Re: [Sidrops] 6486bis: referenced object validation
Job Snijders <job@ntt.net> Fri, 04 December 2020 14:37 UTC
Return-Path: <job@ntt.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B6C53A0BE7 for <sidrops@ietfa.amsl.com>; Fri, 4 Dec 2020 06:37:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h48JNLRGGNEq for <sidrops@ietfa.amsl.com>; Fri, 4 Dec 2020 06:37:27 -0800 (PST)
Received: from mail4.dllstx09.us.to.gin.ntt.net (mail4.dllstx09.us.to.gin.ntt.net [IPv6:2001:418:3ff:5::192:26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CB533A0BD4 for <sidrops@ietf.org>; Fri, 4 Dec 2020 06:37:26 -0800 (PST)
Received: from bench.sobornost.net (mieli.sobornost.net [45.138.228.4]) by mail4.dllstx09.us.to.gin.ntt.net (Postfix) with ESMTPSA id 9EF91EE007D; Fri, 4 Dec 2020 14:37:24 +0000 (UTC)
Received: from localhost (bench.sobornost.net [local]) by bench.sobornost.net (OpenSMTPD) with ESMTPA id 455543c1; Fri, 4 Dec 2020 14:37:21 +0000 (UTC)
Date: Fri, 04 Dec 2020 14:37:21 +0000
From: Job Snijders <job@ntt.net>
To: Benno Overeinder <benno@nlnetlabs.nl>
Cc: Tim Bruijnzeels <tim@nlnetlabs.nl>, SIDR Operations WG <sidrops@ietf.org>, Martin Hoffmann <martin@opennetlabs.com>, Ben Maddison <benm=40workonline.africa@dmarc.ietf.org>
Message-ID: <X8pJoTEUDwpE6iIi@bench.sobornost.net>
References: <20201203224213.gnb2nawujxm7a32q@benm-laptop> <20201204111651.4e865d7d@glaurung.nlnetlabs.nl> <X8oSBlR1pDhX83nH@bench.sobornost.net> <62CCDADA-E2B5-4354-82E5-995837633307@nlnetlabs.nl> <X8on7A4R63HYUnpz@bench.sobornost.net> <d518f9de-850c-ad10-49a5-1eee4c85fa6b@NLnetLabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <d518f9de-850c-ad10-49a5-1eee4c85fa6b@NLnetLabs.nl>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/nAp9fE6_Rs9zs-ivLuvPA8b9FGo>
Subject: Re: [Sidrops] 6486bis: referenced object validation
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 14:37:28 -0000
On Fri, Dec 04, 2020 at 02:13:40PM +0100, Benno Overeinder wrote: > Not looking back, but looking ahead, I want to focus on how we solve > issues and discuss them in sidrops. And indeed, if there is an > impasse, organise a virtual meeting and discuss the matter to make > progress. Yes, I took it as a sign of convergent thinking. Progress indeed. However, my question remains, looking forward, what can be done differently in the future? Some suggestions from my side: - SIDROPS must require multiple implementations before sending an Internet-Draft towards the IESG. To meet this requirement, Implementers should write an implementation report and share it with the group, at least detailing the behavior for each normative term. - Please listen to operators who report (hard to troubleshoot, hard to explain) network outages which resulted from RPKI processing. RPKI ROV is supposed to be an incrementally deployable 'fail open' mechanism. - Implementers should more often share/construct the actual X.509 files rather than attempting to document the hypothetical states of the RPKI in natural language (avoid English or Dutch). We can all load X.509 files into our implementations, set currenttime to the test case at hand, and discuss results. - Implementers should feel empowered to make improvements to their software (for the benefit of their users), especially if there is perceived ambiguity in RFC texts. An implementer doesn't need the blessing of the whole IETF before making a change. - Sometimes RFCs are wrong, or worse: the then-WG kicked the ball down the road and state 'up to the implementer' (aka 'local policy'); in which case the implementer will have to weigh the advantages of perceived 'RFC compliance' vs the effects of the behavior in the BGP Default-Free Zone. See the previous point. - The RPKI is a system that has been deployed on the Internet, this sometimes means operators need to quickly deploy fixes to address ongoing issues. Time is of the essence when it comes to security or reliability issues. So 'code first, RFC later', which goes well with point 1: 'implementations first, then publish RFC'. You mentioned some kind of testbed, indeed it would be wonderful if we can easily reproduce states of the RPKI and allow implementers to provide annotations on why software (versions) behaves in a certain way. The December 1st, 2020 case is definitely one I'd add to the testbed archive. > > The real goal is to keep the network running, where in this context > > our role is to create software for network operators for them to > > securely validate the wishes of the Internet number resource > > holders. > > Agree to that! > > Let's keep the good spirit of collaboration and learning together. For sure! Kind regards, Job
- [Sidrops] 6486bis: referenced object validation Ben Maddison
- Re: [Sidrops] 6486bis: referenced object validati… George Michaelson
- Re: [Sidrops] 6486bis: referenced object validati… Martin Hoffmann
- Re: [Sidrops] 6486bis: referenced object validati… Job Snijders
- Re: [Sidrops] 6486bis: referenced object validati… Tim Bruijnzeels
- Re: [Sidrops] 6486bis: referenced object validati… Ties de Kock
- Re: [Sidrops] 6486bis: referenced object validati… Job Snijders
- Re: [Sidrops] 6486bis: referenced object validati… Ties de Kock
- Re: [Sidrops] 6486bis: referenced object validati… Tim Bruijnzeels
- Re: [Sidrops] 6486bis: referenced object validati… Job Snijders
- Re: [Sidrops] 6486bis: referenced object validati… Job Snijders
- Re: [Sidrops] 6486bis: referenced object validati… Ties de Kock
- Re: [Sidrops] 6486bis: referenced object validati… Benno Overeinder
- Re: [Sidrops] 6486bis: referenced object validati… Job Snijders
- Re: [Sidrops] 6486bis: referenced object validati… Job Snijders
- Re: [Sidrops] 6486bis: referenced object validati… Tim Bruijnzeels
- Re: [Sidrops] 6486bis: referenced object validati… Lukas Tribus
- Re: [Sidrops] 6486bis: referenced object validati… Job Snijders
- Re: [Sidrops] 6486bis: referenced object validati… Tim Bruijnzeels
- Re: [Sidrops] 6486bis: referenced object validati… Job Snijders
- Re: [Sidrops] 6486bis: referenced object validati… Tony Tauber
- [Sidrops] www.rpkiviews.org - geographically dive… Job Snijders
- Re: [Sidrops] www.rpkiviews.org - geographically … Tim Bruijnzeels
- Re: [Sidrops] www.rpkiviews.org - geographically … Job Snijders