Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-profile-15.txt
Ties de Kock <tdekock@ripe.net> Fri, 23 June 2023 13:00 UTC
Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83A82C14EB1E for <sidrops@ietfa.amsl.com>; Fri, 23 Jun 2023 06:00:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.995
X-Spam-Level:
X-Spam-Status: No, score=-6.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eNJEI3zGxFBG for <sidrops@ietfa.amsl.com>; Fri, 23 Jun 2023 06:00:05 -0700 (PDT)
Received: from mail-mx-2.ripe.net (mail-mx-2.ripe.net [IPv6:2001:67c:2e8:11::c100:1312]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30C2FC151078 for <sidrops@ietf.org>; Fri, 23 Jun 2023 06:00:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Cc:Date:Subject:Mime-Version:Content-Type:Message-Id:From ; bh=NLMb/2XhwAV6Nlru0uyikv7LSjsUOAoAKUbgodosQZs=; b=h0a1tm4YjcRcq7qdTjuDqfbs CFNViy976Y18qtpTEF6vWXCUiHVWaS2FpD5VINCOo3/X8gQHoJhGWYzjY2ZNTiY3og5LI1MeLASNX MXgA2RZg8fQ/4/hU8yEuFvMgjwTV3awucWuKlNc6q8SJMJ0UEHCNpkfrdLydW1X9Y6T+Aq0Wjk/6C +U63/nlmuf86KKwsbLzz1AGiW3SRDcBzsF5O8lWLOYoQl4TS7xbaFipms0AtWRs3UvRbYnS+l5124 RjUKlCv3fLlZlOUCKoqR5lujP9bCUrpv0YBDBuEAXU7Pl3yVmZh2je2Ae41LCSbPFpDdPgmoY3lGb 8CHkXZQTPQ==;
Received: from allealle.ripe.net ([2001:67c:2e8:23::c100:170c]:46856) by mail-mx-2.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <tdekock@ripe.net>) id 1qCgOO-00DaWG-2E; Fri, 23 Jun 2023 13:00:00 +0000
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=smtpclient.apple) by allealle.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <tdekock@ripe.net>) id 1qCgOO-0005uL-1z; Fri, 23 Jun 2023 13:00:00 +0000
From: Ties de Kock <tdekock@ripe.net>
Message-Id: <8A5BE901-0BF5-4EDB-9612-ECC297C24D60@ripe.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0721789C-6E91-4786-8956-51640AC7C4F0"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Fri, 23 Jun 2023 14:59:50 +0200
In-Reply-To: <04D76EAA-AD2E-4A76-8709-0D063E4310EA@ripe.net>
Cc: SIDR Operations WG <sidrops@ietf.org>
To: Job Snijders <job=40fastly.com@dmarc.ietf.org>
References: <168621843689.33017.6897451444105786551@ietfa.amsl.com> <ZIGogKIH4Srb8Nxt@snel> <20230608181440.33d6926f@glaurung.nlnetlabs.nl> <0C543A94-F70E-4A40-8350-C98FAAB5A9B5@vigilsec.com> <D100381E-6498-4EAD-B056-18F89836C097@ripe.net> <96D52BC8-C3BA-43C8-90E1-DD2621C2292F@vigilsec.com> <20230613094413.364aaa8c@smaug.local.partim.org> <26E1759F-08FA-430D-8F89-BDC6C3DC4B9D@vigilsec.com> <20230613150156.29022a0e@glaurung.nlnetlabs.nl> <ZIitpTWScXigugLD@feather.sobornost.net> <04D76EAA-AD2E-4A76-8709-0D063E4310EA@ripe.net>
X-Mailer: Apple Mail (2.3731.600.7)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e19825058394b3d5296c64ddabcfafa26f
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/nNAmZMrr7t9NMzm12jRXU03ABN4>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa-profile-15.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jun 2023 13:00:09 -0000
Hi all, > On 13 Jun 2023, at 20:04, Ties de Kock <tdekock@ripe.net> wrote: > > Hi Job, > >> On 13 Jun 2023, at 10:55, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote: >> >> On Tue, Jun 13, 2023 at 03:01:56PM +0200, Martin Hoffmann wrote: >>> Russ Housley wrote: >>>> I do not think we want to have decode failures if the INTEGERS are >>>> not in sort order. >>> >>> I agree, but in the past the consensus in this group has been to >>> rigorously reject objects that have something wrong with them. By that >>> consensus, an ASPA with unsorted provider ASNs would be rejected on >>> grounds of violating the MUST further down. In which case it might as >>> well be rejected during decoding. > > I agree with Martin's perception of the opinion of the group. Having the SET > may get us a little bit more implementation resiliency here. > >> >> It seems not every deserializer implementation rejects DER during >> decoding if the DER contains a SET OF (unsorted, duplicate) INTEGERS. >> >> Example: >> >> $ echo 310f020107020102020109020107020103 | xxd -r -ps | openssl asn1parse -inform DER >> 0:d=0 hl=2 l= 15 cons: SET >> 2:d=1 hl=2 l= 1 prim: INTEGER :07 >> 5:d=1 hl=2 l= 1 prim: INTEGER :02 >> 8:d=1 hl=2 l= 1 prim: INTEGER :09 >> 11:d=1 hl=2 l= 1 prim: INTEGER :07 >> 14:d=1 hl=2 l= 1 prim: INTEGER :03 >> $ echo $? >> 0 >> >> I suspect the trouble for the deserializer in the above example is that >> there is ambiguity in the input data: what encoding rules apply? >> >> With relying parties being unable to rely on (potentially missing) >> implicit behaviour of decoders, it seems better to me to specify the >> structure of the ASPA eContent data using a SEQUENCE OF, and be explicit >> in describing the canonical form. This will help avoid potential >> inconsistencies between implementations. > > I have implemented the current (draft 15) ASN.1 and requirements that yield a > deterministic form for both validation and in a signer, but I do not mind > changing this to a SET. I realised that I did not share an object for interoperability testing. I have included a sample that is generated by a property test (so values are random) by rpki-commons below. rpki-commons generates and checks for version 1 with tag 0. MIIH0gYJKoZIhvcNAQcCoIIHwzCCB78CAQMxDTALBglghkgBZQMEAgEwggI8BgsqhkiG9w0B CRABMaCCAisEggInMIICI6ADAgEBAgUA22uphDCCAhMCBBLLjmkCBBM0KMUCBBQDTlACBBYS wkICBBaLOgwCBBgIAwkCBBxiVfACBB1W1wMCBCGtbUACBCU9c7UCBCWLQIcCBCcbyEICBCgl 3KMCBCiNWVICBClHPycCBCyBirYCBC2cM1cCBDM1bW4CBDtkCkECBD3Q4xwCBD8P22gCBD84 ZegCBEIx7P8CBEVorCUCBEjds1wCBEvlKBUCBE2FKvcCBE+JT40CBFDs6dkCBFETVU0CBFbY h+ACBFb+OnECBFdM7oECBFdZrPsCBFdnDeUCBFfbOqQCBGH1yK8CBGRuxFICBGXpHWoCBGp1 OMwCBG+7ux8CBHgLi+kCBH9sBgICBQCAvD4YAgUAg87arAIFAIauG1kCBQCHiWtVAgUAi0NQ egIFAI7mzisCBQCS9urkAgUAk2S6rgIFAJSIyy8CBQCVPP64AgUAleRxYQIFAJppUM8CBQCe xdguAgUAny2q/wIFAKDEEBUCBQCk897PAgUAplbcqgIFAKbytCcCBQCs5EAFAgUAsQTQqQIF ALG4LJwCBQCzkNoJAgUAvndK1wIFAL8swCwCBQDAdnZrAgUAzANViwIFAM6/vggCBQDQ5x4B AgUA1Bn0RAIFANTBpxECBQDU5XZxAgUA1n5sEgIFANdAC9QCBQDcmdFGAgUA4mt9BAIFAOKP 8fECBQDyuV2SAgUA+8ZdhQIFAP2bO1KgggO7MIIDtzCCAp+gAwIBAgIBCjANBgkqhkiG9w0B AQsFADARMQ8wDQYDVQQDEwZpc3N1ZXIwHhcNMjMwNjIzMTIyNjA4WhcNMjQwNjIzMTIyNzA4 WjARMQ8wDQYDVQQDEwZpc3N1ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCW 4EmbnsI5HeM/77rXydenLBAO8b6DMmIHj4CqWCK01MLtgOY+H+N7sR8/GoHutqthn3Le4zsg ihxzaScytN1GtDm2U85PhopPVvOIhQK1k4yX4WdgaNQoN48tL52rZ9wGlaWFRU7Va8sfAGBH xvq4bTYGyqdmQzZgmX8lcswOZ6M7G//qC+vI99qPMsDdER0TVmdmYR6Y45s8Nvp5IKA5GTxM qiaVICSLkN464523VW6T/KvPNaFWpvfNX9mPVkKgHcui1fn2UxqtVI9SpjH3zghj+6mxK9i2 nLit3qJVzCeRIGxb26CsBtzwT2T20LbVXfB73ivINipBiq98d9mXAgMBAAGjggEYMIIBFDAd BgNVHQ4EFgQUI+YroGMCUZAa0z52cVb6xpibzqAwHwYDVR0jBBgwFoAUI+YroGMCUZAa0z52 cVb6xpibzqAwDgYDVR0PAQH/BAQDAgeAMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAoYl cnN5bmM6Ly9jZXJ0aWZpY2F0ZS9yZXBvc2l0b3J5L2NhLmNlcjBHBggrBgEFBQcBCwQ7MDkw NwYIKwYBBQUHMAuGK3JzeW5jOi8vY2VydGlmaWNhdGUvcmVwb3NpdG9yeS9maWxlbmFtZS5h c2EwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjAcBggrBgEFBQcBCAEB/wQNMAugCTAHAgUA 22uphDANBgkqhkiG9w0BAQsFAAOCAQEAITO1OeskMD5zzdW109vwt7Jat4CzRr0LaRP21bZA IOvFdvs3nfvK0uz3dglT7+S4OrUWc0L4lYo1JynWI42FRGzJ6PcSMVywcX1fr+kspWZjhDAP gApNTa2Bxv35Zql6gMp7lUDMB5LxIjRuW+p+OikWF4knJvWr+l4ei0DrBX8DIDyXqB5b7qUw HUtCJ6Attd20a1iNp0Kcl6PVsM2LQ0Q0j1lr88tB3rHExtPBASjl56amyU9OBKBZJ0fRwVcI 7e/w1p3Tcfti8oG7kSmRIsqDP8brjFad6b9sM9xjDLKUwFW6TDz6DmPiLfXK6y5DdFYpR8eR Y0ufZUdTkttc0DGCAaowggGmAgEDgBQj5iugYwJRkBrTPnZxVvrGmJvOoDALBglghkgBZQME AgGgazAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQATEwHAYJKoZIhvcNAQkFMQ8XDTIzMDYy MzEyMjYwOFowLwYJKoZIhvcNAQkEMSIEIN8st7ktc0jTBvMBnu3e9tCWXdsIzz97l3TaSXPj m5lfMA0GCSqGSIb3DQEBCwUABIIBACHTBpiD4lkzjYsBRxZKZ7BpECnr14DGidTK0/2tgd63 VIvpdeOT7NKyOm8tbx7HJUEOqKet3uutzQ0n2mzg5z31WGJvRpPgorZ/qXMnN7FgY/bXofvV mpwaaFfLzDNHFpc2n7Cg7H+qA/UomV5S7QZZmDMqtSl2H/EQJa6xRhK3uaPVPWoAOKUCQC1F D5pLfhhUmES9ZWVl7K5b/CAWFFmFpdfkvnJWN6elJ59m0ytkS1CKnWKLdVFQVxUGnnQOiBZV uU9uI09Z9rfQlOXjipH0cVeSF98+kbtkTxltKrCBNdBXQOFOSWg7r3nh8IbiZih9+fAAoPHQ We2cmYPK888= Kind regards, Ties
- [Sidrops] I-D Action: draft-ietf-sidrops-aspa-pro… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Claudio Jeker
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Sriram, Kotikalapudi (Fed)
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Tim Bruijnzeels
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Tom Harrison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Di Ma
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Theo Buehler
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-aspa… Martin Hoffmann