Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-profile-15.txt
Job Snijders <job@fastly.com> Tue, 13 June 2023 17:55 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B7D2C151098 for <sidrops@ietfa.amsl.com>; Tue, 13 Jun 2023 10:55:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QTmgIwbJGVuG for <sidrops@ietfa.amsl.com>; Tue, 13 Jun 2023 10:55:52 -0700 (PDT)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86EAAC151099 for <sidrops@ietf.org>; Tue, 13 Jun 2023 10:55:52 -0700 (PDT)
Received: by mail-pl1-x62a.google.com with SMTP id d9443c01a7336-1b3f66dda65so5050305ad.1 for <sidrops@ietf.org>; Tue, 13 Jun 2023 10:55:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1686678952; x=1689270952; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=Ps4lLHf7zM6M5QLv78XQsD5FXKWNoiIsql3ut8DRuvI=; b=lnasicEOCnYSOyU3UA0j0gtmEgYwL4Ta8jTCkGwzFIV/pY0JRxkahiIl3vOS4E9xLU oyy99WG4T7YA/n9Y/3Syby0jFzN3FtGkU5r8Ihg0Gk4XVDsra5XYNridvWP4YFaKnSAK sX5Z1wz6eYMn7LbT3TZV+ECySFBy666awToTQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686678952; x=1689270952; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Ps4lLHf7zM6M5QLv78XQsD5FXKWNoiIsql3ut8DRuvI=; b=K1PQPn/H7BK+fMy7feqThcQq6yuKbbVH/46rqYqHdks87K5eTNnbqGT00WHzMU1BX1 qc78dU3UWONPBXgQQr+OiQARpZyk4vYt/hQqUAVXasN+z6dgYTo6YNbAgXpbF6QLdCdM bR7vkcefpinmNpOkkjKZLXJJryPEf0MjWKwwzYvocBPbKWLUm3NMTuGVAWQusmt3X4ZU s735WnBSdlliwH710C6uD/nyS8i003WhBDl0eqC5jznbtZbpbSp0f25YSPDGP7hqZcuk xXn0ze5M6OCo5PhobFaSSDw8WjuO6EvuXktYO8LOshifxc1mNnx1CaNTaHbP+iqSXf02 ualQ==
X-Gm-Message-State: AC+VfDwH8GdcJaGEsKJBXh+tYfxPYXTJ14lYEaNdaJzFN2CSLxKU/Xm7 gEsgESIGk27c+C0PIznbXfltBr5WwidYBzYCdMTY5aTZOZjzw6i+4bjTe6Nc1tI03G/pxG30lcv sBS4budCsySSAPujYwn6d0DFfc0kEze2054T5smJ2GMCYmIm6HGxnJyjuw+9U
X-Google-Smtp-Source: ACHHUZ5tWb8v6nrYVhfeeLG42kTvBfGXKGGc8wrPKLjBgulfTpxM+/HFqjWXYqRAghaWRMQJXXnw1A==
X-Received: by 2002:a17:903:22d0:b0:1b3:cdfc:3e28 with SMTP id y16-20020a17090322d000b001b3cdfc3e28mr8893449plg.23.1686678951461; Tue, 13 Jun 2023 10:55:51 -0700 (PDT)
Received: from feather.sobornost.net ([50.237.87.214]) by smtp.gmail.com with ESMTPSA id q13-20020a170902dacd00b001b1a2bf5277sm3858959plx.39.2023.06.13.10.55.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Jun 2023 10:55:50 -0700 (PDT)
Date: Tue, 13 Jun 2023 17:55:49 +0000
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <ZIitpTWScXigugLD@feather.sobornost.net>
References: <168621843689.33017.6897451444105786551@ietfa.amsl.com> <ZIGogKIH4Srb8Nxt@snel> <20230608181440.33d6926f@glaurung.nlnetlabs.nl> <0C543A94-F70E-4A40-8350-C98FAAB5A9B5@vigilsec.com> <D100381E-6498-4EAD-B056-18F89836C097@ripe.net> <96D52BC8-C3BA-43C8-90E1-DD2621C2292F@vigilsec.com> <20230613094413.364aaa8c@smaug.local.partim.org> <26E1759F-08FA-430D-8F89-BDC6C3DC4B9D@vigilsec.com> <20230613150156.29022a0e@glaurung.nlnetlabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20230613150156.29022a0e@glaurung.nlnetlabs.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/hGXWlPmSR9C9jzax-MBbecMam-I>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-profile-15.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2023 17:55:56 -0000
On Tue, Jun 13, 2023 at 03:01:56PM +0200, Martin Hoffmann wrote:
> Russ Housley wrote:
> > I do not think we want to have decode failures if the INTEGERS are
> > not in sort order.
>
> I agree, but in the past the consensus in this group has been to
> rigorously reject objects that have something wrong with them. By that
> consensus, an ASPA with unsorted provider ASNs would be rejected on
> grounds of violating the MUST further down. In which case it might as
> well be rejected during decoding.
It seems not every deserializer implementation rejects DER during
decoding if the DER contains a SET OF (unsorted, duplicate) INTEGERS.
Example:
$ echo 310f020107020102020109020107020103 | xxd -r -ps | openssl asn1parse -inform DER
0:d=0 hl=2 l= 15 cons: SET
2:d=1 hl=2 l= 1 prim: INTEGER :07
5:d=1 hl=2 l= 1 prim: INTEGER :02
8:d=1 hl=2 l= 1 prim: INTEGER :09
11:d=1 hl=2 l= 1 prim: INTEGER :07
14:d=1 hl=2 l= 1 prim: INTEGER :03
$ echo $?
0
I suspect the trouble for the deserializer in the above example is that
there is ambiguity in the input data: what encoding rules apply?
With relying parties being unable to rely on (potentially missing)
implicit behaviour of decoders, it seems better to me to specify the
structure of the ASPA eContent data using a SEQUENCE OF, and be explicit
in describing the canonical form. This will help avoid potential
inconsistencies between implementations.
Kind regards,
Job
- [Sidrops] I-D Action: draft-ietf-sidrops-aspa-pro… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Claudio Jeker
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Tim Bruijnzeels
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Tom Harrison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Di Ma
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Theo Buehler
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann