Re: [Sidrops] ASPA Validation section in draft-ietf-sidrops-aspa-profile-07
Job Snijders <job@fastly.com> Thu, 31 March 2022 13:36 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EC723A0FE3 for <sidrops@ietfa.amsl.com>; Thu, 31 Mar 2022 06:36:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qFak-iuHcOs5 for <sidrops@ietfa.amsl.com>; Thu, 31 Mar 2022 06:36:47 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B6903A0EAF for <sidrops@ietf.org>; Thu, 31 Mar 2022 06:36:47 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id p15so48132990ejc.7 for <sidrops@ietf.org>; Thu, 31 Mar 2022 06:36:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=hd3OSHmg7MXCooVr2VzlTJKO8a11EIufq93NygDy6xQ=; b=Oj5V4c/+UN66iiwZohrcAEyxebAdAwp7Ubv3AyfP9ZPtnJsEWEpxU9RPudZcSjwePC ZMRXi7mMRNt/MvDCjCG9prynNaQLLUz39q0HC4TkFOWU7HZXrUH6msJ1FuRiRR0l3cYJ Bx2PHUAawQOhjvH0BHSqut8twnkqh0Zk4+lDE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=hd3OSHmg7MXCooVr2VzlTJKO8a11EIufq93NygDy6xQ=; b=GmzOX40NlhmQtIjE4wdydjb/kbcVmSsp6qNI0votr9VrqJFPaLF4fxBLFkNyxVvcaZ coZTpqngyTYxriZVwPy3j6heBpISnywW6dQqVm8axZ1E+q/gguMFhgUdchb23v611nG6 YDD0wLTr3uownvVXG9hPQmHFC/IJRsBiYe/w9t9xEKf/UiaRhGmquIUSBZ4UGgfBCh7V PZZKGo8mcsb9zZ2GJRrI6xmuTT6fCJSbEKQ5XbUIOICh8xs/MNrdzONk4d5mH5/nTqvB NB0eC7MZYvTXz6VHeE4XHpfmAhmi1HPjFVWAA87yO0gqoqn0q/xCDFhVaJxLruLbUg4z tZsQ==
X-Gm-Message-State: AOAM532fTQ/jhAzYR43g4M4tsvHoogFb17AcKfFw4ktQ/g7ovXvBqMhw 4JtfeA5LVMVUj8gvwLZIr3qpIg/7F0jcsw==
X-Google-Smtp-Source: ABdhPJwv/ccwrwLeu2yVCNlE/oWtWN1x/kBGxv5hHXQdPU1+gaaD8oAJFNaiVx1v0fh0WnjNo0A8Fg==
X-Received: by 2002:a17:906:cc93:b0:6e0:afec:b005 with SMTP id oq19-20020a170906cc9300b006e0afecb005mr4933189ejb.219.1648733805627; Thu, 31 Mar 2022 06:36:45 -0700 (PDT)
Received: from snel ([2a10:3781:276:2:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id hr13-20020a1709073f8d00b006dfcc331a42sm9309980ejc.203.2022.03.31.06.36.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 31 Mar 2022 06:36:44 -0700 (PDT)
Date: Thu, 31 Mar 2022 15:36:42 +0200
From: Job Snijders <job@fastly.com>
To: Ties de Kock <tdekock@ripe.net>
Cc: SIDR Operations WG <sidrops@ietf.org>
Message-ID: <YkWuagAbTc+7mE77@snel>
References: <E6E5618C-31D1-4555-B848-236511D4D575@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <E6E5618C-31D1-4555-B848-236511D4D575@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/e0n_HITb7_sbhJlPNFH8fRQmpy4>
Subject: Re: [Sidrops] ASPA Validation section in draft-ietf-sidrops-aspa-profile-07
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 13:36:53 -0000
Hi Ties, Thanks for reviewing On Thu, Mar 31, 2022 at 02:32:28PM +0200, Ties de Kock wrote: > I just reviewed a parser/generator for the ASPA object profile, and I > realised that the ASPA validation section currently only includes a > single ASPA-specific validation step. I want to propose expanding this > section. > > At a minimum, I would recommend that this section (also) lists checks > that ensure that: > > * The version is 0 I think this already is covered in the draft: § 3.1 states "The version number of the ASProviderAttestation MUST be v0." The above type of text triggers RP developers to implement checks like these: https://github.com/openbsd/src/blob/326af693966ccfc600796f445a88b37549ae3e64/usr.sbin/rpki-client/roa.c#L276-L294 > * The eContentType and content-type signed attribute contain the > correct OID. I think those aspects are covered through RFC 6488, specially § 2.1.3.1 "The eContentType is an OID specifying the type of payload in this signed object and MUST be specified by the Internet Standards Track document that defines the object. > Please let me know what you think. Section 4 of draft-ietf-sidrops-aspa-profile seems to have taken inspiration from RFC 6493 (GBRs) and RFC 6482 (ROAs)'s section on validation, by referencing to RFC 6488. This makes for concise text. Personally I think there is an advantage to making it very clear the RPKI signed object template model is followed, rather than (redundantly) outlining (a subset of) the full decision tree. On the other hand, perhaps this type of section historically has suffered from brevity, and more elaboration is useful? I'm somewhat undecided. Kind regards, Job
- [Sidrops] ASPA Validation section in draft-ietf-s… Ties de Kock
- Re: [Sidrops] ASPA Validation section in draft-ie… Job Snijders
- Re: [Sidrops] ASPA Validation section in draft-ie… Ties de Kock
- Re: [Sidrops] ASPA Validation section in draft-ie… Job Snijders