IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

Tim Bruijnzeels <tim@nlnetlabs.nl> Sat, 25 March 2023 21:38 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAB92C151B01 for <sidrops@ietfa.amsl.com>; Sat, 25 Mar 2023 14:38:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id myy97kN1Dfjl for <sidrops@ietfa.amsl.com>; Sat, 25 Mar 2023 14:38:28 -0700 (PDT)
Received: from dane.soverin.net (dane.soverin.net [185.233.34.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 899A8C151B03 for <sidrops@ietf.org>; Sat, 25 Mar 2023 14:38:17 -0700 (PDT)
Received: from smtp.soverin.net (c04smtp-lb01.int.sover.in [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by dane.soverin.net (Postfix) with ESMTPS id 4PkXWB5Jfrz6x; Sat, 25 Mar 2023 21:38:14 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.99]) by soverin.net (Postfix) with ESMTPSA id 4PkXW909YSzFx; Sat, 25 Mar 2023 21:38:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1679780294; bh=UEcDXvuLHJLcQKRjcYEuzOBS5EaJaBeeEptxsGt2WsM=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=FNe7bMLybrCtafXDuwalzYiFioHbEhW8UIGvkcmvKAFtofLpbF/M7Q64tqpG7OtFX KNc5JfcG4PQvllYEqXZp4naSsgdq56Zrb8rfSW54i1mlxFsu2kgfwHosuNw+ku8yb4 QU9Il764lWkWrhwkltjrsHmgpoI9UG0jnsbVLnVnXgvBi1piH5dwKEk/0zGmDcLXC7 RdAsGkK6MsYk4/wSZI+eFu2084g/Rtx7VElP0gbyA21q3MFkuGhfprURAPA3Uv85En M+/1mTJMT57qHjpnSJrxdKXAIRiE0ouFFEnLQ697VoASS2aV3FHxooyp+kmuXXcYDO HQIKQa1hWB3kw==
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
X-Soverin-Authenticated: true
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <CAMFGGcDOWPhZE0MECbvkM+=2V9ahXWDYXvSMfuGSzC4nPWvSrw@mail.gmail.com>
Date: Sun, 26 Mar 2023 06:37:56 +0900
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F7DC58EB-F2F8-4667-A751-3FA2DD39E9A8@nlnetlabs.nl>
References: <SJ0PR06MB7677230255CC9134CAF94E98D6879@SJ0PR06MB7677.namprd06.prod.outlook.com> <ZBxcTHebGjhJGpzh@snel> <CAB5NZESXFF68ez7NwK6s3hqYY6ChkHyu_r8jPggO3ysHQB0emA@mail.gmail.com> <619522318a5c40edac5a8d0635195456@huawei.com> <fa682854-5168-4368-9f18-2750e363e03b@akamai.com> <CAMFGGcDOWPhZE0MECbvkM+=2V9ahXWDYXvSMfuGSzC4nPWvSrw@mail.gmail.com>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/_sL1PhPGCOcquXuLTjlVialVGGc>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2023 21:38:32 -0000

Hi,

> On 25 Mar 2023, at 23:41, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> 
> Hi Igor,
> 
> On Sat, 25 Mar 2023 at 12:29, Lubashev, Igor <ilubashe=40akamai.com@dmarc.ietf.org> wrote:
> An alternative to a special 'AS 0 ASPA' would be allowing a zero-length Provider AS list. Then there are no special rules at all. 
> 
> 
> Please take a moment to appreciate Section 7 of 
> https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile
> 
> At this point in time a very strong justification would be required in order to change the ASPA object profile.
> 
> Changing to “zero-length” requires a non-trivial update to the ASN.1 profile in the internet-draft, and requires a number of implementers to change their code. Are you maintaining a Relying Party or Signer implementation yourself?
> 
> 
> But if 'AS 0 ASPA' is used, a further special rule is needed to describe how a 'union' is taken when both 'AS 0 ASPA' and a 'normal' ASAP are present (maybe from different RPKI registries).
> 
> 
> A sentence to clarify that if two valid ASPA objects are present, AND their respective ProviderSets are different, AND one contains a ProviderSet that contains a single entry listing AS 0 as provider, the latter object might as well not exist, because it contains superfluous information?
> 
> (That’s how it kinda works for ROAs when one ROA authorises AS0 and another ROA for the same IP Prefix(ex) authorises some other ASN.)
> 

That could work, and perhaps it's appealing because it feels clean.

On the other hand, you could also just merge the object VAPs. The result would be a ProviderSet that includes AS0, but it would no longer have length 1.

If you do not want to see AS0 in multi-elements ProviderSets in routers then you should also remove surplus surplus AS0 from any 'normal' VAPs where you did not need to do any merging.

But, as with ROAs, it doesn't matter really if the router sees a surplus AS0 - it would not affect the outcome of validation - or am I missing something here? So, to conclude.. I think we should just accept that surplus AS0 can exist and does nothing - similar to ROAs.

Tim


> Kind regards,
> 
> Job
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops

v2.23.0 | Report a Bug | By Email