Re: [Sidrops] RFC 8360 / 6487 (Was: RPKI Outage Post-Mortem)

Tim Bruijnzeels <tim@nlnetlabs.nl> Fri, 15 January 2021 11:22 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/lnZ-sEEKGEgE7hO9LmTRPr4_FIc>

Hi Job, all,

This might be of renewed interest:
https://tools.ietf.org/html/draft-va-sidrops-deploy-reconsidered-01

Presented at IETF104:
https://www.ietf.org/proceedings/104/slides/slides-104-sidrops-deployment-of-validation-reconsidered-00

The 8360 approach had some controversy in the past. But I would be happy to see a constructive discussion on its deployability. The document above is an attempt at starting that dialogue.

Tim



> On 12 Jan 2021, at 20:27, Job Snijders <job@sobornost.net> wrote:
> 
> Dear group (specifically George, Geoff, Tim, Carlos, Andrew & Daniel),
> 
> I'd like to ask SIDROPS to read this message
> https://www.ripe.net/ripe/mail/archives/routing-wg/2021-January/004220.html
> (please ignore point 1 & 2 as those are now resolved) 
> 
> What is the current plan to get RFC 8360 deployed at scale? Is this on
> anyone's radar?
> 
> The spec has been in the making for ~ 8 years and seems to contain a lot of
> valuable insight. To me RFC 8360 seems to be to RPKI what RFC 7606 is to
> BGP. A revision to increase operational robustness, except... 7606
> actually got deployed :-)
> 
> Which of the Trust Anchors will be first to flip the switch?
> 
> Or... do CA implementers & operators consider jumping to the new RFC
> 8360 codepoint too risky of a move... and should an alternative strategy
> be devised?
> 
> Was it (in hindsight) a mistake to not deprecate RFC 6487, but instead
> specify a new optional alternative policy?
> 
> Kind regards,
> 
> Job
> 