Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-07.txt
George Michaelson <ggm@algebras.org> Fri, 20 May 2022 22:25 UTC
Return-Path: <ggm@algebras.org>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F102C20D64B for <sidrops@ietfa.amsl.com>; Fri, 20 May 2022 15:25:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dW6U3eCeno-U for <sidrops@ietfa.amsl.com>; Fri, 20 May 2022 15:25:52 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D0DEC20D647 for <sidrops@ietf.org>; Fri, 20 May 2022 15:25:51 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id p22so16553378lfo.10 for <sidrops@ietf.org>; Fri, 20 May 2022 15:25:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=v9Q1LcuWvwT9y0FRZ4h/6ubsbZ5m8GMjPimyi3HPPlw=; b=hiv2v5QxbG8w6DyZmyemh6wa8qKTLfh2ofPRBwp9WPDUgNxWBnZeSpTnnRl6N17V8s P98IpQz6PjZtd1Td9HTrLuznxLDSq1nMIqMcxb7fEK4g+FCBXI/Q7fOx0Ek+L4lAO1tN OUMRBmKhtJ+xQJ4AxxEvEe4ejVtR+ZGgU/OsmKEi9Kxkv9KV2dlZwyyv5BfgaGZTonat H38JngGBCCHiKvuya+YlsGXqmqOpyNBhibN+xlRUG07C+o0Ku3qrrejumzdvu94kDqM6 iFPdfKNHJCPRjeZ84TnpLBIGEWU9Sf9HfCo2wNYoZh0BRSL9Y6tBYGX9g/ZIjGst3nrU 4Daw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=v9Q1LcuWvwT9y0FRZ4h/6ubsbZ5m8GMjPimyi3HPPlw=; b=NEecy3BZrmSaVTJoq3D3Tz8g7DyBDnTgQioFKp/5aXe9eOcjWw/KaYixKdGBH4ppy8 JNKXFXkGfxMu9cZZUKHALWyNsfFDyxQtJsik11T/SvD8YGsDFKyGuWO0dC70h47g/Hww v24PZ8cK/GNKV3ZsA2KZdW+qT5okSHm1GTnofTTF9FIJSQKk2ULwPYhr5zceEycG/Hmo sh9PbqRa+7gb3GSJseUKXvgTdR3+ol1D0MlY258w3LSEtqIC6lus0CY9c3Dj2iJDTr/s N6a6eXQlHumamK6tt15M7Zb++Ki3T16P61jhUDzB00PI20P2gi+OWnXwNsHVRylXe7ZV Y2vQ==
X-Gm-Message-State: AOAM533tyQ3mbmiI7i2kDyXnmfyFO7ekD+/G8KL08LsgeMSZaj2ETeeL zIY6fN8LfXh6uVfPJ9AxY07E2H50W6v7RENE7a0Lkg==
X-Google-Smtp-Source: ABdhPJyqong2/dnKZn1xJBsR3awppmH1oRMDSf9ygyK/+LHWFuCjRXG25bndVH5LXBeloZV2d5AJRxKQ/imV4TunAJY=
X-Received: by 2002:a05:6512:168d:b0:471:6cb9:c20f with SMTP id bu13-20020a056512168d00b004716cb9c20fmr8471963lfb.229.1653085548721; Fri, 20 May 2022 15:25:48 -0700 (PDT)
MIME-Version: 1.0
References: <165298105049.28270.14685971986743868185@ietfa.amsl.com> <YoZ/bsYUeHpCW3Mc@snel> <D55CE24C-36E2-4976-84BB-BDB19E0E2CC2@vigilsec.com> <DB9P190MB10839201BF38E8D1BCD485BBC0D09@DB9P190MB1083.EURP190.PROD.OUTLOOK.COM> <3BDB58DF-0431-4676-9606-611C129A4B0B@vigilsec.com> <m2o7ztfe4d.wl-randy@psg.com> <20220520012253.zu4abj7kotvg3m3z@benm-laptop> <80AD7E72-1F42-4314-B0A8-69819904F2EB@vigilsec.com> <20220520135826.23h6eaurre7zvqxs@benm-laptop> <17C2DA7E-A5CB-49EE-8148-FB223A12D992@vigilsec.com>
In-Reply-To: <17C2DA7E-A5CB-49EE-8148-FB223A12D992@vigilsec.com>
From: George Michaelson <ggm@algebras.org>
Date: Sat, 21 May 2022 08:25:38 +1000
Message-ID: <CAKr6gn1vcma0=2v4k9i+i6C3Z4odx5A=vn+yFVQZJVkFicZwRA@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Ben Maddison <benm@workonline.africa>, Randy Bush <randy@psg.com>, Job Snijders <job@fastly.com>, SIDR Operations WG <sidrops@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ea4b9d05df78f8e1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/vFw-HgTSeS7XcX7fbo4A_4fP7Zg>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc-07.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 May 2022 22:25:58 -0000
My personal view is that the most likely path to code, is code reuse and changing encoding of these elements for one element like this is a tiny saving in ASN.1 outcome for a higher degree of uncertainty in compatibility should anyone fail to notice the difference. It's a long time since I coded to asn.1 in anger but I still think POLA and caution says "don't do this change" Keep it aligned. I think I'm agreeing with Russ and Randy basically. On Sat, 21 May 2022, 3:52 am Russ Housley, <housley@vigilsec.com> wrote: > Ben: > > >>>>> Sorry that I was not clear. Since the goal is to align with RFC > 3779, > >>>>> we should use the same definition as was used there, which is OCTET > >>>>> STRING (SIZE (2..3)). > >>>> > >>>> this makes more sense to me, as i do not see a win in having rules > that > >>>> apply on wednesdays and fridays and not on other days of the week. > one > >>>> wants to be able to write tools that are not complicated unnecesarily. > >>>> > >>> I think I am explaining the intent poorly. I will try again. > >>> > >>> The intent is not to align with the ASN.1 definitions of 3779, but with > >>> the DER wire-format produced by implementations of 3779. > >>> > > [..] > >>> > >>> In the specific case of the addressFamily field, allowing the SAFI-byte > >>> in the ASN.1, but then requiring that it MUST be absent in normative > >>> text (as is the case in other RPKI RFCs, e.g. 6487) would run contrary > >>> to the above goals. > >>> Implementors would be forced to do the constraint check by hand, even > if > >>> they were generating the other constraints from the ASN.1 definitions. > >>> > >>> Hope that makes more sense? > >> > >> Not for me. As you explain, you want compatibility with the library. > >> It produces a 2 octet value. That is compatible with OCTET STRING > >> (SIZE (2..3)). > >> > > Yes, agreed. It is also compatible with OCTET STRING (SIZE (2)). > > > >> I do not want someone to encode a value with the ASN.1 in RFC 3779 and > >> then have a decode failure by an implementation that uses this ASN.1. > >> > > Not all possible values of 3779 types are permitted in the eContent of > > an RSC. > > > > If someone encodes a value using an 3779 implementation that, for > > example, contains 'inherit' or a 3-octet addressFamily, puts that value > > in the eContent of an RSC, and then tries to decode the object, then a > > decode error *is* the proper outcome. > > This is the RFC 3779 syntax: > > IPAddrBlocks ::= SEQUENCE OF IPAddressFamily > > IPAddressFamily ::= SEQUENCE { -- AFI & optional SAFI -- > addressFamily OCTET STRING (SIZE (2..3)), > ipAddressChoice IPAddressChoice } > > IPAddressChoice ::= CHOICE { > inherit NULL, -- inherit from issuer -- > addressesOrRanges SEQUENCE OF IPAddressOrRange } > > IPAddressOrRange ::= CHOICE { > addressPrefix IPAddress, > addressRange IPAddressRange } > > IPAddressRange ::= SEQUENCE { > min IPAddress, > max IPAddress } > > IPAddress ::= BIT STRING > > The inherit part has nothing to do with the size of the OCTET STRING. > > The OCTET STRING (SIZE (2..3)) is explained with this code: > > The addressFamily element is an OCTET STRING containing a two-octet > Address Family Identifier (AFI), in network byte order, optionally > followed by a one-octet Subsequent Address Family Identifier (SAFI). > AFIs and SAFIs are specified in [IANA-AFI] and [IANA-SAFI], > respectively. > > I understand that you are saying that the third octet will never be > present in this context. > > The difference in our position is whether a decode failure should happen > if someone put it there. In my view, a decode error creates an additional > barriers to debugging. > > Russ > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops >
- [Sidrops] I-D Action: draft-ietf-sidrops-rpki-rsc… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ben Maddison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Randy Bush
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ben Maddison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Ben Maddison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… George Michaelson
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Theo Buehler
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Job Snijders
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-rpki… Russ Housley