IETF Logo Mail Archive

Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)

Tim Bruijnzeels <tim@nlnetlabs.nl> Sat, 25 March 2023 04:05 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D56BC15152C for <sidrops@ietfa.amsl.com>; Fri, 24 Mar 2023 21:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aiQvB1578pU1 for <sidrops@ietfa.amsl.com>; Fri, 24 Mar 2023 21:05:47 -0700 (PDT)
Received: from dane.soverin.net (dane.soverin.net [IPv6:2a10:de80:1:4092:b9e9:2296:0:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C64E8C151532 for <sidrops@ietf.org>; Fri, 24 Mar 2023 21:05:47 -0700 (PDT)
Received: from smtp.soverin.net (c04smtp-lb01.int.sover.in [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dane.soverin.net (Postfix) with ESMTPS id 4Pk58l4rSHzSr; Sat, 25 Mar 2023 04:05:43 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.100]) by soverin.net (Postfix) with ESMTPSA id 4Pk58j1G7XzFv; Sat, 25 Mar 2023 04:05:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1679717143; bh=a27SwBViWJEe1ndDHjy/L/levks7/yKcw/6Z5A9bAHU=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=AB5s1lnbNSaFy5OaqYRykBFapQsy+9u2kAYzcfWS2yWvyMFt7nUK28TVhHvyKAAC1 dXH5+s7PL5swmsBf9ymgoLHUCtQfBIRXV7hc+PrQZI4q7QI2r6AKzzrmGhjQVx3tku afFApxNdyOp3MHi1VhgOQyDUNQFPezjmHEmuWPMNSKUJ//eMP9cFxeer2+ofV6wmGY j5OKJgIwPjjbTppxLhoafshnJ2d9HvaM8TMZQFXTmId4bcDEnOfrIB4YJZ8QJgI8Er Cvo6tls111mgbmZN0GsoOYhytKoiiwV8TAis7qMM1wdS50aglZxHTtfY4ip4Ga8JSB TT3s8OFEzv+Bg==
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
X-Soverin-Authenticated: true
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <EDFA2A6D-F7DA-4FCA-9D83-65B08DEE1907@nlnetlabs.nl>
Date: Sat, 25 Mar 2023 13:05:25 +0900
Cc: SIDR Operations WG <sidrops@ietf.org>, "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
Content-Transfer-Encoding: quoted-printable
Message-Id: <94C1B62A-0E38-4412-86F2-4207240A372A@nlnetlabs.nl>
References: <3d9e252c02a342f09c93269779d91328@akamai.com> <EDFA2A6D-F7DA-4FCA-9D83-65B08DEE1907@nlnetlabs.nl>
To: "Lubashev, Igor" <ilubashe=40akamai.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/sJrAtun6h2SU7pktk-0D30Lnu4U>
Subject: Re: [Sidrops] WGLC = draft-ietf-sidrops-aspa-verification - ENDS 03/22/2023 (Mar 22 2023)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2023 04:05:52 -0000

Hi again,

> On 25 Mar 2023, at 12:20, Tim Bruijnzeels <tim@nlnetlabs.nl> wrote:
> 
> Merging the VAPs from multiple ASPA objects for the same CAS can be done as follows. The RPKI Relying Party (Validator) creates two sets of providers ASNs, one for IPv4 and one for IPv6. Any provider ASN in any of the VAPs that is found to have no afiLimit is added to both sets. If there is an afiLimit then the provider ASN is added to the corresponding set only. Duplicates are ignored (i.e. these are sets). At the end of the process a new VAP can be created. Any provider ASNs that are found in only one of the two sets get the corresponding afiLimit. Any provider ASNs that are in both sets get no afiLimit.
> 
> To the authors mainly: please let me know if the above procedure is incorrect. All the more reason for documenting it I would say ;)

Okay, on re-reading my own suggestion let me try to rephrase it in an outcome-driven way, rather than specifying an algorithm which may not be the most efficient.

When merging two VAPs the resulting VAP should have all provider ASNs found in either original VAP. In case the provider ASN is present in both original VAPs the resulting set's corresponding provider ASN should use a value for the afiLimit that includes the original attestations. If afiLimit was absent in either original VAP then it must also be absent in the result. If the two original VAPs used different (complementary) afiLimits, then the intend was to declare the provider for both IPv4 and IPv6 and the resulting VAP must not use an afiLimit. If the afiLimit was the same in both original VAPs then of course the resulting VAP must use the same limit.

Tim

v2.23.0 | Report a Bug | By Email