IETF Logo Mail Archive

Re: [Drip] DIME Apex Allocation

Daniel Migault <mglt.ietf@gmail.com> Wed, 27 March 2024 18:26 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tm-rid@ietfa.amsl.com
Delivered-To: tm-rid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8584DC15109E for <tm-rid@ietfa.amsl.com>; Wed, 27 Mar 2024 11:26:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pbkAQO5InWxx for <tm-rid@ietfa.amsl.com>; Wed, 27 Mar 2024 11:26:37 -0700 (PDT)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 887DDC14F604 for <tm-rid@ietf.org>; Wed, 27 Mar 2024 11:26:37 -0700 (PDT)
Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-a4dfe6564b6so15478066b.3 for <tm-rid@ietf.org>; Wed, 27 Mar 2024 11:26:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711563995; x=1712168795; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=eF7iFBUQEOryjpM/KJZ4L3HBp/K4ddqNRJLm5atndSg=; b=dyK1kbWZWaA8VdJrPwgSYkJMNIhpNSt+FccAOUnSm+gZwF+toh0FkJd5Qs1aQVIXe2 jC+nx2lcrcXBGWhs5JJu/LSIGrPqb/2rdrC+XFWeARC+GKWirnuNAu2B2brfgpf5P6+B THPr4n5gW9El/KDQ43iCiT1/G2UHMeJkLW28bX0ZmYdnZEkJfHr5JdylTtm59EbgYjpD Kiwy9KDYcBQ5KlZxSErAqVns020EdW/mXs8tdzHSBgZDjtb/Dw03iwPt4TQNu16Eo0h2 50gj7GJzhYPctiiTrKQLxhj3io+ALdPjBVaFAOwIEgzGkS5BJVu91UQOigPT+YXvvLD5 Rb+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711563995; x=1712168795; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=eF7iFBUQEOryjpM/KJZ4L3HBp/K4ddqNRJLm5atndSg=; b=B2yFH7kvYPe9uGYSCOc+/xcUgVqikzbT72SR9Wh2KQpJZWaFTdZgaoFHmAVvIv9cQI 5VtbH2NzsnzIuT3XRyBd3JUScL7fGgZl2L7rvuZrCzum26raG5cmV2dbfkcKRZ44wU27 3Ytd4gmWGgcmWKUHJbsqHYohiHgTJ52FRx9UlaIEKP1sL2G1P2sXaxHAdXERroAKBNb3 3MXkJVNyEsYeDRkil6tX+YTU5Z/hLPw+HYuMyMsQGbO0O0lFRlkSJYn9p0oxvZdFV7tw OLvUYyw4DM0JnZT+xu7X/5tzNFoo9YWJwkxZktXsb4B+4cONhiQsISjWVBzNpTidr3yT s2ng==
X-Gm-Message-State: AOJu0YygBJqPlNNYHi45f3ANihhGOvHMIxm4qa2Kap5Cca342lkOGXqP Xp/tgbjl24DBu6B7if2CtubpCdac+LeY8999UGmF+XDZKBeR3r28g9iWic1uKyV8s5u/njsGtV4 Y+iAH9qg3jsmyEnnHjzwz5SojaZaAOAdm
X-Google-Smtp-Source: AGHT+IH73WYEXGdSxTdE21E78WyY5PFiA3g/Svm1FoODUgfgsGK7c+YmM4Ysrg8awvpr8MDgyov7cPg5GKV+M+EBXng=
X-Received: by 2002:a17:906:a10e:b0:a4a:348c:de85 with SMTP id t14-20020a170906a10e00b00a4a348cde85mr199005ejy.37.1711563994471; Wed, 27 Mar 2024 11:26:34 -0700 (PDT)
MIME-Version: 1.0
References: <SA3PR13MB651581117E8CBCF288892CE988342@SA3PR13MB6515.namprd13.prod.outlook.com>
In-Reply-To: <SA3PR13MB651581117E8CBCF288892CE988342@SA3PR13MB6515.namprd13.prod.outlook.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 27 Mar 2024 14:26:22 -0400
Message-ID: <CADZyTknYKFitqLsEuWnMQeOaiRnsHWN1RsnbwUF3xyNzp2kB_A@mail.gmail.com>
To: Adam Wiethuechter <adam.wiethuechter@axenterprize.com>
Cc: "tm-rid@ietf.org" <tm-rid@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6a9240614a88bfa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/Oz4P3qquhGa81KCwuwNOzva20bU>
Subject: Re: [Drip] DIME Apex Allocation
X-BeenThere: tm-rid@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Drone Remote Identification Protocol <tm-rid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tm-rid/>
List-Post: <mailto:tm-rid@ietf.org>
List-Help: <mailto:tm-rid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 18:26:41 -0000

On Wed, Mar 27, 2024 at 1:17 PM Adam Wiethuechter <
adam.wiethuechter@axenterprize.com> wrote:

> All,
>
> I am currently working through Daniels comments, thanks Dan!
>
> I have run across this specific set of comments (spanning Section 4 and
> Section 4.1) and wish to engage in a discussion of the WG to see what other
> people think.
>
> <mglt>
> I think it would be good to clarify the meaning of the acronyms.
> We should also explain what RAA/HDA differs from the generic RAAs/HDAs.
> DET defines RAA and HDA as some bits, and it seems that some sort of
> delegation exists between RAA and HDAs. However, there are no bits for Apex
> and as such Figure 1 does not seem to represent that delegation induced by
> the DET fields but instead as a specific "administrative entity" that uses
> special bits values for RAA and HDA. Maybe that is clarified after, but the
> current description is missing to specify that it represents business
> entities or administrations. All of them will be encoded on the RAA and HDA
> bits.
> </mglt>
>
> 4.1.  Apex
>
>    The Apex is a special DIME role that holds the values of RAA=0-3 and
>    HDA=0.
>  It serves as the branch point from the larger DNS system in
>    which DETs are defined.  The Apex is the owner of the IPv6 prefix
>    portion of the DET associated with it (2001:30/28) which is assigned
>    by IANA from the special IPv6 address space for ORCHIDs.
>
> <mglt>
> I think I am missing the text that explains briefly why we need to have an
> Apex. If that is the administrative contact of the prefix why do we need to
> assign a specific RAA/HDA code point.
> </mglt>
>
>
> The primary discussion is I wish to raise is around if the Apex needs
> allocations in RAA/HDA space.
>
> The Apex is to be run by some entity. At the moment it is agreed to be
> IANA until ICAO can fill its place. There will obviously be X.509
> certificates that we will need to shadow as mentioned in -dki.
>
> Technically if the Apex is not given a DET out of this space there cannot
> be a Broadcast Endorsement for the Apex. Currently it is defined that the
> Broadcast Endorsement for the Apex is self-signed. If this is removed a few
> things happen:
>
>
>    1. drip-auth has one whole Broadcast Endorsement removed from its
>    chain. This is good as then less is needed to be sent over the air. This is
>    bad as the Apex is written into the document in Section 6.
>    2. RAA level Broadcast Endorsement's become self-signed, and clients
>    must jump into the shadow X.509 PKI to confirm if the RAA is legitimate and
>    continue up the chain to the Apex.
>
>
> I think we have two options to move forward with this comment:
>
>
>    1. Remove the allocation of a DET for the Apex (i.e. RAA=0-3, HDA=0)
>    and have it solely be in the X.509 (as the Root CA?) chain. Text would need
>    to be added explaining that X.509s would be required between the Apex and
>    RAAs to confirm legitimate registration.
>    2. Add text justifying the DET for the Apex.
>
>
> On a technical level I believe it should stay the same, however on a
> conceptual level legitimacy ends, at least to most end users, at their CAA
> (which would be the RAA).
>
> Thoughts?
>

Thanks for the question.

I understand the role of the Apex as ensuring the delegation of a given
prefix is well redirected to the legitimate entity - in other words
providing the right NS. The reverse resolution goes from IANA to Apex to
RAA to HAD. Of course various aggregation can exist.
It could be I am missing something, but I do not see any reason for the
Apex to be associated with an RAA/HDA. They do play an important part in
the delegation but do not appear in the DNS scheme. They are like the admin
of an NS server.

X509 or DNSSEC could be used to validate the full path. RAA/HDA could also
have specific RRsets that might be helpful.

I remain of course open to other feedbacks, but I tend to favor option 1).

Yours
Daniel


--------
> 73,
> Adam T. Wiethuechter
> Software Engineer; AX Enterprize, LLC
> --
> Tm-rid mailing list
> Tm-rid@ietf.org
> https://www.ietf.org/mailman/listinfo/tm-rid
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email