Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-07.txt
Russ Housley <housley@vigilsec.com> Fri, 20 May 2022 17:52 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7B9DC1B92B2 for <sidrops@ietfa.amsl.com>; Fri, 20 May 2022 10:52:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7oaPrGypwVzA for <sidrops@ietfa.amsl.com>; Fri, 20 May 2022 10:52:06 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E92FAC19E87C for <sidrops@ietf.org>; Fri, 20 May 2022 10:52:05 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 7D6F5103050; Fri, 20 May 2022 13:52:04 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 685CD1035AE; Fri, 20 May 2022 13:52:04 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20220520135826.23h6eaurre7zvqxs@benm-laptop>
Date: Fri, 20 May 2022 13:52:03 -0400
Cc: Randy Bush <randy@psg.com>, Job Snijders <job@fastly.com>, "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <17C2DA7E-A5CB-49EE-8148-FB223A12D992@vigilsec.com>
References: <165298105049.28270.14685971986743868185@ietfa.amsl.com> <YoZ/bsYUeHpCW3Mc@snel> <D55CE24C-36E2-4976-84BB-BDB19E0E2CC2@vigilsec.com> <DB9P190MB10839201BF38E8D1BCD485BBC0D09@DB9P190MB1083.EURP190.PROD.OUTLOOK.COM> <3BDB58DF-0431-4676-9606-611C129A4B0B@vigilsec.com> <m2o7ztfe4d.wl-randy@psg.com> <20220520012253.zu4abj7kotvg3m3z@benm-laptop> <80AD7E72-1F42-4314-B0A8-69819904F2EB@vigilsec.com> <20220520135826.23h6eaurre7zvqxs@benm-laptop>
To: Ben Maddison <benm@workonline.africa>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/guz3s8uOCrsBcb5tqdBAlF49bB8>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-07.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 May 2022 17:52:08 -0000
Ben: >>>>> Sorry that I was not clear. Since the goal is to align with RFC 3779, >>>>> we should use the same definition as was used there, which is OCTET >>>>> STRING (SIZE (2..3)). >>>> >>>> this makes more sense to me, as i do not see a win in having rules that >>>> apply on wednesdays and fridays and not on other days of the week. one >>>> wants to be able to write tools that are not complicated unnecesarily. >>>> >>> I think I am explaining the intent poorly. I will try again. >>> >>> The intent is not to align with the ASN.1 definitions of 3779, but with >>> the DER wire-format produced by implementations of 3779. >>> > [..] >>> >>> In the specific case of the addressFamily field, allowing the SAFI-byte >>> in the ASN.1, but then requiring that it MUST be absent in normative >>> text (as is the case in other RPKI RFCs, e.g. 6487) would run contrary >>> to the above goals. >>> Implementors would be forced to do the constraint check by hand, even if >>> they were generating the other constraints from the ASN.1 definitions. >>> >>> Hope that makes more sense? >> >> Not for me. As you explain, you want compatibility with the library. >> It produces a 2 octet value. That is compatible with OCTET STRING >> (SIZE (2..3)). >> > Yes, agreed. It is also compatible with OCTET STRING (SIZE (2)). > >> I do not want someone to encode a value with the ASN.1 in RFC 3779 and >> then have a decode failure by an implementation that uses this ASN.1. >> > Not all possible values of 3779 types are permitted in the eContent of > an RSC. > > If someone encodes a value using an 3779 implementation that, for > example, contains 'inherit' or a 3-octet addressFamily, puts that value > in the eContent of an RSC, and then tries to decode the object, then a > decode error *is* the proper outcome. This is the RFC 3779 syntax: IPAddrBlocks ::= SEQUENCE OF IPAddressFamily IPAddressFamily ::= SEQUENCE { -- AFI & optional SAFI -- addressFamily OCTET STRING (SIZE (2..3)), ipAddressChoice IPAddressChoice } IPAddressChoice ::= CHOICE { inherit NULL, -- inherit from issuer -- addressesOrRanges SEQUENCE OF IPAddressOrRange } IPAddressOrRange ::= CHOICE { addressPrefix IPAddress, addressRange IPAddressRange } IPAddressRange ::= SEQUENCE { min IPAddress, max IPAddress } IPAddress ::= BIT STRING The inherit part has nothing to do with the size of the OCTET STRING. The OCTET STRING (SIZE (2..3)) is explained with this code: The addressFamily element is an OCTET STRING containing a two-octet Address Family Identifier (AFI), in network byte order, optionally followed by a one-octet Subsequent Address Family Identifier (SAFI). AFIs and SAFIs are specified in [IANA-AFI] and [IANA-SAFI], respectively. I understand that you are saying that the third octet will never be present in this context. The difference in our position is whether a decode failure should happen if someone put it there. In my view, a decode error creates an additional barriers to debugging. Russ
- [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ben Maddison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Randy Bush
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ben Maddison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ben Maddison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… George Michaelson
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Theo Buehler
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley