Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-07.txt
Job Snijders <job@fastly.com> Thu, 14 October 2021 16:24 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFCAF3A1735 for <sidrops@ietfa.amsl.com>; Thu, 14 Oct 2021 09:24:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id edHkUfh4vxnj for <sidrops@ietfa.amsl.com>; Thu, 14 Oct 2021 09:24:37 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B67623A1AF8 for <sidrops@ietf.org>; Thu, 14 Oct 2021 09:22:56 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id t16so26385785eds.9 for <sidrops@ietf.org>; Thu, 14 Oct 2021 09:22:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=feARxEiPCwCLzpBhtiKSvhBZvvruNroR9XnlX97ux+E=; b=u8rR/arisWCXWqKekSzfHniRfO4Wom+eV25setkJLx5rdpoOGbGzRCrwZM3QcSHUVR FBMkrKiJxmAyj5mR7XR2/6PCzQNZ91ifdEdpq1kXGHK1h3rRXbW6d7WAwuvFGiHuaLVe Xig/Z29tbUIHtzIvZUMkUHATeBcYUfoa40bN4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=feARxEiPCwCLzpBhtiKSvhBZvvruNroR9XnlX97ux+E=; b=szwF/Ge9NqrzqiQIJTX4/fuOvRvhr9euSEeCSKbFOZCfQK3rQEMmJlnYdeEsBkdChh AyLMn7tQQNre/WknSrKH9QLUNsWznhsGMa6Zi6r4p3Gt8mf25xUrFyTh8LAkf5HHG4vX YtP3Df3Lc8KqddDNeVmFKbCaOaaYhIaTMmLi3Fg+WuIymhl8bIruFeYG1YndXfz/Goo2 9cYjrHHa4+ZCgeg8vthWzdVprDBpTquuuNQjeG/h9sgbQtSRW+/tvXtmIClzldzXV6p4 xJU9vSjDnGht0iyJ0i8QwCY9f2dLqMsx16kwfeAlLk8gQYMc1BJzXsrzvVKLR9IpjAgG Vsgg==
X-Gm-Message-State: AOAM530T6+kA1I3yDGrz6naRFYpb5usZK0DNv2MY4Or78Y2loMq2MQ70 brSHEzMGZqgFmIfulVKq7GScxQ==
X-Google-Smtp-Source: ABdhPJy9f8Tk974PxXAG8RbYOnThrRW2e0jsiAr10Qg4TrjHi7YlH5wlOpBWP8Z/ye2/kRz+DflPiQ==
X-Received: by 2002:a17:906:48ce:: with SMTP id d14mr5049704ejt.336.1634228574030; Thu, 14 Oct 2021 09:22:54 -0700 (PDT)
Received: from snel ([2a10:3781:276:1:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id v13sm3033640edl.69.2021.10.14.09.22.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 14 Oct 2021 09:22:53 -0700 (PDT)
Date: Thu, 14 Oct 2021 18:22:52 +0200
From: Job Snijders <job@fastly.com>
To: Ties de Kock <tdekock@ripe.net>
Cc: SIDR Operations WG <sidrops@ietf.org>
Message-ID: <YWhZXN//4VVuDc+k@snel>
References: <163422093055.5218.7049827726010929590@ietfa.amsl.com> <C368116D-179F-4A2D-A9D9-613A422F0AE1@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <C368116D-179F-4A2D-A9D9-613A422F0AE1@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/raT-2yYdot9gr5CQBp-YqGjD-nw>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-07.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Oct 2021 16:24:42 -0000
On Thu, Oct 14, 2021 at 05:07:33PM +0200, Ties de Kock wrote: > > 4.2.1: > > > > This field is an integer that is incremented (by 1) each time a > > new manifest is issued for a given publication point. This field > > allows an RP to detect gaps in a sequence of published manifests. > > I would really like it if we could leave this open and allow arbitrary > increments. It's what is out there in the wild, and RPs can not check anything > against manifestnumber either: Not all of them are guaranteed to be visible. But isn't that kind of the point though? To be able to detect whether an RP saw all of them, because it is not guaranteed an RP will have visibility into all of them? > Strict incrementing counters are also a point of contention in implementations > due to database locking on the parent CA. Can you elaborate on this aspect? > Existence/absense of manifests of a compliant CA is visible through the CRL. And > it does not make behaviour of a sloppy CA invisible. > > I would also like to revisit 4.2.2. > > > letter extension. The extension MUST be one of those enumerated in > > the "RPKI Repository Naming Scheme" registry maintained by IANA > > [IANA-NAMING]. > > Since the content of the registry is dynamic, I think it would be good to > clarify that encountering an unknown extension must not result in a failed fetch. > If RPs become intolerant to new filenames using an extension not in the > registry (for example .asa) would require a flag day. > > While reducing ambiguity in the results that RPs have when processing manifests > is good I don't think rejecting unknown types is worth the downside. A flag day can be avoided by putting the .asa object in its own Publication Point: then the PP fails on older RPs (which is not a problem), and works as expected on newer RPs. Since for (for example) the .asa object type the early allocation process is used, I think there is sufficient time between 'new idea' -> IANA registry update -> 'deployment in the wild'. RP implementers need to stay up-to-date on what RPKI object types currently exist, which seems reasonable. I think there is value in clear guidance on what RPs should expect and not expect. For example, rpki-client only attempts to sync currently known filetypes, this hopefully limits the (potential) garbage RPs pull in: https://github.com/openbsd/src/commit/22ca817fdd32d4cc08710821dad014cf18d1cd85 Kind regards, Job
- [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486… Stephen Kent
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486… Ties de Kock
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486… Job Snijders