Re: [Sidrops] I-D Action: draft-ietf-sidrops-deprecate-rsync-00.txt

Russ Housley <housley@vigilsec.com> Fri, 04 September 2020 20:34 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB5B33A100A for <sidrops@ietfa.amsl.com>; Fri, 4 Sep 2020 13:34:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7VReYYnliWKH for <sidrops@ietfa.amsl.com>; Fri, 4 Sep 2020 13:34:18 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 567213A0A96 for <sidrops@ietf.org>; Fri, 4 Sep 2020 13:34:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id F13E8300B92 for <sidrops@ietf.org>; Fri, 4 Sep 2020 16:34:15 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id YIKB6HkaZWnE for <sidrops@ietf.org>; Fri, 4 Sep 2020 16:34:14 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id A411E300B42; Fri, 4 Sep 2020 16:34:14 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.15\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <47B41A31-D557-46E1-9EE7-56352C604224@nlnetlabs.nl>
Date: Fri, 4 Sep 2020 16:34:16 -0400
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C011189B-AFEB-41BD-96F9-20AA78699ED2@vigilsec.com>
References: <159890072559.31155.191532586512778700@ietfa.amsl.com> <150E4A91-2EC6-4B88-8AD9-E7C88CC64D31@nlnetlabs.nl> <2B4CE028-03E9-4B06-AEFD-D6D2958D91B8@vigilsec.com> <47B41A31-D557-46E1-9EE7-56352C604224@nlnetlabs.nl>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
X-Mailer: Apple Mail (2.3445.104.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/bHsvosU5BwA76s89rATZdeEnmQo>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-deprecate-rsync-00.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Sep 2020 20:34:20 -0000

Tim:

>> I think that RFC 6487 should also be updated to adjust the RPKI certificate profile.
> 
> Can you please elaborate why?
> 
> My personal drive with this draft, despite its name perhaps, is to deprecate the *operational* dependency on rsync. In my opinion the rsync URIs can stay and serve as namespaces, even if the servers are not guaranteed to be available. Think XML name spaces. I don't think we need to forbid running rsyncd either.

For example, RFC 6487, Section 4.8.6 says:

   ... The preferred URI access mechanism is a single rsync
   URI ("rsync://") [RFC5781] that references a single inclusive CRL for
   each issuer.

   ... Other access form URIs MAY be used in addition to the
   rsync URI, representing alternate access mechanisms for this CRL.

There are similar words in Sections 4.8.7, 4.8.8.1, and 4.8.8.2.

It seem to me you are changing the "preferred" way to handle these, even if both are allowed for decades.

> 
>> In phase 1, several URLs in the certificate could offer rsync:// and rrdp://, and then in Phase 4 (not documented), the rsync:// can get dropped.
> 
> It may not be aesthetically pleasing, but removing the rsync URIs completely is a much, much bigger effort. Incomplete dump of pointers of what would be affected

I agree, and that it is why I called it Phase 4, which is beyond the scope of this document.

Russ