Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-prefixlist-01.txt

Job Snijders <job@fastly.com> Thu, 25 January 2024 14:47 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D339C14F6B1 for <sidrops@ietfa.amsl.com>; Thu, 25 Jan 2024 06:47:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mi0s0wHiIVaG for <sidrops@ietfa.amsl.com>; Thu, 25 Jan 2024 06:47:51 -0800 (PST)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03794C14F61B for <sidrops@ietf.org>; Thu, 25 Jan 2024 06:47:50 -0800 (PST)
Received: by mail-qt1-x834.google.com with SMTP id d75a77b69052e-42a35c720b8so25376811cf.3 for <sidrops@ietf.org>; Thu, 25 Jan 2024 06:47:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1706194070; x=1706798870; darn=ietf.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=MG++Gb20RTVss+QdmU5fIk4C4AvC4zwTmpse6KInILM=; b=calhQLHYb30SqDnOalYK2w+9BVXgY313xb3gA5rQIihtjuf/1+bKLMeY2shf+hMxNd uGHBIz4wD0xXlSq5f1bvw7Re0e+nrSJTxZjdCcXqjOubGIiZuXTo4xxHxdz+JVJJIClE lDRnavBuBkkCNbc9betzLw246LTXXbiX8j5ZY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706194070; x=1706798870; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=MG++Gb20RTVss+QdmU5fIk4C4AvC4zwTmpse6KInILM=; b=bHzGq9usAovF4kUWjpP+EI44n7fvpbPqQ/tdpfvZ9W298Pxi0hzGEmxmY7ET1FdoLB Zyg8VqxWDYI6SwdJ5t2BIlXYwKl16aL5K98s6eT9Ukvxr8P8kvU27XGOzyL6Wl69dWwH Bske5nbxTwhaGOSMNwxXXT/Dv6e9WL19sUvroteucItrHWL44wPQbr0f/rTQEVMD0uXl uYNqIb8g/28vbBAhrRPnJYbyJVE+HkIpXBurI9Pg/W2I4L+fKSgII5fP+TmS9W60MEpr pMy/DS4xwDUc970hGyiFPn9xbmyG5NNXqg17NUoHZiu4M4rGjSsScklkXWMR94UqXMsW mhxg==
X-Gm-Message-State: AOJu0YxaI3LEuihASfcTpJEv85CSBOqADjtEYXt3AIfADNS9g06B8bBa hkLLhejEt5yH1atqBtRStAz2eSRQS+tkubCqgJWJM+WL5AkMkNu0lpY8N7o2oPY=
X-Google-Smtp-Source: AGHT+IG13tJeuTnTXkxkpY8yKfo4YQ1Y16F/yx6/U4Um+ZTLKzYyJYC5vu4mxeiIjvgWtnspJYWphA==
X-Received: by 2002:ac8:5f0c:0:b0:42a:51ca:9919 with SMTP id x12-20020ac85f0c000000b0042a51ca9919mr1374256qta.130.1706194069808; Thu, 25 Jan 2024 06:47:49 -0800 (PST)
Received: from snel ([2a10:3781:276:3:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id ca9-20020a05622a1f0900b00429b97f01dcsm5461298qtb.9.2024.01.25.06.47.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Jan 2024 06:47:49 -0800 (PST)
Date: Thu, 25 Jan 2024 15:47:47 +0100
From: Job Snijders <job@fastly.com>
To: Russ Housley <housley@vigilsec.com>
Cc: sidrops <sidrops@ietf.org>
Message-ID: <ZbJ0k7yNeTa924P1@snel>
References: <170612503890.46313.7195737912432658695@ietfa.amsl.com> <2360628E-B1CF-47B0-B5D9-AC81954F147F@vigilsec.com> <ZbGLJ1hmpoz_XTAg@snel> <9BB525E7-0797-4827-B36F-0E17AC002270@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9BB525E7-0797-4827-B36F-0E17AC002270@vigilsec.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/oOQ0qBRMQ2S5QvqnPGZPIRqm3Io>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-prefixlist-01.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jan 2024 14:47:55 -0000

On Thu, Jan 25, 2024 at 09:32:09AM -0500, Russ Housley wrote:
> > On Wed, Jan 24, 2024 at 04:07:06PM -0500, Russ Housley wrote:
> >> I am confused by this change in the syntax:
> >> 
> >>   IPv4Prefixes ::= SEQUENCE (SIZE(1..MAX)) OF AddressPrefix{32}
> >>   IPv6Prefixes ::= SEQUENCE (SIZE(1..MAX)) OF AddressPrefix{128}
> >> 
> >>   AddressPrefix {INTEGER: len} ::= BIT STRING (SIZE(0..len))
> >> 
> >> What does it mean when the prefix is a zero length BIT STRING?
> > 
> > That would be 0.0.0.0/0 or ::/0, right?
> > 
> > As I understand it a BIT STRING value can have any length, including
> > zero. Same approach is used in draft-ietf-sidrops-rfc6482bis.
>
> I was trying to figure out where rpki-prefixlist would use 0.0.0.0/0
> or ::/0.

To me that is an open question, one I intended to address after some
proof-of-concept software materalizes :-).

The question at hand being whether the working group would want
Autonomous Systems to document the possible origination of default
routes, or make that more implicit. If the WG prefers to not having to
append ::/0 and 0.0.0.0/0 to a Signed Prefix List, it indeed would make
sense to change "SIZE(0..ub)" to "SIZE(1..ub)".

However, related to the above, a suggestion was shared with me at
IETF118 whether 'ge' (greater than or equal), and 'le' (less than or
equal) constructs [1] or 'longer', 'orlonger', 'through', 'upto'-style
constructs [2] could be introduced in Signed Prefix Lists to make
makking to existing infrastructure in Router's Routing Policy Language
Engines easier. With that kind of complication in mind, it seems
plausible that zero-length address prefix BIT STRINGS would be a
necessity to support.

For me it still is up in the air whether the above mentioned 'advanced'
routing policy constructs should be made part of the Signed Prefix List
profile, and I'd like to let a bit of experimentation guide us.

Kind regards,

Job

[1]: https://learningnetwork.cisco.com/s/question/0D56e0000CcXAD0CQO/prefix-lists-what-are-ge-and-le-used-for
[2]: https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/policy-configuring-route-lists-for-use-in-routing-policy-match-conditions.html