Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-07.txt
Russ Housley <housley@vigilsec.com> Fri, 20 May 2022 17:52 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7B9DC1B92B2 for <sidrops@ietfa.amsl.com>; Fri, 20 May 2022 10:52:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7oaPrGypwVzA for <sidrops@ietfa.amsl.com>; Fri, 20 May 2022 10:52:06 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E92FAC19E87C for <sidrops@ietf.org>; Fri, 20 May 2022 10:52:05 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 7D6F5103050; Fri, 20 May 2022 13:52:04 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 685CD1035AE; Fri, 20 May 2022 13:52:04 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20220520135826.23h6eaurre7zvqxs@benm-laptop>
Date: Fri, 20 May 2022 13:52:03 -0400
Cc: Randy Bush <randy@psg.com>, Job Snijders <job@fastly.com>, "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <17C2DA7E-A5CB-49EE-8148-FB223A12D992@vigilsec.com>
References: <165298105049.28270.14685971986743868185@ietfa.amsl.com> <YoZ/bsYUeHpCW3Mc@snel> <D55CE24C-36E2-4976-84BB-BDB19E0E2CC2@vigilsec.com> <DB9P190MB10839201BF38E8D1BCD485BBC0D09@DB9P190MB1083.EURP190.PROD.OUTLOOK.COM> <3BDB58DF-0431-4676-9606-611C129A4B0B@vigilsec.com> <m2o7ztfe4d.wl-randy@psg.com> <20220520012253.zu4abj7kotvg3m3z@benm-laptop> <80AD7E72-1F42-4314-B0A8-69819904F2EB@vigilsec.com> <20220520135826.23h6eaurre7zvqxs@benm-laptop>
To: Ben Maddison <benm@workonline.africa>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/guz3s8uOCrsBcb5tqdBAlF49bB8>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-07.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 May 2022 17:52:08 -0000
Ben:
>>>>> Sorry that I was not clear. Since the goal is to align with RFC 3779,
>>>>> we should use the same definition as was used there, which is OCTET
>>>>> STRING (SIZE (2..3)).
>>>>
>>>> this makes more sense to me, as i do not see a win in having rules that
>>>> apply on wednesdays and fridays and not on other days of the week. one
>>>> wants to be able to write tools that are not complicated unnecesarily.
>>>>
>>> I think I am explaining the intent poorly. I will try again.
>>>
>>> The intent is not to align with the ASN.1 definitions of 3779, but with
>>> the DER wire-format produced by implementations of 3779.
>>>
> [..]
>>>
>>> In the specific case of the addressFamily field, allowing the SAFI-byte
>>> in the ASN.1, but then requiring that it MUST be absent in normative
>>> text (as is the case in other RPKI RFCs, e.g. 6487) would run contrary
>>> to the above goals.
>>> Implementors would be forced to do the constraint check by hand, even if
>>> they were generating the other constraints from the ASN.1 definitions.
>>>
>>> Hope that makes more sense?
>>
>> Not for me. As you explain, you want compatibility with the library.
>> It produces a 2 octet value. That is compatible with OCTET STRING
>> (SIZE (2..3)).
>>
> Yes, agreed. It is also compatible with OCTET STRING (SIZE (2)).
>
>> I do not want someone to encode a value with the ASN.1 in RFC 3779 and
>> then have a decode failure by an implementation that uses this ASN.1.
>>
> Not all possible values of 3779 types are permitted in the eContent of
> an RSC.
>
> If someone encodes a value using an 3779 implementation that, for
> example, contains 'inherit' or a 3-octet addressFamily, puts that value
> in the eContent of an RSC, and then tries to decode the object, then a
> decode error *is* the proper outcome.
This is the RFC 3779 syntax:
IPAddrBlocks ::= SEQUENCE OF IPAddressFamily
IPAddressFamily ::= SEQUENCE { -- AFI & optional SAFI --
addressFamily OCTET STRING (SIZE (2..3)),
ipAddressChoice IPAddressChoice }
IPAddressChoice ::= CHOICE {
inherit NULL, -- inherit from issuer --
addressesOrRanges SEQUENCE OF IPAddressOrRange }
IPAddressOrRange ::= CHOICE {
addressPrefix IPAddress,
addressRange IPAddressRange }
IPAddressRange ::= SEQUENCE {
min IPAddress,
max IPAddress }
IPAddress ::= BIT STRING
The inherit part has nothing to do with the size of the OCTET STRING.
The OCTET STRING (SIZE (2..3)) is explained with this code:
The addressFamily element is an OCTET STRING containing a two-octet
Address Family Identifier (AFI), in network byte order, optionally
followed by a one-octet Subsequent Address Family Identifier (SAFI).
AFIs and SAFIs are specified in [IANA-AFI] and [IANA-SAFI],
respectively.
I understand that you are saying that the third octet will never be present in this context.
The difference in our position is whether a decode failure should happen if someone put it there. In my view, a decode error creates an additional barriers to debugging.
Russ
- [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ben Maddison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Randy Bush
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ben Maddison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ben Maddison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… George Michaelson
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Theo Buehler
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley