Re: [Drip] DIME Apex Allocation

Stu Card <stu.card@axenterprize.com> Wed, 27 March 2024 19:48 UTC

From: Stu Card <stu.card@axenterprize.com>
To: Adam Wiethuechter <adam.wiethuechter@axenterprize.com>, "tm-rid@ietf.org" <tm-rid@ietf.org>
Thread-Topic: DIME Apex Allocation
Thread-Index: AQHagGRbwlPtKvQfnUaGmBWBJ7QCS7FL+q8Y
Date: Wed, 27 Mar 2024 19:47:37 +0000
Message-ID: <MN2PR13MB420791F9C210FACF0BDD67B9F8342@MN2PR13MB4207.namprd13.prod.outlook.com>
References: <SA3PR13MB651581117E8CBCF288892CE988342@SA3PR13MB6515.namprd13.prod.outlook.com>
In-Reply-To: <SA3PR13MB651581117E8CBCF288892CE988342@SA3PR13MB6515.namprd13.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/I4PjWhwMknuQPZuk5-vtHeV4Myo>

I am strongly in favor of the Apex having a DET, as there must be an Apex for each IPv6 prefix, and in applications beyond UAS RID of DRIP (e.g. the ICAO Trust Framework for the entire civil aviation ecosystem) there will be more than one prefix, leading to proliferation of RAA level X.509 cross-certificates between agencies in related sectors and X.509 - DRIP cross-endorsements, such that verifying a full path from a leaf (e.g. UA) to a root of trust would get complicated. That said, the ICAO Trust Framework Panel has already gotten push-back from some of its member states, who understandably do not want to surrender any of their sovereign authority to ICAO by making the latter the sole global root of trust for civil aviation computer networking, so cross-certs between RAAs, at least one of which has neither an X.509 cert nor a DET based DRIP endorsement, are very likely to exist, and we will need to support them.

________________________________
From: Tm-rid <tm-rid-bounces@ietf.org> on behalf of Adam Wiethuechter <adam.wiethuechter@axenterprize.com>
Sent: Wednesday, March 27, 2024 1:17:16 PM
To: tm-rid@ietf.org <tm-rid@ietf.org>
Subject: [Drip] DIME Apex Allocation

All,

I am currently working through Daniel's comments, thanks Dan!

I have run across this specific set of comments (spanning Section 4 and Section 4.1) and wish to engage in a discussion of the WG to see what other people think.

<mglt>
I think it would be good to clarify the meaning of the acronyms.
We should also explain how RAA/HDA differs from the generic RAAs/HDAs.
DET defines RAA and HDA as some bits, and it seems that some sort of delegation exists between RAA and HDAs. However, there are no bits for Apex, and as such Figure 1 does not seem to represent that delegation induced by the DET fields but instead a specific "administrative entity" that uses special bit values for RAA and HDA. Maybe that is clarified after, but the current description does not specify that it represents business entities or administrations. All of them will be encoded on the RAA and HDA bits.
</mglt>

4.1.  Apex

   The Apex is a special DIME role that holds the values of RAA=0-3 and
   HDA=0.  It serves as the branch point from the larger DNS system in
   which DETs are defined.  The Apex is the owner of the IPv6 prefix
   portion of the DET associated with it (2001:30/28) which is assigned
   by IANA from the special IPv6 address space for ORCHIDs.

<mglt>
I think I am missing the text that explains briefly why we need to have an Apex. If that is the administrative contact of the prefix, why do we need to assign a specific RAA/HDA code point?
</mglt>

The primary discussion I wish to raise is whether the Apex needs allocations in RAA/HDA space.

The Apex is to be run by some entity. At the moment it is agreed to be IANA until ICAO can fill its place. There will obviously be X.509 certificates that we will need to shadow as mentioned in -dki.

Technically if the Apex is not given a DET out of this space there cannot be a Broadcast Endorsement for the Apex. Currently it is defined that the Broadcast Endorsement for the Apex is self-signed. If this is removed a few things happen:


  1.
drip-auth has one whole Broadcast Endorsement removed from its chain. This is good as then less is needed to be sent over the air. This is bad as the Apex is written into the document in Section 6.
  2.
RAA level Broadcast Endorsement's become self-signed, and clients must jump into the shadow X.509 PKI to confirm if the RAA is legitimate and continue up the chain to the Apex.

I think we have two options to move forward with this comment:

  1. Remove the allocation of a DET for the Apex (i.e. RAA=0-3, HDA=0) and have it solely be in the X.509 (as the Root CA?) chain. Text would need to be added explaining that X.509s would be required between the Apex and RAAs to confirm legitimate registration.
  2. Add text justifying the DET for the Apex.

On a technical level I believe it should stay the same, however on a conceptual level legitimacy ends, at least to most end users, at their CAA (which would be the RAA).

Thoughts?

--------
73,
Adam T. Wiethuechter
Software Engineer; AX Enterprize, LLC