[Sidrops] Re: WG Adoption call for draft-sriram-sidrops-spl-verification - ENDS 06/03/2024 (June 3 2024)

Tim Bruijnzeels <tbruijnzeels@ripe.net> Wed, 29 May 2024 08:14 UTC

Return-Path: <tbruijnzeels@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1329CC151556 for <sidrops@ietfa.amsl.com>; Wed, 29 May 2024 01:14:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7JhLP83nZ_Ho for <sidrops@ietfa.amsl.com>; Wed, 29 May 2024 01:14:12 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C946C151557 for <sidrops@ietf.org>; Wed, 29 May 2024 01:14:12 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id 38308e7fff4ca-2e6f51f9de4so24295481fa.3 for <sidrops@ietf.org>; Wed, 29 May 2024 01:14:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ripe.net; s=google1; t=1716970451; x=1717575251; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=b41mo1uab1IqLI+bSCdbbdQWTFG7p5XhAaaxbYV+MuI=; b=Sj0URCJ90P0MuKMOaR+cUACqIrTZYm19/0K8bY467HxXm6rev5C0spXhsLeyZIXa12 5bz+rKaE/BGqz5YO7orQ8LOL65+lxaL3tsDANklMDg05LrAINGDsfgrYRmaXdmIqlgyC z4xJHr1sZ5kBYpNHU68fybir2Q53Ez/lsaUJk2W7/Tmpg+ywrlwHPUMW1S9ewQV/qAMY 27KpnoTXT2CJ7AKEY2DhhAbtIZYFZ4nHOsvDdr1k55E/CeaKOHaw4PRzz8Qh1u+Fnnz+ jXcQd2mEOnpvxjNIcrA83gV31Yp+mp9x2SgJwzjk9sx64NAfXbK+BhpFUEJWT3ToHs5C DbPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716970451; x=1717575251; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=b41mo1uab1IqLI+bSCdbbdQWTFG7p5XhAaaxbYV+MuI=; b=EciYpOW5OEeVTgxjo7QlwiQ1ili+BewkOvleayzCcave1hVYZuseqqbQTiweDfboPs 20KhsZmDcHX6jI9uKGkasYJpC995UhJ5pB0Hjz1UOwpUIeqoHYzJmMF1zqEr3n/oGqs9 8r7sas8AZ5LemSP8Sv1WePlqUZx45UtnMu25eQfpXnHtTcmH2pL+y7IEHEWXrk/JOLZk RIhMOwOfkEPf12Wn1RPOAlC6ErgLqx1UqrVgOjQ6LEUijNATJ9uB00Qk6iSNPtjRDQxi POwgrfHvtbCf0DthhcNuhgEdayXsB8yQIrD6XbspXYbrKsXa+dUB1R5M/fvUuLC4IFzC scoQ==
X-Forwarded-Encrypted: i=1; AJvYcCVQgi09HoUzlVjAjvL4/Xdd+d5MZ2rj1TKUMbz4NICYT9toQ5NvbyO42M9x6Hnahf/UAC39v1/5Me5G+qOpwiMC
X-Gm-Message-State: AOJu0YyBJShSBFl2WYyjLgBvWBI0d1dFePCfwu8pRdVkvroxESZqrGFO BKt8wAeFpRSHiLpCgG/w4ResuSboj926d94zTRmJoossAlIE1/AsbY7bSN6TuQ8=
X-Google-Smtp-Source: AGHT+IHtczohvcD1fk8rJ3xET/Pc48bfNNokeuglFhwYLeQiiWLwDM4FK5wWRuP5VHJv6Tvt49pb+A==
X-Received: by 2002:ac2:5a09:0:b0:51d:9f10:71b7 with SMTP id 2adb3069b0e04-52965c2f877mr11075975e87.28.1716970450610; Wed, 29 May 2024 01:14:10 -0700 (PDT)
Received: from smtpclient.apple (2a02-a46d-1a37-0-34d9-d9a-edee-eece.fixed6.kpn.net. [2a02:a46d:1a37:0:34d9:d9a:edee:eece]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a65a01f2e4dsm3756866b.129.2024.05.29.01.14.10 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 29 May 2024 01:14:10 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\))
From: Tim Bruijnzeels <tbruijnzeels@ripe.net>
In-Reply-To: <SA1PR09MB814214B4946E15E7296570E984F12@SA1PR09MB8142.namprd09.prod.outlook.com>
Date: Wed, 29 May 2024 10:13:59 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <F62EB815-FEE2-45EB-8B67-FC93C3667619@ripe.net>
References: <SA1PR09MB8142978FC5DFD478E40B54D884F12@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB814286463D99E5327EEDF3B184F12@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB8142749B4309DCBDFFEED34784F12@SA1PR09MB8142.namprd09.prod.outlook.com> <SA1PR09MB814214B4946E15E7296570E984F12@SA1PR09MB8142.namprd09.prod.outlook.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3774.600.62)
Message-ID-Hash: B4JP5RGYHPLKPHGXQF5FJ4C62O5TEDQV
X-Message-ID-Hash: B4JP5RGYHPLKPHGXQF5FJ4C62O5TEDQV
X-MailFrom: tbruijnzeels@ripe.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Amir Herzberg <amir.lists@gmail.com>, "sidrops@ietf.org" <sidrops@ietf.org>, "draft-sriram-sidrops-spl-verification@ietf.org" <draft-sriram-sidrops-spl-verification@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: WG Adoption call for draft-sriram-sidrops-spl-verification - ENDS 06/03/2024 (June 3 2024)
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/MqmFBx0_YyECHjp9axwRz5zCceU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>

Hi,

> On 28 May 2024, at 22:37, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org> wrote:
> 
>> 
>> However, is SPV the best mechanism to deal with this?
>> I think a better alternative would be an extension to the ROA 
>> mechanism. This extension will define a `conditional ROA'.
>> This conditional ROA will also contain the result of a hash function 
>> h(x) over some random x. You can use the conditional ROA in two ways:
>> 
>> - without the preimage x: such ROA will not make announcements for AS
>> 7 and 1.2.3/24 valid. However, it could be used to allow DSR , i.e., 
>> it would be considered for BAR-SAV filtering.
>> 
>> - with the preimage x, provided as a transitive BGP attribute or otherwise:
>> this turns the conditional ROA into regular ROA.
>> 
> 
> Your proposal involves modifying the ROA to add a new field. Perhaps it can be taken up in the future by the WG as new work.  I'll be happy to discuss its the pros and cons off-list.

I think discussion is good, but generally speaking I am not keen on changing the ROA format. We have a lot of deployment, CA implementations and UIs/APIs, RPs, best practices, documentation, etc.

I think new semantics are generally best done as separate, explicit, complementary types. This way it’s also clear that the signer explicitly opted in to making a statement - rather than going with an implicit default which is what we might end up with if we had a next version ROA with optional extra bits.

I support adopting SPL, my feeling is that some more discussion is needed before it’s done, but adopting it so we can have that discussion makes sense to me.

Tim