Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022

Stephen Kent <stephen.kent@verizon.net> Thu, 10 March 2022 20:46 UTC

Message-ID: <2ca4980f-5b36-13d6-29e8-c73c9f0958bf@verizon.net>
Date: Thu, 10 Mar 2022 15:46:43 -0500
To: sidrops@ietf.org
References: <BYAPR18MB26961DE9F15501CCA12ECCF1C13D9@BYAPR18MB2696.namprd18.prod.outlook.com> <851649A5-9075-4956-8B57-E51F612DF6BD@nlnetlabs.nl> <m235jqa2fk.wl-randy@psg.com> <D46FDA88-15E2-4EC6-BE07-0A1A93038B64@ripe.net> <m2v8wm8278.wl-randy@psg.com> <8961B085-5022-49C8-8775-77031B3DD814@ripe.net> <m2r17a80zl.wl-randy@psg.com> <9B0B0DBF-9F7A-4A61-9EBE-BCE556150475@apnic.net> <m25yol8srn.wl-randy@psg.com> <56A29364-EB28-4224-96D0-8A5FE95D1880@apnic.net>
From: Stephen Kent <stephen.kent@verizon.net>
In-Reply-To: <56A29364-EB28-4224-96D0-8A5FE95D1880@apnic.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/dpUmJz984V5sCnuq0lbn-LgXXog>
Subject: Re: [Sidrops] [WGLC] draft-ietf-sidrops-roa-considerations-01 - Ends 10/March/2022

Geoff,
>
> agreed, yet we have TLS using just-in-time credential provisioning in the
> initial handshake which has very different scaling properties. The models
> of DNSSEC provisioning also staple the credentials to the data. RPKI
> is one of the few models that attempt to pre-provision the entirety of the
> credential sets to all relying parties all of the time, and I find myself
> wondering why we ever thought that such an approach would scale!
>
> yes, I agree it's just one more aspect of the intrinsic brokenness of the
> Internet, and, as you say, we plod on! :-)

TLS creates a pairwise connection between two entities, so transmitting
the cert of the server is an obvious, simple approach to solve the
problem in question. And, because of the artificially shallow PKI
underlying the issuance of certs to servers (thanks to the browser
vendors and the cabal of for-profit CAs), it's easy to ensure that a
client gets the certs (and CRLs) it needs.

The RPKI requires essentially ALL RPs to have access to the certs for
essentially ALL address space holders. It is much more logical to have a
bulk distribution mechanism to facilitate this, vs. some sort of
pairwise distribution mechanism of the sort you cite. The requirements
for cert and CRL distribution are completely different for the RPKI vs.
the Web PKI - apples vs. kumquats (as Randy might say).

Steve