Re: [Sidrops] RIPE NCC RPKI pilot for ASPA objects

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Tue, 06 December 2022 17:05 UTC


Hi Erik,

Thank you for the work. Just for my clarification... why does the terminology in the RIPE ASPA configuration API not seem to match that in the ASPA profile draft (v-11)?

'RIPE ASPA configuration API' vs. 'ASPA profile draft':
customerAsn  <-->  customerASID
ProviderASSet  <-->  providers
providerAsn  <-->  providerASID
afiLimit  <-->  afiLimit  (this matches)

For the afiLimit, the profile draft (v-11) says... "if present... the value MUST be either 0001 or 0002."
But the RIPE ASPA configuration API seems to allow a value ANY. The example in your post says: { "providerAsn": "AS64500", "afiLimit": "ANY" }.

Sriram 

--------------------------------
From: Erik Rozendaal <erozendaal@ripe.net> Mon, 21 November 2022 14:00 UTC

ASPA (Autonomous System Provider Authorisation[1]) is a new RPKI
object type and the first additional object type supported by the RIPE
NCC RPKI software since its original introduction. ASPA is currently
in draft status, and we implemented draft version 11 of the object
profile [2].

We built this ASPA pilot to help the community advance the work in the
IETF SIDR Operations (SIDROPS) working group. The initial version runs
in the RIPE NCC localcert[3] pilot environment, and we plan to make it
available in the production environment soon after the ASPA proposal
reaches RFC status.

Below you can find the description of the RIPE NCC RPKI ASPA
configuration API. Please contact us at sw-enhancements@ripe.net if
you have any questions or problems.

# ASPA configuration API

The ASPA configuration can only be retrieved and updated in this pilot
environment using the RPKI Management API[4]. We added two new API
endpoints for ASPA:

## Retrieve the current ASPA configuration

API endpoint: `GET /api/rpki/aspa`

Returns a JSON representation of your current ASPA configuration and
an `entityTag`. This `entityTag` describes the current version of the
configuration.

Example response body:

    {
      "entityTag": "\"PUwiLtHQSA9LqD5mvUW3Rp7WqPCsS28p/5a52N9AcS8=\"",
      "aspaConfigurations": [{
          "customerAsn": "AS64496",
          "providers": [
              { "providerAsn": "AS64500", "afiLimit": "ANY" }
          ]
      }]
    }

## Update the ASPA configuration

API endpoint: `PUT /api/rpki/aspa`

Atomically replaces the current ASPA configuration with the provided
configuration. You must provide the `entityTag` of your current
configuration in the `ifMatch` field. If the provided tag no longer
matches, you will get an `HTTP 412 precondition failed`[5]
response. This mechanism prevents conflicting updates of the ASPA
configuration.

After the configuration is updated, the RIPE NCC RPKI system will
update the ASPA CMS objects and publish them to the RIPE NCC RPKI
repositories. This process usually takes less than 30 minutes but may
be slower, with a long tail up to the time limit described in our CPS.

Example request body:

    {
      "ifMatch": "\"PUwiLtHQSA9LqD5mvUW3Rp7WqPCsS28p/5a52N9AcS8=\"",
      "aspaConfigurations": [{
        "customerAsn": "AS64496",
        "providers": [
            { "providerAsn": "AS64500", "afiLimit": "IPv4" }
        ]
      }]
    }

Note: it is also possible to use the HTTP `ETag`[6] response header
and `If-Match`[7] request header instead of the JSON object fields.

## ASPA configuration JSON

The ASPA configuration JSON has the following format. All fields are
required:

`aspaConfigurations`: a (possibly empty) list of ASPA configuration
objects with two fields: customerAsn and providers.

`customerAsn`: your ASN, which must be part of your certified
resources.

`providers`: a non-empty list of objects with two fields:
`providerAsn` and `afiLimit`.

`providerAsn`: the ASN of the authorised provider or internet exchange
point route server.

`afiLimit`: one of `ANY`, `IPv4`, or `IPv6` (case sensitive) to limit
the kind of traffic that is authorised.

# References

[1]: https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-profile/
[2]: https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification
[3]: https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/rpki-test-environment
[4]: https://www.ripe.net/support/documentation/developer-documentation/rpki-management-api
[5]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/412
[6]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag
[7]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Match
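As an added example (not code from either post or from the RIPE NCC software), the optimistic-concurrency update described above: a client that GETs the configuration, edits a copy, PUTs it with the current `entityTag` in `ifMatch`, and starts over from a fresh GET when it receives a 412. The service is an in-memory stand-in constructed here; its tag format, and its answering 400 to a body that breaks the field rules, are assumptions rather than documented behaviour.

```python
import copy, hashlib, json

VALID_AFI = {"ANY", "IPv4", "IPv6"}  # case sensitive, as the API description states

def entity_tag(aspa_configurations):
    # Constructed tag: SHA-256 of the canonical JSON. The real tag is opaque; only equality matters.
    canonical = json.dumps(aspa_configurations, sort_keys=True).encode()
    return '"' + hashlib.sha256(canonical).hexdigest() + '"'

def validate(aspa_configurations, certified_asns):
    # Field rules from the "ASPA configuration JSON" section; returns None if valid, else a reason.
    for cfg in aspa_configurations:
        if set(cfg) != {"customerAsn", "providers"}: return "need exactly customerAsn and providers"
        if cfg["customerAsn"] not in certified_asns: return f"{cfg['customerAsn']} is not certified"
        if not cfg["providers"]: return "providers must be a non-empty list"
        for prov in cfg["providers"]:
            if set(prov) != {"providerAsn", "afiLimit"}: return "need exactly providerAsn and afiLimit"
            if prov["afiLimit"] not in VALID_AFI: return f"afiLimit {prov['afiLimit']!r} not in {sorted(VALID_AFI)}"

class FakeAspaService:
    # In-memory stand-in for GET/PUT /api/rpki/aspa (constructed). The 412 follows the post;
    # answering 400 to an invalid body is an assumption about the real service.
    def __init__(self, certified_asns):
        self.certified, self.config = set(certified_asns), []
    def get(self):
        return 200, {"entityTag": entity_tag(self.config), "aspaConfigurations": self.config}
    def put(self, body):
        if body["ifMatch"] != entity_tag(self.config):
            return 412, {"error": "precondition failed: entityTag is stale"}
        error = validate(body["aspaConfigurations"], self.certified)
        if error:
            return 400, {"error": error}
        self.config = copy.deepcopy(body["aspaConfigurations"])
        return 200, {"entityTag": entity_tag(self.config), "aspaConfigurations": self.config}

def add_provider(service, customer_asn, provider_asn, afi_limit, max_attempts=3):
    # Read-modify-write: fetch the tag, edit a copy, PUT with ifMatch; on 412 (a concurrent
    # writer changed the configuration) re-fetch and retry rather than overwrite blindly.
    for _ in range(max_attempts):
        _, current = service.get()
        cfgs = copy.deepcopy(current["aspaConfigurations"])
        entry = next((c for c in cfgs if c["customerAsn"] == customer_asn), None)
        if entry is None:
            cfgs.append(entry := {"customerAsn": customer_asn, "providers": []})
        entry["providers"].append({"providerAsn": provider_asn, "afiLimit": afi_limit})
        status, body = service.put({"ifMatch": current["entityTag"], "aspaConfigurations": cfgs})
        if status != 412:
            return status, body
    raise RuntimeError("gave up after repeated 412 responses")
```

Against the real endpoint the same loop applies with `requests` (or the `ETag`/`If-Match` headers the post mentions) in place of the fake service; the point is that a stale tag is never retried blindly, so two operators editing the same configuration cannot silently drop each other's providers.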