Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects
Erik Rozendaal <erozendaal@ripe.net> Fri, 09 December 2022 09:53 UTC
Return-Path: <erozendaal@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7F0AC157B37; Fri, 9 Dec 2022 01:53:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EMi0R3qGkFOl; Fri, 9 Dec 2022 01:53:15 -0800 (PST)
Received: from mail-mx-1.ripe.net (mail-mx-1.ripe.net [IPv6:2001:67c:2e8:11::c100:1311]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EA4BC157B33; Fri, 9 Dec 2022 01:53:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Message-Id:Cc:Date:From:Subject:Mime-Version:Content-Type ; bh=GNhxDwJKl1Yigr6CdoniOSd1mPvGG3L5JhPeY5mDfuI=; b=ksI+VKgeZ0YHm+xFcAM5CRtp XieQ8DEef7JXcU/Rl7RqdDwduDTI5BcQ2DCPChoGDQNpyJwmiC5yn5E1wwXxgsmLm/SVnAGIfp9oh yJ2zPv7eTmW/vCK4xC7kQjQhHwh0YhauhV6Y7G5/C88Ht+3kUXbAzbwQKOEiN3obQci57WL/mMPir EVlnxo7q5V4HIKTEb2JnjYNq783HMyhu8HFdtEE0QlufBqiHVNqGvp0TFQq2qGtUxTMWDk4BcoSSO cBqN/5H60tM4sqjgQZi99XAn+8LdgzZxf6JnVS33hO8iu5flMnYRy6luvO4XtyuJOmG9kk3pdbLtC gEjmc3X7Ag==;
Received: from bufobufo.ripe.net ([2001:67c:2e8:23::c100:170d]:51012) by mail-mx-1.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <erozendaal@ripe.net>) id 1p3a41-00Dt6W-0w; Fri, 09 Dec 2022 09:53:05 +0000
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by bufobufo.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <erozendaal@ripe.net>) id 1p3a41-0004cu-0L; Fri, 09 Dec 2022 09:53:05 +0000
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
From: Erik Rozendaal <erozendaal@ripe.net>
In-Reply-To: <SA1PR09MB8142F7C99E553E6610A925DF841B9@SA1PR09MB8142.namprd09.prod.outlook.com>
Date: Fri, 09 Dec 2022 10:52:33 +0100
Cc: "sidrops@ietf.org" <sidrops@ietf.org>, "draft-ietf-sidrops-aspa-profile@ietf.org" <draft-ietf-sidrops-aspa-profile@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BAD4B943-2332-4274-B571-A756D495EAA1@ripe.net>
References: <SA1PR09MB8142F7C99E553E6610A925DF841B9@SA1PR09MB8142.namprd09.prod.outlook.com>
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.200.110.1.12)
X-RIPE-Signature: 3081e9bfa2e75d9dc8fe5e8110458a38ba2fd0d68136b1ce3be768f2f8afa86b
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/WXmtU34eBrFpwy85VrdUCaqxDjM>
Subject: Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Dec 2022 09:53:20 -0000
Hi Sriram, Thanks for your feedback. We've decided to use the terminology already present in the RIPE NCC RPKI API for consistency. Since we already used "ASN" for ROAs we also used this for ASPA in preference over the RFC use of "AS ID". With respect to the _afiLimit_ field we felt it was better to be explicit instead of depending on the absence (or null value). For the CMS objects it makes sense to use a default value to reduce the size of the objects, but this consideration doesn't really apply to our API. The use of _providers_ vs _ProviderASSet_ is more personal preference and easier typing. So, mostly the choices were basically due to consistency with our existing APIs and personal preference, since we don't follow the RFC naming currently. Kind regards, Erik > On 6 Dec 2022, at 18:05, Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram=40nist.gov@dmarc.ietf.org> wrote: > > Hi Erik, > > Thank you for the work. Just for my clarification... why the terminology in the RIPE ASPA configuration API does not seem to match that in the ASPA profile draft (v-11)? > > 'RIPE ASPA configuration API' vs. 'ASPA profile draft': > customerAsn <--> customerASID > ProviderASSet <--> providers > providerAsn <--> providerASID > afiLimit <--> afiLimit (this matches) > > For the afiLimit, the profile draft (v-11) says... "if present... the value MUST be either 0001 or 0002." > But the RIPE ASPA configuration API seems to allow a value ANY. The example in your post says: { "providerAsn": "AS64500", "afiLimit": "ANY" }. > > Sriram > > -------------------------------- > From: Erik Rozendaal <erozendaal@ripe.net> Mon, 21 November 2022 14:00 UTCShow header > > ASPA (Autonomous System Provider Authorisation[1]) is a new RPKI > object type and the first additional object type supported by the RIPE > NCC RPKI software since its original introduction. ASPA is currently > in draft status, and we implemented draft version 11 of the object > profile [2]. > > We built this ASPA pilot to help the community advance the work in the > IETF SIDR Operations (SIDROPS)working group. The initial version runs > in the RIPE NCC localcert[3] pilot environment, and we plan to make it > available in the production environment soon after the ASPA proposal > reaches RFC status. > > Below you can find the description of the RIPE NCC RPKI ASPA > configuration API. Please contact us at sw-enhancements@ripe.net if > you have any questions or problems. > > # ASPA configuration API > > The ASPA configuration can only be retrieved and updated in this pilot > environment using the RPKI Management API[4]. We added two new API > endpoints for ASPA: > > ## Retrieve the current ASPA configuration > > API endpoint: `GET /api/rpki/aspa` > > Returns a JSON representation of your current ASPA configuration and > an `entityTag`. This `entityTag` describes the current version of the > configuration. > > Example response body: > > { > "entityTag": "\"PUwiLtHQSA9LqD5mvUW3Rp7WqPCsS28p/5a52N9AcS8=\"", > "aspaConfigurations": [{ > "customerAsn": "AS64496", > "providers": [ > { "providerAsn": "AS64500", "afiLimit": "ANY" } > ] > }] > } > > ## Update the ASPA configuration > > API endpoint: `PUT /api/rpki/aspa` > > Atomically replaces the current ASPA configuration with the provided > configuration. You must provide the `entityTag` of your current > configuration in the `ifMatch` field. If the provided tag no longer > matches, you will get an `HTTP 412 precondition failed`[5] > response. This mechanism prevents conflicting updates of the ASPA > configuration. > > After the configuration is updated, the RIPE NCC RPKI system will > update the ASPA CMS objects and publish them to the RIPE NCC RPKI > repositories. This process usually takes less than 30 minutes but may > be slower, with a long tail up to the time limit described in our CPS. > > Example request body: > > { > "ifMatch": "\"PUwiLtHQSA9LqD5mvUW3Rp7WqPCsS28p/5a52N9AcS8=\"", > "aspaConfigurations": [{ > "customerAsn": "AS64496", > "providers": [ > { "providerAsn":"AS64500", "afiLimit": "IPv4" } > ] > }] > } > > Note: it is also possible to use the HTTP `ETag`[6] response header > and `If-Match`[7] request header instead of the JSON object fields. > > ## ASPA configuration JSON > > The ASPA configuration JSON has the following format. All fields are > required: > > `aspaConfigurations`: a (possibly empty) list of ASPA configuration > objects with two fields: customerAsn and providers. > > `customerAsn`: your ASN, which must be part of your certified > resources. > > `providers`: a non-empty list of objects with two fields: > `providerAsn` and `afiLimit`. > > `providerAsn`: the ASN of the authorised provider or internet exchange > point route server. > > `afiLimit`: one of `ANY`, `IPv4`, or `IPv6` (case sensitive) to limit > the kind of traffic that is authorised. > > # References > > [1]: https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-profile/ > [2]: https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification > [3]: https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/rpki-test-environment > [4]: https://www.ripe.net/support/documentation/developer-documentation/rpki-management-api > [5]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/412 > [6]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag > [7]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Match > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] RIPE NCC RPKI pilot for ASPA objects Erik Rozendaal
- Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects Erik Rozendaal
- Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects Ben Maddison
- Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects Ties de Kock