IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

Claudio Jeker <cjeker@diehard.n-r-g.com> Tue, 28 March 2023 08:54 UTC

Return-Path: <cjeker@diehard.n-r-g.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A01F6C151B18 for <sidrops@ietfa.amsl.com>; Tue, 28 Mar 2023 01:54:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VwtaP6UxqlCo for <sidrops@ietfa.amsl.com>; Tue, 28 Mar 2023 01:54:40 -0700 (PDT)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E97DC14CE2B for <sidrops@ietf.org>; Tue, 28 Mar 2023 01:54:38 -0700 (PDT)
Received: (qmail 35191 invoked by uid 1000); 28 Mar 2023 08:54:35 -0000
Date: Tue, 28 Mar 2023 10:54:35 +0200
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
To: Ben Maddison <benm@workonline.africa>
Cc: Aftab Siddiqui <me@aftabsiddiqui.com>, Job Snijders <job=40fastly.com@dmarc.ietf.org>, Amreesh Phokeer <phokeer=40isoc.org@dmarc.ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>, Aftab Siddiqui <Siddiqui@isoc.org>, Max Stucchi <stucchi@isoc.org>, Hanna Kreitem <Kreitem@isoc.org>
Message-ID: <ZCKrS8AamnpQTmnP@diehard.n-r-g.com>
References: <SJ0PR06MB7677230255CC9134CAF94E98D6879@SJ0PR06MB7677.namprd06.prod.outlook.com> <ZBxcTHebGjhJGpzh@snel> <CAB5NZESXFF68ez7NwK6s3hqYY6ChkHyu_r8jPggO3ysHQB0emA@mail.gmail.com> <ZCGdV7KRNMfaEUd9@diehard.n-r-g.com> <20230328084312.zfj2j2qaa24w5wt5@iolcus>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20230328084312.zfj2j2qaa24w5wt5@iolcus>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/jrse9NNGjLgpKOI7-b2DJZTbtFM>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 08:54:40 -0000

On Tue, Mar 28, 2023 at 05:43:12PM +0900, Ben Maddison wrote:
> Hi all,
> 
> On 03/27, Claudio Jeker wrote:
> > On Fri, Mar 24, 2023 at 11:35:35AM +1100, Aftab Siddiqui wrote:
> > > Hi Job,
> > > 
> > > 
> > > >
> > > > >      *   To make it clear “AS 0 ASPA MUST only have AS 0 as Provider
> > > > >          AS”, it doesn’t clearly mention that “normal” ASPA (non AS 0
> > > > >          ASPA) MUST NOT have AS 0 in the Provider AS.
> > > > >      *   In the absence of point ‘b’ what if AS 0 is added as Provider
> > > > >          AS in the ‘normal’ ASPA?
> > > >
> > > > I'm a bit unclear on what is meant with the above two points, can you
> > > > further clarify?
> > > >
> > > 
> > > As per the definition "An ASPA object showing only AS 0 as a provider AS is
> > > referred to as an AS0 ASPA." i.e. {CAS, AS(0)}
> > > Any ASPA which is not "AS 0 ASPA" is referred to in the draft as "normal
> > > ASPA" but it doesn't say that normal ASPA can't have AS 0 in the provider
> > > AS. i.e. {CAS, AS(139038), AS(0)}. Yes, there is no reason to have AS 0 in
> > > the provider AS but make it clear in the draft.
> >  
> > Adding AS0 to any ASPA object with other ASID in the SPAS is not altering
> > the outcome. {CAS, [AS(139038), AS(0)]} and {CAS, [AS(139038)]} are
> > equivalent. The big unsolved question is if the profile spec should limit
> > this alternative encoding (with the RP software enforcing that MUST).
> 
> This point is key. Disallowing AS0 in PAS, other than in the case that
> it is the only item doesn't actually change any behaviour or fix
> anything.
> 
> The only benefit that I can see is that we guarantee a single canonical
> representation.
> 
> Enforcing this in the ASN.1 of the profile can (I think) be done, but
> would significantly complicate the module. I'm not convinced this is a
> price worth paying.
> 
> I do not think that we should introduce new normative restrictions that
> are *not* described by the ASN.1.

But in general non-canonical forms are a big issue when it comes to X.509
since it results in unequal objects that result in the same effect.
I'm not sure if this will affect the security or not.

For the providerAS sequence there are already constrains in place:
    * The CustomerASID value MUST NOT appear in any providerASID field.
    * The elements of providers MUST be ordered in ascending numerical order
      by the value of the providerASID field.
    * Each value of providerASID MUST be unique (with respect to the other
      elements of providers).

Especially number 2 and 3 make verification that AS 0 is the only element in
the sequence fairly trivial. So adding an extra bit for AS 0 should not be
that complex.

-- 
:wq Claudio

v2.23.0 | Report a Bug | By Email