Re: [Sidrops] feedback on draft-michaelson-rpki-rta

Stephen Kent <stkent@verizon.net> Tue, 29 December 2020 16:15 UTC

To: Claudio Jeker <cjeker@diehard.n-r-g.com>
Cc: sidrops@ietf.org
References: <X+d3+e5Rj/Q7Dchv@bench.sobornost.net> <20201229101412.GA56136@diehard.n-r-g.com> <X+scpsd6kDQ72nLa@bench.sobornost.net> <49a8e314-7b3f-0e8d-6e20-7d055fb1a076@verizon.net> <20201229151639.GD56136@diehard.n-r-g.com>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <6c577d9e-05f2-fbdd-a2e1-4c49a781ebb6@verizon.net>
Date: Tue, 29 Dec 2020 11:14:57 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/gx5SQI8DzRFnU2DZrZdH6rdW8Tc>

Claudio,

> On Tue, Dec 29, 2020 at 07:58:29AM -0500, Stephen Kent wrote:
>> Claudio & Job,
>>
>> RFC 6488 (2.1.6.2) requires use of the SKI in the sid for all "signed
>> objects" in the RPKI.
>>
>> Is the proposal to not use an SKI in the RTA format compatible with this?
> No that is not what I was after.  The usage of SKI as per RFC 6488
> (2.1.6.2) is absolutely fine.  My problem with the RTA draft are these
> points of the draft (section 3):
>
>     The differences between this RTA profile and the profile specified by
>     the RPKI Digitally Signed Object template are as follows:
>
>     o  Section 2.1 of [RFC6488] specifies a single SignerInfo object.  An
>        RTA MAY contain more than one SignerInfo object.
>
>     o  Section 2.1.4, and Section 3 of [RFC6488] specify that the
>        certificates field contains a single EE certificate.  The
>        certificates field of an RTA contains precisely the same number of
>        EE certificates as there are SignerInfo objects in the RTA, where
>        each EE certificate is needed to validate the signature in each
>        SignerInfo.  In addition, the certificates field MAY contain a
>        collection of CA certificates that would allow a RP to validate
>        the EE certificates.
>
> Up until now all objects only had a single EE cert and a single SID and
> all the linking done with the SKI was a 1-to-1 mapping resulting in a
> simple tree structure with the trust anchor as root.
> This draft allows for multiple EE certs and so multiple paths up to the
> trust anchors. This makes handling RTA a lot more complex than any other
> object under RPKI. It also results in a lot more failure conditions since
> there are more EE certs involved in the validation process.
>
Thanks for the clarification.

Your characterization of the added complexity and validation failure 
possibilities is worrisome, given the trouble RPs have had just trying 
to deal with the comparatively simple RPKI signed object validation process.

Steve
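To make the validation-failure surface Claudio describes concrete, here is an added example (not code from the draft, from RFC 6488, or from any RP implementation) that checks the SignerInfo/EE-certificate linkage under the two rule sets. Certificates are modelled as hypothetical dicts carrying an SKI, an AKI and an EE flag, and the SKI values are constructed strings; a real RP would obtain these from parsed CMS and X.509 structures.

```python
from collections import Counter

# Constructed sample data: hypothetical SKI/AKI strings, not real RPKI values.
TRUST_ANCHORS = {"ta-1", "ta-2"}
CA_CERTS = [
    {"ski": "ca-a", "aki": "ta-1", "ee": False},
    {"ski": "ca-b", "aki": "ta-2", "ee": False},
]
EE_CERTS = [
    {"ski": "ee-1", "aki": "ca-a", "ee": True},
    {"ski": "ee-2", "aki": "ca-b", "ee": True},
]

def check_rfc6488(sids, certs):
    """RFC 6488 template: one SignerInfo, one EE cert, sid == that cert's SKI.
    Returns a list of problems (empty means the linkage is consistent)."""
    problems = []
    ee = [c for c in certs if c["ee"]]
    if len(sids) != 1:
        problems.append(f"expected 1 SignerInfo, got {len(sids)}")
    if len(ee) != 1:
        problems.append(f"expected 1 EE certificate, got {len(ee)}")
    if len(sids) == 1 and len(ee) == 1 and sids[0] != ee[0]["ski"]:
        problems.append("sid does not match the EE certificate SKI")
    return problems

def check_rta(sids, certs, trust_anchor_skis):
    """RTA relaxation (draft section 3): N SignerInfos, N EE certs, each sid
    naming exactly one EE cert, and optional bundled CA certs that must give
    every EE cert its own path up to a trust anchor."""
    problems = []
    ee = [c for c in certs if c["ee"]]
    cas = {c["ski"]: c for c in certs if not c["ee"]}
    if len(ee) != len(sids):
        problems.append(f"{len(sids)} SignerInfo(s) but {len(ee)} EE cert(s)")
    ski_count = Counter(c["ski"] for c in ee)
    for sid in sids:
        if ski_count.get(sid, 0) != 1:
            problems.append(f"sid {sid} matches {ski_count.get(sid, 0)} EE cert(s)")
    for cert in ee:
        # Each EE cert opens a separate path upward: follow AKI -> SKI through
        # the bundled CA certs until a trust anchor, a gap, or a loop is hit.
        cur, seen = cert, set()
        while cur["aki"] not in trust_anchor_skis:
            cur = cas.get(cur["aki"])
            if cur is None or cur["ski"] in seen:
                problems.append(f"EE {cert['ski']} has no path to a trust anchor")
                break
            seen.add(cur["ski"])
    return problems
```

Every extra SignerInfo adds one more sid lookup and one more chain walk that can fail independently, which is the multiplication of failure conditions the thread is pointing at.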