[Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Was: I-D Action: draft-ietf-sidrops-aspa-profile-21.txt)
Job Snijders <job@bsd.nl> Fri, 30 January 2026 17:55 UTC
Return-Path: <job@instituut.net>
X-Original-To: sidrops@mail2.ietf.org
Delivered-To: sidrops@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B9D9EAFA6B01 for <sidrops@mail2.ietf.org>; Fri, 30 Jan 2026 09:55:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NV7E_j-Txpy for <sidrops@mail2.ietf.org>; Fri, 30 Jan 2026 09:55:12 -0800 (PST)
Received: from mail-ej1-f49.google.com (mail-ej1-f49.google.com [209.85.218.49]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 10C88AFA6A38 for <sidrops@ietf.org>; Fri, 30 Jan 2026 09:55:11 -0800 (PST)
Received: by mail-ej1-f49.google.com with SMTP id a640c23a62f3a-b8869cd7bb1so394835966b.1 for <sidrops@ietf.org>; Fri, 30 Jan 2026 09:55:11 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769795704; x=1770400504; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=LsV/UR6amu06mXX/Lm2/Ak+8R7m4m5LSmSfKDMlBfvc=; b=knFY56On+vQz5GIhIj3Vb0qu+hzdvpt6li3k4nlejf/WOMES5XI4CudSOAURki9cSE zCqtfMzZF9oUYXtBQnwbm4P0Zu/8IUbBMbePPjVFWLmEi8SKSmed+HRzVzq703r1ZfEu dpNrfOJ8VWRspaat1kXSdnzeVvpjWB3pkkDwop6nxn0cnthBr02iA58kecP6CCXxgmv6 rRuvRCfQnzQjvkmyKyLRXIwzLzOQ/6Ei+Kx5wFMHaKR1SSinkzPLkWaDxKc93r3i5fKP 5PlO/akPKBDWzq+QcrnB7qYLXqwwGsipUFzWhT9TCaTUec4JIdGUqdGBctGDa5zYPM8d nUzA==
X-Gm-Message-State: AOJu0YxRNvVwarVQoJr4PU+Cbz/Mg0TSB/w1uYs25mi41P6NM50rCilF dcKydiyRJlFTzU13YxzcSEb9Yl23ixV9H/kNDqwpp80SedLXNsK1JpYnVuDAoBodFhn5NvaWzQC GSXqY
X-Gm-Gg: AZuq6aL8bdN9Adv2COTcTcSXm328saePNi1EbuaF6dDYTzwjgoTxXBD0qPxXufLsKq4 vXWcoUq3EQfk7wZQKp7NbbOnPAlkZdoYkaXLmUmyWQf9+ioZzMvOB5Go3jCNZqtLeo9Baa/7DyQ B5KoQtWZTDyIUddJbf5v6qzXn1KUWk/RZjIviCn8VFtI2XOX7Bc/lAHKvaccUgm6p0Oc52xTcCk RYxmDd0DPalcqNUitaaU/k2a00v8sqAuoLQf40fsPiIl3JXEcmSrvHCaPcvm7K3m/HbjsChRJ69 tOHYzj/wHf1P4vFV9TIq/DdSqHbi0RyV/uq6pnc5V77o8L2jZFSrcVfxv3nLosSDom2xC5QSIwj 4e+a4ShcDJp0Pw2cdOC17TFl2Xz+ks2Lyjjb+tTchi7mRFXP5Vbx0sGy9RsbFcgJ+xtfnIU5sLS lbSe6gAsuSMHoeBX5RHPLTq7236CdOVSZWFlPGYmN87x2CX5vatSetdLhbRS0PrPw2gucU+oc15 XgRLbrZ0MliEvTkJV/3DXmRMpPkZG2ubeZwE+vCMOJ50ThRFFEPq7N9QEL6t4qln7hpnAM0
X-Received: by 2002:a17:907:3cc5:b0:b88:61c3:3701 with SMTP id a640c23a62f3a-b8dff7c2f20mr236396166b.52.1769795703784; Fri, 30 Jan 2026 09:55:03 -0800 (PST)
Received: from feather.sobornost.net ([192.147.168.2]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b8dbef86deesm457818766b.3.2026.01.30.09.55.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 30 Jan 2026 09:55:02 -0800 (PST)
Date: Fri, 30 Jan 2026 17:55:01 +0000
From: Job Snijders <job@bsd.nl>
To: sidrops@ietf.org
Message-ID: <aXzwdRVVgP2aHxiM@feather.sobornost.net>
References: <176856799339.114496.4298005588069734285@dt-datatracker-865585c994-4fgh4> <aXtigbzAz9yImmC9@feather.sobornost.net> <19DD8F42-B586-4C88-87ED-3A2165B2FE97@ripe.net> <aXtrhXBVwP8ps-Pi@feather.sobornost.net> <DS0PR09MB10598D3C8177FD7D6E222697D849FA@DS0PR09MB10598.namprd09.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <DS0PR09MB10598D3C8177FD7D6E222697D849FA@DS0PR09MB10598.namprd09.prod.outlook.com>
X-Clacks-Overhead: GNU Erik Bais
Message-ID-Hash: EBSX64B5U2G2JPWIM6WF4RZKTJBKBOKM
X-Message-ID-Hash: EBSX64B5U2G2JPWIM6WF4RZKTJBKBOKM
X-MailFrom: job@instituut.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Was: I-D Action: draft-ietf-sidrops-aspa-profile-21.txt)
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/VXXiO2Wm2f1Ei7QjbhSL_nrP3vk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>
On Fri, Jan 30, 2026 at 05:02:46PM +0000, Sriram, Kotikalapudi (Fed) wrote: > >My concern is in the realm of unintended malleability: our goal is to > >specify a canonical encoding and I can only see downsides to allowing > >superfluous encoding of the 'zero provider'. > > What would be one or two specific examples of the downsides? Malleability and canonicalization is a fascinating topic. Perhaps https://cborbook.com/part_2/determinism.html is of some help? As a rule of thumb, in SIDROPS we strive to use canonical encoding rules. A normalized form helps when comparing information elements (e.g. memcmp() can be used), which in turn makes debugging easier, and also makes detecting of corruption in memory/programflow/etc easier, and also allows implementers to optimize algorithms for inserting into internal data structures. The practise of using canonical forms (especially in security sensitive contexts!) dates back to RFC 3779 and even before that. > My inclination is towards being tolerant about the presence of AS 0 in > the ASPA. Tim was also initially thinking along these lines. We should > try to avoid seemingly unnecessary churn in the RP/RTR > implementations. But why allow for malleability? How does this churn affect you? What I rpopose really is a small change which only needs to be executed by a very limited group of individuals. And it seems all those individuals are engaged and planning accordingly. Should you have concern that changes like these negatively impact the publication process, I have good news: finding edges cases like these "now" really is the most expedient way forward. There are i's to be dotted and t's to be crossed, and these things must be done in order for SIDROPS to deliver a high quality product. I suspect that dealing with this canonicalization refinement "now" (January 2026) will save our future selves from a discussion on an Errata filing and even possible tedious -bis document projects. > Tim said: "Fwiw we plan to update our implementation to disallow this > in future, and tell our users to either use AS0 (and confirm that they > are REALLY SURE THAT THEY HAVE NO PROVIDERS) or 1 or more other ASNs." > > Yes, good. I would prefer that the RPKI registration systems (ARIN, > RIPE, etc.) alert the AS owner (registrant) so that the superfluous > cases are prevented. Great. > I think you have not considered the case when an AS owner already has > a registered AS 0 ASPA; the AS may or may not be operational. Later, > they register a new ASPA listing their newly contracted provider > ASN(s) in the SPAS; this is a separate new ASPA. They forgot (or > ignored) that there was an AS 0 ASPA. > I think it is too harsh to penalize them and treat both ASPAs (AS 0 > ASPA and the normal ASPA) as invalid in RPKI and discard them. Ah, I think you misunderstand the implications of enforcing the canonical form in the context of Signed Object's eContent. When two distinct ASPAs exist, (one AS 0 provider, and another one with a set of providers using non-zero ASes), they can both be valid at the same time and if that is the case they'll be merged/deduplicated appropriately by the cache. The canonicalization rule refinement is about the byte structure of a *single* ASPA. The scenario that you describe with two valid ASPAs is not applicable. To re-iterate: going forward, it is disallowed to combine AS 0 and non-zero ASes in a *single* ASPA, but it is not illegal to issue two separate valid ASPAs (one with AS 0 and one with a non-zero AS as provider). Obviously, while the other ASPA exists in parallel, the AS0 ASPA has become superfluous for the time being and has no impact on route decision making processes. > If we do this by changing the ASPA object verification (X.509 related) > specification, it also causes a significant churn in the > implementations of the ASPA profile draft. Plus, AS owner is > penalized harshly, when in fact, their AS 0 ASPA can be simply ignored > (rendered ineffective) and the other normal ASPA prevails. No no... the proposed refinement is a very modest change, it'll be done in a jiffy. > It also sends an unwarranted (false) scare to users on the ROA side. > ROA registrants (prefix owners) might be confused and would scramble > to do something in case they have an AS 0 ROA and normal ROA for the > same prefix(es). They must not go through such unwarranted churn. We > want them to feel free about registering an AS 0 ROA initially when > they newly acquire the resource and later add a normal ROA when they > wish to start using it in routing; deleting the AS 0 ROA is optional. I'm sure that the proposed change will not change any such dynamics for the worse. Kind regards, Job
- [Sidrops] Re: I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- [Sidrops] I-D Action: draft-ietf-sidrops-aspa-pro… internet-drafts
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Nimrod Levy
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] AS 0 mixed in ASPA 'providers'? (Was: I… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Tim Bruijnzeels
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Martin Hoffmann
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Tim Bruijnzeels
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Martin Hoffmann
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Ties de Kock
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Ralph Covelli
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Sriram, Kotikalapudi (Fed)
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Sriram, Kotikalapudi (Fed)
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Nick Hilliard
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Nick Hilliard
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? (Wa… Ralph Covelli
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? Martin Hoffmann
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? Job Snijders
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? Martin Hoffmann
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? Claudio Jeker
- [Sidrops] Re: AS 0 mixed in ASPA 'providers'? Ralph Covelli