Re: [Sidrops] Test objects: ASPA and BGPSec Router Certificate

Tim Bruijnzeels <tim@nlnetlabs.nl> Mon, 25 July 2022 00:06 UTC

From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <127BBB15-7F9A-4983-9D7F-742B43F28B05@rpstir.net>
Date: Sun, 24 Jul 2022 20:06:25 -0400
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6A4FA576-E506-4376-8837-BF3CD62FCC82@nlnetlabs.nl>
References: <DADDAAB3-109E-4B83-A54A-2AAF65E2FA62@nlnetlabs.nl> <127BBB15-7F9A-4983-9D7F-742B43F28B05@rpstir.net>
To: Di Ma <madi@rpstir.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/YabTPchQPNaQ8OaMywkXqB4tJiI>
Subject: Re: [Sidrops] Test objects: ASPA and BGPSec Router Certificate


> On 24 Jul 2022, at 12:25, Di Ma <madi@rpstir.net> wrote:
> 
> Tim,
> 
> Thanks for your efforts.
> 
> I am reporting two issues with RPSTIR2 testing it.
> 
> 1) We manage to decode and validate the asa object grammatically only if we use the very EE as TA, for we cannot locate its parent cert with aki of the EE cert in question.

Maybe related to #2? It has the same AKI as the manifest.

> 2) The asa is not calculated into MFT.

That is the other issue I mentioned.. without going into details.

I guess it's what I get for rushing the release candidate ahead
of the IETF week.. did not mean to make you and others waste time.

I will have a fix during the week, test it better this time,
and let you know!

Thanks for the feedback.

Tim


> 
> Di
> 
>> On 22 Jul 2022, at 21:02, Tim Bruijnzeels <tim@nlnetlabs.nl> wrote:
>> 
>> Dear WG,
>> 
>> I just published a BGPSec Router Certificate and an ASPA
>> object under a test CA in our testbed. The CA uses the
>> following rsync base:
>> 
>> rsync://testbed.krill.cloud/repo/local-testbed-child/0/
>> 
>> The TAL for this testbed lives here:
>> https://testbed.krill.cloud/testbed.tal
>> 
>> BGPSec:
>> -------
>> 
>> file: ROUTER-00033979-17316903F0671229E8808BA8E8AB0105FA915A07.cer
>> 
>> This is valid according to our own probing, but please let
>> me know if you find any issues with it.
>> 
>> ASPA:
>> -----
>> 
>> file: AS211321.asa
>> 
>> The ASPA file still follows the aspa-profile-08, which I
>> believe is unchanged from what was discussed around the end
>> of 2021. I can change this after consensus has been reached,
>> but it may be helpful to have an actual object to look at.
>> 
>> Please let me know if you find any issues with either object.
>> 
>> Thanks!
>> 
>> Tim
>
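
The two issues reported in this thread (an object missing from the manifest, and the question of whether its AKI matches the manifest's) can be cross-checked mechanically at a publication point. The following is an added example, not code from Krill, RPSTIR2 or either author. It assumes the manifest's fileList and each object's AKI have already been decoded; `example.mft`, the AKI value and the object contents are constructed placeholders.

```python
import hashlib

def check_publication_point(mft_name, mft_aki, file_list, published):
    """Cross-check published objects against a decoded manifest.

    file_list: {filename: sha256 hex digest} taken from the manifest
    published: {filename: (aki_hex, content_bytes)} as fetched
    Returns a sorted list of (filename, problem) tuples.
    """
    problems = []
    for name, (aki, data) in published.items():
        if name == mft_name:
            continue  # a manifest does not list itself
        if aki != mft_aki:
            problems.append((name, "AKI differs from manifest"))
        listed = file_list.get(name)
        if listed is None:
            problems.append((name, "not listed on manifest"))
        elif listed != hashlib.sha256(data).hexdigest():
            problems.append((name, "hash mismatch"))
    for name in file_list:
        if name not in published:
            problems.append((name, "listed but not published"))
    return sorted(problems)

# Constructed sample: file names are from the thread; the manifest name,
# AKI value and object contents are placeholders, not testbed data.
AKI = "aa" * 20
ROUTER = "ROUTER-00033979-17316903F0671229E8808BA8E8AB0105FA915A07.cer"
ROUTER_BYTES = b"constructed router certificate bytes"
PUBLISHED = {
    "example.mft": (AKI, b"constructed manifest bytes"),
    ROUTER: (AKI, ROUTER_BYTES),
    "AS211321.asa": (AKI, b"constructed ASPA bytes"),
}
# The manifest lists the router certificate but omits the ASPA object.
FILE_LIST = {ROUTER: hashlib.sha256(ROUTER_BYTES).hexdigest()}

if __name__ == "__main__":
    for name, problem in check_publication_point(
            "example.mft", AKI, FILE_LIST, PUBLISHED):
        print(f"{name}: {problem}")
```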