Re: [Sidrops] Orie Steele's No Objection on draft-ietf-sidrops-cms-signing-time-06: (with COMMENT)
Orie Steele <orie@transmute.industries> Tue, 09 April 2024 14:56 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7A4AC14F6BF for <sidrops@ietfa.amsl.com>; Tue, 9 Apr 2024 07:56:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.075
X-Spam-Level:
X-Spam-Status: No, score=-2.075 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00hCDKVm9EnZ for <sidrops@ietfa.amsl.com>; Tue, 9 Apr 2024 07:56:03 -0700 (PDT)
Received: from mail-pj1-x102c.google.com (mail-pj1-x102c.google.com [IPv6:2607:f8b0:4864:20::102c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6759CC14F6A2 for <sidrops@ietf.org>; Tue, 9 Apr 2024 07:56:03 -0700 (PDT)
Received: by mail-pj1-x102c.google.com with SMTP id 98e67ed59e1d1-2a53a4a283eso1473895a91.0 for <sidrops@ietf.org>; Tue, 09 Apr 2024 07:56:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1712674563; x=1713279363; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KmRgPmEAYvYTsDoUAXVRKOLLjHpG6fORD16/XlKtoCU=; b=Kl8UXHCMtmNyAkMgiNkL7d6W8XG774gCHTxOIgMG05iAoP4slbKiMSXw332Jekwtt+ sKxUJoruLWbdn02Sw+xiTgEDlTlIp2T240O4KT7DKwr4lGkBnKXfJ9uZhUtr5wWGVCge TV7pbbA3VXcho4PHtal/SY4k04Ij3n3MdKF/i360p28159VjhmSKq06hP6Ooad+jNyra wLIwrTB65XF/HiSrfybpY7xzPiR6x2P2GhTzw/Nvc02Um5oBCNJPFu1Z70uxc7E/PSZH bQVAg8vz4PMss3JDBQ9A32WUcLjexzV9aUuti+iiPn0gkpD/gsD+OWgekJS/2pAGwd8z 1irA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712674563; x=1713279363; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KmRgPmEAYvYTsDoUAXVRKOLLjHpG6fORD16/XlKtoCU=; b=jjBaKE5SVLe568h+jCd6TiF9m8TrvjLPUQosnZvbstHTZEYREPtyuqUb8AP2fu/4Ze cUBxIcyYXLp0jmhA/rg8wBh8+njUU/N90blt3/PZLr4mP+IX2iwAs3/U9O5QaCtwvebJ Uv++sVRsZqCqU69bh/vCIhReGDzzT3bVcO6+QxoCQW1IZvDn8RszPZ7dw+WI9lipxLsl nOtz6wJ5IRio5KfiRHPxGPvgVP6Zv99SjLUhTvZpcWFstfAIYmowmrlg+cmTEcT+FNU0 V9nAkgBNCENgq1xENyt0POehHW4r6qlXAkPwfd56SE/BfMQq5vUwof9ZHZEj1ANbYS4c 5j/g==
X-Forwarded-Encrypted: i=1; AJvYcCXZSCg87u7TqNjKHbcpYxRBKjjMASFo0XYhI5hhA+m+ksM+EaFM6fiuk9MEvkaxWPRansGSjxgUveStcxpL9nkS
X-Gm-Message-State: AOJu0YwI8/ndDUgdkNPrD6XwXST0rAZCgQMP1ZdAAJOMKvIozqw97NtA hdGMNu42QacMOzkdM0hk2jOHiqnJ4C2jla5El/lZpkryHNBGPS7TX01Aaz0BC7epgZPC7Z//pLR OMIPL4fICUWEF+0ZfVKiGFoJNpf0ktvpbnfhkPg==
X-Google-Smtp-Source: AGHT+IHYZ978GSLhdpWNoEeldJdQoJmW/OIvEjcYOd7FUdKvNeDvAhpZr5WpqraZDBGhqttx9CfetZeVM6GFMKqK/VU=
X-Received: by 2002:a17:90b:38cf:b0:29c:5708:b922 with SMTP id nn15-20020a17090b38cf00b0029c5708b922mr12417911pjb.26.1712674562691; Tue, 09 Apr 2024 07:56:02 -0700 (PDT)
MIME-Version: 1.0
References: <171260858688.49397.2189518988804934513@ietfa.amsl.com> <ZhVRdtcdUwCqX03j@snel>
In-Reply-To: <ZhVRdtcdUwCqX03j@snel>
From: Orie Steele <orie@transmute.industries>
Date: Tue, 09 Apr 2024 09:55:51 -0500
Message-ID: <CAN8C-_+-YYM3ansxcxUAj81AGeHyNxEktoQafbOBk98Pb=1kxw@mail.gmail.com>
To: Job Snijders <job@fastly.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-sidrops-cms-signing-time@ietf.org, sidrops-chairs@ietf.org, sidrops@ietf.org, housley@vigilsec.com
Content-Type: multipart/alternative; boundary="000000000000ecf8160615ab1e6b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Uyva7PV3-Ld98PIvMRJJ_exiDfk>
Subject: Re: [Sidrops] Orie Steele's No Objection on draft-ietf-sidrops-cms-signing-time-06: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2024 14:56:08 -0000
Inline: On Tue, Apr 9, 2024 at 9:32 AM Job Snijders <job@fastly.com> wrote: > Dear Orie Steel, > > Thank you for taking the time to read and review this internet-draft! > > On Mon, Apr 08, 2024 at 01:36:26PM -0700, Orie Steele via Datatracker > wrote: > > ## Comments > > > > ``` > > 129 Publishers SHOULD ensure that the last modification timestamp > of the > > 130 file remains unchanged as well. > > ``` > > > > Why not MUST? What happens if they do not? > > If publishers do not ensure the last modification timestamp of the file > remains unchanged, the file might be needlessly re-transmitted. This > potentially results some waste of bandwidth, but but does not impact the > validity of the Signed Objects. > > The internet-draft outlines an optimization, it does not describe a > 'without this, RPKI wont work'-concept > I see that's what it says above this sentence, but again, why not: To avoid needless re-transfers of unchanged files in consecutive rsync synchronizations, [I-D.timbru-sidrops-publication-server-bcp] publishers MUST ensure that the last modification timestamp of the file remains unchanged as well, and MUST use the so-called 'deterministic' (normalized) timestamps for files. In other words, answer what MUST a publisher do to avoid the unoptimized outcome, even if the optimized outcome is not required. > > ``` > > 156 In order to reduce the burden of the rsync synchronization > (following > > 157 an RRDP failure), Publishers and RPs SHOULD adhere to the > following > > 158 guidelines. > > ``` > > > > Why not MUST? Perhaps this sentence is not needed. > > The authors thought it might be helpful to explain why the guidelines > are useful to implement, what the benefits are if advantage of the > optimization is taken. But again, if publishers don't follow this > guidance the end result is inefficient, but still functional transfers > of RPKI data. > Ok, this makes sense, and also aligns with your comment above. > > > ``` > > 162 When serializing RPKI Signed Objects to a filesystem > hierarchy for > > 163 publication via rsync, the mod-time of the file containing > the Signed > > 164 Object SHOULD be set to the value of the CMS signing-time > attribute > > 165 contained within the Signed Object. > > ``` > > > > Why not MUST? What happens if the mod-time is set to something else? > > Does this guidance also apply to publishers that support RRDP in > > addition to rsync? > > if the mod-time is set to something else, the data might needlessly be > retransferred. The guidance applies to all publishers, including the > ones that support RRDP. Every publisher MUST support rsync, which is > where these guidelines are recommended. > Consider phrasing it like: All publishers that support rsync and RRDP MUST set mod-time of the file containing the Signed Object SHOULD be set to the value of the CMS signing-time attribute contained within the Signed Object, in order to reduce the change of needlessly retransferring data. Essentially you are saying: these optimizations are not required, but SHOULD be used, in order to achieve them, this is what MUST happen. > > ``` > > 169 When serializing RPKI Signed Objects retrieved via RRDP to a > > 170 filesystem hierarchy, the mod-time of the file containing the > Signed > > 171 Object SHOULD be set to the value of the CMS signing-time > attribute > > 172 contained within the Signed Object. > > ``` > > > > Why not MUST? > > > > The amount of redundancy between this section and previous section, is > > confusing. I would assume publishing and consuming would both need > guidance on > > CMS signing-time, regardless of if rsync or RRDP was used. > > The above section is for Relying Party implementers (the counterpart to > the publisher side). I made an attempt by splitting the different > instructions for publishers and relying parties into 2 sections: > "2.1 Guidance for Publishers" and "2.2 Guidance for Relying Parties". > Do you have suggestions to resolve the potential for confusion? > > As to your question about MUST, if Relying Party implementers ignore > this internet-draft, those implementations might be more wasteful in > terms of bandwidth, but still will be functional. So softer guidance > seemed appropriate. > > All in all this document is "do X if you want maximum efficiency", but > if publishers or relying parties don't read this draft, it's not the end > of the world. Hope this clarifies where we're coming from! > Yes, this clarifies things, I think your intention could be conveyed more directly / strongly with: Implementations SHOULD follow these guidelines, in order to avoid unnecessary data transfer. (you say this already) In order to avoid unnecessary data transfer the following actions MUST occur. (you could say this, instead of repeating SHOULD) However, it might be worth waiting for additional reviews, before taking any action. > > Thanks & kind regards, > Thanks again for this document. > > Job > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [Sidrops] Orie Steele's No Objection on draft-iet… Orie Steele via Datatracker
- Re: [Sidrops] Orie Steele's No Objection on draft… Job Snijders
- Re: [Sidrops] Orie Steele's No Objection on draft… Orie Steele