Re: [Sidrops] 6486bis: referenced object validation

Tim Bruijnzeels <tim@nlnetlabs.nl> Fri, 04 December 2020 15:58 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8907C3A0DBB for <sidrops@ietfa.amsl.com>; Fri, 4 Dec 2020 07:58:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id llzLQOgKjbYH for <sidrops@ietfa.amsl.com>; Fri, 4 Dec 2020 07:58:10 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [116.202.65.215]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE4F33A0DB4 for <sidrops@ietf.org>; Fri, 4 Dec 2020 07:58:09 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id E477C60600; Fri, 4 Dec 2020 15:58:07 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.142]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1607097486; bh=FkcWajNe1HSJWZ1imlJJcTNocmv7qa++2WtfugTUqrk=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=BQCVPRgAZZZGNXlY0Upcg8MJF9ojL1pCj2fZwD3OS6oLtlcIA8ZwpNV17kan52UwX YEeyiDsRimgF9EbD0IKlrlmE/l98KiILw+yhU0F3cH3SEyDOLMuLoEByl5Lq4+M8DX JdfBjHHxtnSQ7QLGuIiszh0TfO8IMrmmjHdVuNISy2F68JndH3LJ8ZhyFZU4m3ZGmx qWTLDOFXd24QmsKPj09sbcq2wDQJrKuE6FTVEAsJ/jI8tfX0N6KU33Iyw5/MzQevvE /sct4qAcbPgh7x/6YdrYg8ORMXCXmkdzodB4Circ+BPAbI6Aq/jSTSLJW4hWno9c3O cKC3IpV+7asJw==
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <X8pJoTEUDwpE6iIi@bench.sobornost.net>
Date: Fri, 4 Dec 2020 16:58:02 +0100
Cc: Benno Overeinder <benno@nlnetlabs.nl>, SIDR Operations WG <sidrops@ietf.org>, Martin Hoffmann <martin@opennetlabs.com>, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <953B1447-1253-4EA2-A805-5DAB9CD394D6@nlnetlabs.nl>
References: <20201203224213.gnb2nawujxm7a32q@benm-laptop> <20201204111651.4e865d7d@glaurung.nlnetlabs.nl> <X8oSBlR1pDhX83nH@bench.sobornost.net> <62CCDADA-E2B5-4354-82E5-995837633307@nlnetlabs.nl> <X8on7A4R63HYUnpz@bench.sobornost.net> <d518f9de-850c-ad10-49a5-1eee4c85fa6b@NLnetLabs.nl> <X8pJoTEUDwpE6iIi@bench.sobornost.net>
To: Job Snijders <job@ntt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/gsUkFPrXTQfvFqTuQ2WaozzEWrk>
Subject: Re: [Sidrops] 6486bis: referenced object validation
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 15:58:13 -0000

Hi Job, all,

> On 4 Dec 2020, at 15:37, Job Snijders <job@ntt.net> wrote:
> 
> On Fri, Dec 04, 2020 at 02:13:40PM +0100, Benno Overeinder wrote:
>> Not looking back, but looking ahead, I want to focus on how we solve
>> issues and discuss them in sidrops.  And indeed, if there is an
>> impasse, organise a virtual meeting and discuss the matter to make
>> progress.
> 
> Yes, I took it as a sign of convergent thinking. Progress indeed.
> 
> However, my question remains, looking forward, what can be done
> differently in the future?
> 
> Some suggestions from my side:

Thank you for taking the time to suggest ways to improve!

We can continue this discussion here, or perhaps even have a separate thread on this. I don't really mind either way. I am just happy with this effort.

>    - SIDROPS must require multiple implementations before sending an
>      Internet-Draft towards the IESG. To meet this requirement,
>      Implementers should write an implementation report and share it
>      with the group, at least detailing the behavior for each normative
>      term.

works for me

>    - Please listen to operators who report (hard to troubleshoot, hard
>      to explain) network outages which resulted from RPKI processing.
>      RPKI ROV is supposed to be an incrementally deployable 'fail open'
>      mechanism.

Yes, of course.

Also listen to software implementers, and RPKI infrastructure (CA/repo) operators, or anyone who speaks up here. People who do, do so because they all believe strongly in making things better. So, respect each other and trust people's motives. When there is pushback perceived, then this is most likely because the other party is trying to make a point, and not necessarily because they don't acknowledge your issue.

And before I offend anyone with this.. we all suffer from cognitive bias in how we read what the other people wrote, and might have thought, or not said, etc. So, really I mean this as a constructive thought. 1-on-1 emails may also help to get some clarity - now that we do not get to meet anyone in person, before mis communications get out of hand.


>    - Implementers should more often share/construct the actual X.509
>      files rather than attempting to document the hypothetical states
>      of the RPKI in natural language (avoid English or Dutch). We can
>      all load X.509 files into our implementations, set currenttime to
>      the test case at hand, and discuss results.

There has been talk of an effort in the dark past, which was abandoned. But in short, yes, I think it would be great if we had a way to achieve this.

>    - Implementers should feel empowered to make improvements to their
>      software (for the benefit of their users), especially if there is
>      perceived ambiguity in RFC texts. An implementer doesn't need the
>      blessing of the whole IETF before making a change.
> 
>    - Sometimes RFCs are wrong, or worse: the then-WG kicked the ball
>      down the road and state 'up to the implementer' (aka 'local
>      policy'); in which case the implementer will have to weigh the
>      advantages of perceived 'RFC compliance' vs the effects of the
>      behavior in the BGP Default-Free Zone. See the previous point.
> 
>    - The RPKI is a system that has been deployed on the Internet, this
>      sometimes means operators need to quickly deploy fixes to address
>      ongoing issues. Time is of the essence when it comes to security
>      or reliability issues. So 'code first, RFC later', which goes well
>      with point 1: 'implementations first, then publish RFC'.

On the above three points. Generally speaking plausible, and agreed. However, it's not always easy to achieve.

On 6486 in particular there was a strong desire communicated by operators that RPs behave the *same* way. Which is why we were hesitant to implement the changes suggested by you in the GH issue. In fact we even agree with the approach in the issue. But it's different from where the -bis text is headed until now. We felt that the desire for universal behaviour (-bis) outweighed the rush to make a quick change here. You are welcome to disagree with that assessment, but understand that there was well intended reasoning behind it.

> You mentioned some kind of testbed, indeed it would be wonderful if we
> can easily reproduce states of the RPKI and allow implementers to
> provide annotations on why software (versions) behaves in a certain
> way. The December 1st, 2020 case is definitely one I'd add to the
> testbed archive.

It would be. I think this is an effort in itself. Do you have a proposal in mind?

> 
>>> The real goal is to keep the network running, where in this context
>>> our role is to create software for network operators for them to
>>> securely validate the wishes of the Internet number resource
>>> holders.
>> 
>> Agree to that!
>> 
>> Let's keep the good spirit of collaboration and learning together.
> 
> For sure!


For sure!

Tim

> 
> Kind regards,
> 
> Job