[Sidrops] Making ASPA AFI-Agnostic - coordination (Was: WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023))

Job Snijders <job@fastly.com> Tue, 06 June 2023 21:14 UTC

Date: Tue, 06 Jun 2023 23:13:26 +0200
From: Job Snijders <job@fastly.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
Cc: Martin Hoffmann <martin@nlnetlabs.nl>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, Claudio Jeker <cjeker@diehard.n-r-g.com>, "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-8210bis@ietf.org" <draft-ietf-sidrops-8210bis@ietf.org>
Message-ID: <ZH+hdvAwuZ7nN3vK@snel>
References: <c62da49ce2a142999260371a0af7b673@akamai.com> <SA1PR09MB81428936A8B2BC30C04C4B2684629@SA1PR09MB8142.namprd09.prod.outlook.com> <88D8A314-0D17-4EA7-9E33-424021AF0FFF@vigilsec.com> <SA1PR09MB814232A57F80E8B92637ABF684639@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142A3F0D8E30F4F154863A084639@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB81427668A874A3EEFDE61DAE846A9@SA1PR09MB8142.namprd09.prod.outlook.com> <20230428100855.3450881e@glaurung.nlnetlabs.nl> <SA1PR09MB8142DA858A2039F2ED7DAD2B846E9@SA1PR09MB8142.namprd09.prod.outlook.com> <20230502124540.6bc662ba@glaurung.nlnetlabs.nl> <CAL9jLaaL2vvRYL6+ftu8vP9fDWWBoF5NFCGGL_nDj+_VSc5E4Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/KFWoy6tzG8d3JpozLPe1m6GniEg>

Dear Chris, others,

Let me start off by responding to "Are there complaints you'd like to
swing my way? :)" - Quite the opposite! I very much appreciate your
co-chairing work (and Russ, and Keyur, you all serve as volunteers!).
Developing an understanding of the movements in the sidrops@ working
group can take up considerable time and attention: the mailing list is
very active, and the stakes are high: problems in products produced by
SIDROPS usually mean problems for the whole Internet.

On Tue, Jun 06, 2023 at 04:41:07PM -0400, Christopher Morrow wrote:
> So, first I think we pull this draft back from the edge of publication
> and address at least one point which seems to have gotten some fair
> time at the mic:
> "Should the ASPA content be AFI specific? or AFI Agnostic?"
> 
> It seems to me that there are both sides being discussed with what
> looks like a reasonable end at: "AFI Agnostic please" This makes some
> sense to me, at least, since generally though we MAY have disjoint
> (not the same?) forwarding paths for v4/v6 we probably have reasonable
> ideals that our v4/v6 transit/customer relationships are fairly well
> aligned. It may be the case that there are folks with this sort of
> deployment, they should be able to publish correct ASPA records, I
> believe.
> 
> I think a side effect of this decision (AFI agnostic ASPA) is that we
> need to rethink/redo a bit of 8210bis, which I think was shipped at
> IESG for publication 'just recently' :(
> 
> Does the above make enough sense to roll forward with? :)

Yes, it does for me. Below is a (perhaps incomplete) todo-list of what
needs to happen next to swiftly move to AFI-agnostic ASPA. I've taken
the liberty to assign names to each task (as suggestion... :-)).

* draft-ietf-sidrops-aspa-profile needs changes to the ASN.1, the
  DER-encoded examples, and some blurbs of text. As part of this change
  the ASPA profile version will be increased to 1 to avoid clashes with
  existing work. Note: this will be the first Signed Object profile with
  an explicit non-zero version in the eContent. [JOB]

* draft-ietf-sidrops-aspa-verification needs changes to align with the
  new profile. [AZIMOV or SRIRAM?]

* draft-ietf-sidrops-8210bis-10 needs to be pulled back out of the RFC
  Editor queue; I suspect that our AD needs to arrange that. [WARREN]

* Either the authors of draft-ietf-sidrops-8210bis-10 (or newly
  assigned volunteers) need to update the 8210bis specification, taking
  into account lessons-learned from the 8210bis implementation efforts
  (StayRTR, OpenBGPD, Routinator, etc).
  The RTR version number needs to be bumped.
  I hope Randy and Rob want to continue work on 8210bis, but if not,
  Claudio and I would be available as co-authors to specify the required
  changes.

* Signers need to be updated so RP implementations have something to
  test against. Tim's earlier work in which he made a test TAL with some
  test objects was massively helpful.
   - krill / krill testbed [TIM]
   - rpkimancer [BEN]
   - any others?

* RP implementations with ASPA support need to be updated
  - rpki-client [JOB]
  - Routinator [MARTIN]
  - RPSTIR2 [DIMA]
  - rpki-prover [MIKHAIL]
  - others?

* RTR server implementations need to be updated:
  - StayRTR [BENCOX or JOB?]
  - RTRTR [MARTIN]
  - any others?

* BGP implementations need to be updated both in RTR handling and in BGP
  UPDATE verification:
  - OpenBGPD [CLAUDIO]
  - BGP-SRx [NIST]
  - any others? (I am not aware of other BGP implementations with ASPA)

* Existing deployments need to be updated when the above are completed
  - YYCIX [JOB]
  - not aware of any other ASPA-verification deployments

Did I miss anything in the above?

Speaking for rpki-client / OpenBGPD - we will not provide a grace period
in which both v0 and v1 ASPA profiles are accepted. This is going to be
a 'hard cut': the next release will not support v0 ASPAs.

I think I can manage an update to aspa-profile tomorrow, then we can go
from there.

It would be super helpful if people report back on their implementation
status so we can gauge what the overall project status is.

This is a massive change at 'the last moment', but I believe it'll pay
dividends. I wish to thank everyone who spent cycles thinking through the
implications of making ASPA AFI-agnostic (Jay, Tony, Mikael, Michael,
and many others in hallway conversations).

Kind regards,

Job
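The 'hard cut' Job describes above (the next rpki-client release rejecting v0 ASPAs rather than accepting both profile versions) comes down to a version gate on the eContent. The following is an added illustration of such a gate, not code from this mail, from rpki-client, or from any of the implementations listed. It assumes the eContent is a DER SEQUENCE whose first field is `version [0] EXPLICIT INTEGER DEFAULT 0` (absent when zero, as DER requires) followed by the customer ASN and a providers structure; the sample objects, the constant name `REQUIRED_VERSION` and the function names are all constructed for this example. Only the version field is inspected; the providers encoding (which is what actually changes between v0 and v1) is treated as opaque.

```python
"""Version gate for an ASPA eContent, written as an added example.

Assumed layout (not taken from the mail):
  ASProviderAttestation ::= SEQUENCE {
      version      [0] INTEGER DEFAULT 0,   -- EXPLICIT tag, omitted when 0
      customerASID INTEGER,
      providers    SEQUENCE OF ... }        -- opaque here
"""
from __future__ import annotations

REQUIRED_VERSION = 1  # constructed: the AFI-agnostic profile; v0 is refused


class DerError(ValueError):
    """Raised for any encoding the gate refuses to interpret."""


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER TLV at pos; return (tag byte, content, next offset)."""
    if pos + 2 > len(buf):
        raise DerError("truncated: no tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and buf[pos] == 0):
            raise DerError("non-minimal length")  # DER forbids this
        pos += n
    if pos + length > len(buf):
        raise DerError("truncated content")
    return tag, buf[pos:pos + length], pos + length


def _der_int(content: bytes) -> int:
    """Decode a DER INTEGER body, rejecting non-minimal encodings."""
    if not content:
        raise DerError("empty INTEGER")
    if len(content) > 1 and (
        (content[0] == 0x00 and not content[1] & 0x80)
        or (content[0] == 0xFF and content[1] & 0x80)
    ):
        raise DerError("non-minimal INTEGER")
    return int.from_bytes(content, "big", signed=True)


def aspa_version(econtent: bytes) -> int:
    """Return the profile version of an ASPA eContent (0 if the field is absent)."""
    tag, body, end = _read_tlv(econtent, 0)
    if tag != 0x30 or end != len(econtent):
        raise DerError("eContent is not a single SEQUENCE")
    tag, first, _ = _read_tlv(body, 0)
    if tag != 0xA0:  # [0] context-specific constructed tag not present
        return 0     # DEFAULT 0 applies
    itag, ival, iend = _read_tlv(first, 0)
    if itag != 0x02 or iend != len(first):
        raise DerError("[0] must wrap exactly one INTEGER")
    version = _der_int(ival)
    if version == 0:
        raise DerError("explicit DEFAULT value is not valid DER")
    return version


def accept_aspa(econtent: bytes) -> tuple[bool, str]:
    """Hard-cut gate: accept only REQUIRED_VERSION, refuse everything else."""
    try:
        version = aspa_version(econtent)
    except DerError as exc:
        return False, f"malformed: {exc}"
    if version != REQUIRED_VERSION:
        return False, f"unsupported ASPA profile version {version}"
    return True, f"version {version}"


# Constructed sample objects (customer AS 65000, one provider, AS 1):
ASPA_V0_LEGACY = bytes.fromhex("300c 0203 00fde8 3005 3003 020101")   # no version field
ASPA_V1 = bytes.fromhex("300f a003 020101 0203 00fde8 3003 020101")   # version 1
ASPA_V0_EXPLICIT = bytes.fromhex("3011 a003 020100 0203 00fde8 3005 3003 020101")

if __name__ == "__main__":
    for name, obj in [("legacy v0", ASPA_V0_LEGACY), ("v1", ASPA_V1),
                      ("explicit v0", ASPA_V0_EXPLICIT), ("truncated", ASPA_V1[:-1])]:
        print(f"{name:12s} -> {accept_aspa(obj)}")
```

The point of refusing an explicit zero rather than treating it as v0 is that an RP should not guess at the layout of the rest of the object: once the version is wrong or mis-encoded, the providers field cannot be trusted to have the expected shape, so the whole object is discarded.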