Re: [Sidrops] Interim Meeting Follow-up Mail

Tim Bruijnzeels <tim@nlnetlabs.nl> Thu, 29 October 2020 12:56 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DB713A03FC for <sidrops@ietfa.amsl.com>; Thu, 29 Oct 2020 05:56:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xpT696B5TitZ for <sidrops@ietfa.amsl.com>; Thu, 29 Oct 2020 05:56:32 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:2d:8::215]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2CEF3A0A16 for <sidrops@ietf.org>; Thu, 29 Oct 2020 05:56:31 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 1003460B19; Thu, 29 Oct 2020 12:56:28 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1603976187; bh=ZJGjXkOxb2Kt1yLoXqlI0939Za2Rwpq8k8P+AHmOt44=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=Gsjs3JRJjKjcCmspSwMoZnp7NBg4fp1a7GCDWtfAEs0wtwv68MVU25jYfVi/JhUs7 qCSiILSDGusW/qcuFefuyI5aEEHFfX4fcwUag9viiEZXQUg87PAAgIEk/2gkVsSGTK W5Me530DskVdq/4uN6OusvOc8DMKCXkPSwnV4kjXEFyL/GVztwpZOAIX5Fik+geuZp sg25h5rJgWulyc9usXf2FzOVqxZVqDwlKhHLmZiIheOB/YV7jDDfqfPmmQ83NDebzC L4hxNndp4HO/VJ+uDvfvtuJJURxbv8utuJQubCO1m+JOiqlv1ObV2O/d535LapNYYL 5+Q2peW4evGjA==
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <bad467c3-3fc5-d971-bc5b-cfe35fe5cd70@verizon.net>
Date: Thu, 29 Oct 2020 13:56:25 +0100
Cc: sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <72E7C44B-7478-402B-A0F3-2376A2818657@nlnetlabs.nl>
References: <87zh4ekvz9.wl-morrowc@ops-netman.net> <5660E325-98A9-4A3F-A009-BD13A5C62A47@nlnetlabs.nl> <06995a21-7cc8-1182-0472-00105ac7dd6d@verizon.net> <4A518084-54AB-4719-A9CD-11DD8AA9E63D@nlnetlabs.nl> <bad467c3-3fc5-d971-bc5b-cfe35fe5cd70@verizon.net>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/pYY__ujusgJME384m5_LHCIGMxw>
Subject: Re: [Sidrops] Interim Meeting Follow-up Mail
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2020 12:56:34 -0000

Hi Steve,

> On 28 Oct 2020, at 17:02, Stephen Kent <stkent=40verizon.net@dmarc.ietf.org> wrote:
> 
> Tim,
> 
> I looked at the revised bullet points we agreed upon and crafted a new Section 6.4 to reflect the last point. (The first three were already covered in this or other sub-sections of Section 6.) The proposed, revised text is below. If you concur, I'll ask that 6486-bis be revised accordingly.
> 
> 
> 
> 
> 6.4.  Acquiring Files Referenced by a Manifest

Right, indeed it's section 6.4 that needs the update. I was a bit confused by the repeated text in 6.7 (Failed Fetches). Maybe this first sentence could be dropped?

   If an RP does not acquire a current valid manifest, or does not
   acquire current valid instances of all of the objects enumerated in a
   current valid manifest as a result of a fetch, then processing of the
   signed objects associated with the CA instance has failed for this
   fetch cycle.

To me this reads like these checks are done as part of 6.7, whereas actually these checks to determine that a fetch failed were all done in earlier sections and that is why implementers were directed to proceed to 6.7, right?


>    The RP MUST acquire all of the files enumerated in the manifest
>    (fileList) from the publication point. If there are files listed in the
>    manifest that cannot be retrieved from the publication point, or if
>    they fail the validity tests specified in [RFC6488], the fetch has
>    failed and the RP MUST proceed to Section 6.7; otherwise, proceed to
>    Section 6.5. Note that the set of retrieved objects may include types that
>    the PR is not prepared to process, e.g., objects other than CRLs, certificates, 
>    and Ghostbuster records (all of which MUST be processed by an RP, if present). 
>    When such objects are encountered by an RP, the RP MUST NOT attempt to validate 
>    the eContent (as described in Section 2.1.3.2 above) of such objects; 
>    encountering such objects does not, per se, result in a failed fetch.

I see you use "e.g." when enumerating types which MUST be processed. But I think it would be better to either enumerate all object types explicitly, or have no enumeration and leave the choice which types MUST be supported out of this context.

If you go for explicit enumeration, then it will most likely need updating by future RFCs. E.g. the ASPA RFC when it comes out could update the list. How about something like this:

   Note that the following objects MUST all be fully validated if present:
    * Manifests (this document)
    * CRLs [RFC6487]
    * Resource Certificates [RFC6487]
    * BGPsec Router Certificates [RFC8209]
    * Ghostbuster Records [RFC6493]
    * Route Origin Authorizations [RFC6482]

   However, the publication point MAY include other object types
   that the RP is not prepared to process. When such objects are encountered
   by an RP, the RP MUST NOT attempt to validate the eContent (as described
   in Section 2.1.3.2 above) of such objects; encountering such objects
   does not, per se, result in a failed fetch.  

As a note to implementers: there is little (inter-)operational experience in producing and validating BGPsec Router Certificates and Ghostbuster Records. I am okay with including them in a list, but I would advise that CAs test with known RP software and collaborate, before deploying these objects in production environments.

Tim




> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops
>