxLUNKTZOpSio53jrE8=; b=siWp2FTI+kUoTAdbjt1ds8oQ/W6mWyRje1jmJ3v2dt70KWdCNToX62xVZbS4gC6txR z5hgzeS+KzJ03BX3J8WU6lLeFT/prJEOABjCpxtbl1F7AnsGEvPq8iNt24pqMJgY1Oe3 TWIDbVFt8PClxmIJoaj6zNsEMCkCWFJHBY4WU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695218017; x=1695822817; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=C1ZgPrXXoEtkqYqjwXlFnRcFSxLUNKTZOpSio53jrE8=; b=sR86nHCeusHUyq+HnUR3qArwZpaV/3M954DJ8Pg9aXKr0T6tyvXNfaPKEP9FRHl+SX zqeNwWRhGQzs1tMpkm0bBQ/F4ztSVhrZG2b4O8D2+9HFF/IyiEA3FT1rL8Pek26L6bJR a9c7Q0gTnrtepjb9vctfaSkVwbwnBm9c6/Fi+uVQdqYI6bPgSfoIIV03RyEHw/S4Cm6c AXQBA3bcfiyHZI/E7JBXQ6I5pGP9ejQS2ZGOmWYLFtx0D7u5u4PG/Tdwlcof5QEcMJgs fjLUhK+qbB3SNf7Wuazf/m53OT9Vk0IuVh/Jnfym2MGS+og7tkrvN1qHTwX5dQTb2q+X aF0g==
X-Gm-Message-State: AOJu0Yy19GCdpAeRYET/RKT370ccPV0GMelqhrct1A9l6NFXfaYooYBb cGQKRDHVdzfyl1BG/rZr+9YFgg==
X-Google-Smtp-Source: AGHT+IF3HR1XAFAnVY+ruS+3AoW9KN1/G0+bToY5bKaLFb+V9/tUSX+gJguK0aakjr1m9q8sMfVYUA==
X-Received: by 2002:a17:906:5385:b0:9a5:c9a4:ba1b with SMTP id g5-20020a170906538500b009a5c9a4ba1bmr2068287ejo.8.1695218016991; Wed, 20 Sep 2023 06:53:36 -0700 (PDT)
Received: from snel ([2a10:3781:276:3:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id q21-20020a1709066b1500b0098921e1b064sm9291594ejr.181.2023.09.20.06.53.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Sep 2023 06:53:36 -0700 (PDT)
Date: Wed, 20 Sep 2023 15:53:35 +0200
From: Job Snijders <job@fastly.com>
To: Martin Hoffmann <martin@nlnetlabs.nl>
Cc: Job Snijders <job=40fastly.com@dmarc.ietf.org>, Warren Kumari <warren@kumari.net>, SIDR Operations WG <sidrops@ietf.org>, draft-ietf-sidrops-rfc6482bis@ietf.org
Message-ID: <ZQr5X9B3VdoZVsdf@snel>
References: <CAHw9_iKi5FLrrPW2GX0SJLgWq2g802r0JcsFsbgeYnYxfOigVg@mail.gmail.com> <CAMFGGcALstVA=04kZqoVAZanAKDa0rke=QYOyv2LNsWevLWgqg@mail.gmail.com> <CAHw9_iJJwx3R9AiBcmnST7qtdmSM_WMAtVur2RXH=dsZkFscOg@mail.gmail.com> <ZQrNn4mgpA9vJijj@snel> <20230920131316.080d60b0@glaurung.nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20230920131316.080d60b0@glaurung.nlnetlabs.nl>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/IM6nN598RZCNF3COkG87soaL624>
Subject: Re: [Sidrops] AD Review of: draft-ietf-sidrops-rfc6482bis - "A Profile for Route Origin Authorizations (ROAs)"
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2023 13:53:43 -0000

On Wed, Sep 20, 2023 at 01:13:16PM +0200, Martin Hoffmann wrote:
> Job Snijders wrote:
> > On Sun, Sep 17, 2023 at 10:10:22AM -0700, Warren Kumari wrote:
> > > How about, at the end of "5.  ROA Validation", at the end of:
> > > "Before a relying party can use a ROA to validate a routing
> > > announcement, the relying party MUST first validate the ROA.  To
> > > validate a ROA, the relying party MUST perform all the validation
> > > checks specified in [RFC6488] as well as the following additional
> > > ROA-specific validation steps." you add: "If any of these
> > > constraints fail, the profile is deemed corrupt, and the entire ROA
> > > should be discarded (probably after reporting an error)." or
> > > similar.  
> > 
> > Thank you for the suggestion, how about the following?
> > 
> > https://github.com/job/draft-rfc6482bis/commit/25f14dd674625a4ac526dfcfef26f7345bd10cc1
> 
> I think it still needs to be specified in the validation section
> (because that section claims to exhaustively list all condition for a
> valid ROA) that if any of the requirements given in the Content Type
> section is not met, validation fails.
> 
> This is not obvious to someone with a background in IETF protocols,
> who would rather be inclined to salvage what’s usable.

Did you mean the sentence should be at the bottom of the validation
section? Like so? https://github.com/job/draft-rfc6482bis/commit/b75dbd1f9cb019cec4a88103c6e1c9236743a0f7

Section 5 in its entirety:

-------------
5.  ROA Validation

   Before a relying party can use a ROA to validate a routing
   announcement, the relying party MUST first validate the ROA.  To
   validate a ROA, the relying party MUST perform all the validation
   checks specified in [RFC6488] as well as the following additional
   ROA-specific validation steps:

   *  The IP Address Delegation extension [RFC3779] is present in the
      end-entity (EE) certificate (contained within the ROA), and every
      IP address prefix in the ROA payload is contained within the set
      of IP addresses specified by the EE certificate's IP Address
      Delegation extension.

   *  The EE certificate's IP Address Delegation extension MUST NOT
      contain "inherit" elements described in [RFC3779].

   *  The Autonomous System Identifier Delegation Extension described in
      [RFC3779] is not used in Route Origin Authorizations and MUST NOT
      be present in the EE certificate.

   If any of the above checks fail, the ROA in its entirety MUST be
   considered invalid and an error SHOULD be logged.

6.  Security Considerations
....

--------------

v2.20.3 | Report a Bug | By Email