IETF Logo Mail Archive

Re: [Drip] DIME Apex Allocation

Alex Pershyn <ap.ab.ca@gmail.com> Wed, 27 March 2024 19:46 UTC

Return-Path: <ap.ab.ca@gmail.com>
X-Original-To: tm-rid@ietfa.amsl.com
Delivered-To: tm-rid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40D96C14F683 for <tm-rid@ietfa.amsl.com>; Wed, 27 Mar 2024 12:46:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.213
X-Spam-Level:
X-Spam-Status: No, score=-6.213 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LT0ZhVpNlX8Q for <tm-rid@ietfa.amsl.com>; Wed, 27 Mar 2024 12:46:45 -0700 (PDT)
Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0D17C14F5FC for <tm-rid@ietf.org>; Wed, 27 Mar 2024 12:46:45 -0700 (PDT)
Received: by mail-pf1-x432.google.com with SMTP id d2e1a72fcca58-6ea7eff5f3cso58733b3a.0 for <tm-rid@ietf.org>; Wed, 27 Mar 2024 12:46:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711568805; x=1712173605; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=ZYGNdp/rKz1ejhCSCKyUhbuoGh1ywsNit+K8rd3xyUQ=; b=WGoew3VyOwbog5tbU6GwcXxcJQ/auKds8VW/LNBhWpnnJcGui8LkSgU4iZr82CetNL it7Qo957O96dySIkmFdOI/79aYPPeY+jv0nBHcUZSA5lZqRQxZGukwLsEZ7cYrbOODAs WGVKSMDCxAeS5yEn8sugzaJdV6tcnXN8IUhry8XmiNa93wzXxa7eEbyzLQMtIGWBBqgl s12tO6elxDkHOT9CvUk1hwQqkIHR/Bx8Bmz0VUf9pMfUgRI+bpY8X79fypa3OahWJv33 bKlKUHwgRufNUN2S+zIg1Plp9jGt72dK9f4lHZW+6uhB6zmrFdExorgcQfwZSqBT31lO PhYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711568805; x=1712173605; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZYGNdp/rKz1ejhCSCKyUhbuoGh1ywsNit+K8rd3xyUQ=; b=gq9O2u1Gmfvo4UfOIqFmVnJExea8ycHvTYknrSDcSflTZ7zoOBcnNhRVswIAXiNDT2 Rgzj0Q5m9NA9RfWCklEHLUhwE8H8lWyzy0/HYS7HyDXh7f3TMx1goMcRYAIbPu/ucVPe Obz6Y6NFEyjrDko/gEdoCjkEUnH5BDCC3NQGoUM/Ld5e/CqOw7jEHZb2WfQwaCgdU+L4 LPpLKd1gQiKfQz4tq4SqWITnMAJN0b3urfmWt9IX+LwgzdAUiVN13jM0vn1SJgC/88Zn zRSNVZ81FWuaGgjMvFPzOaHNU3R2/Lq4U+XmnxGEpsHQpRAw2Q9iqs2t1hlUbNdLKWMZ GUxg==
X-Forwarded-Encrypted: i=1; AJvYcCUkbT89XWkWC1tOB+m1RbNN+5CbbSS1/+QKKW2doU3hF2kWrTg5D5P53JVeKumexdapgbTflygElX9XHTedFA4=
X-Gm-Message-State: AOJu0Yy/3Cl5M8Es1B4rK1070Z6GlvA/UvNC23TLbDTnlCHHZUrrmQDM JP8DgMgc8GiRQ+lwrY720lysnjEx9QBnEE3IPpcpsVdkjMQJcHOx
X-Google-Smtp-Source: AGHT+IEt8c024e0MZ504oK96KWRZg95iSx4L6wbD+ADfr/aExxPEyFbEZl/bQmoiRdlPjAxJ7SKHtw==
X-Received: by 2002:a05:6a20:8413:b0:1a3:c3e6:aef9 with SMTP id c19-20020a056a20841300b001a3c3e6aef9mr1211844pzd.1.1711568804626; Wed, 27 Mar 2024 12:46:44 -0700 (PDT)
Received: from smtpclient.apple (S01061c937c5d2b43.cg.shawcable.net. [68.146.161.209]) by smtp.gmail.com with ESMTPSA id q20-20020aa79834000000b006e4432027d1sm8496108pfl.142.2024.03.27.12.46.43 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 27 Mar 2024 12:46:43 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-86F7A46B-3C2B-4DA0-A299-A12D37A8DEC5"
Content-Transfer-Encoding: 7bit
From: Alex Pershyn <ap.ab.ca@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 27 Mar 2024 13:46:32 -0600
Message-Id: <2DF2B5F6-930E-45BA-ACCF-F000BBFAB180@gmail.com>
References: <CADZyTknYKFitqLsEuWnMQeOaiRnsHWN1RsnbwUF3xyNzp2kB_A@mail.gmail.com>
Cc: Adam Wiethuechter <Adam.Wiethuechter@axenterprize.com>, tm-rid@ietf.org
In-Reply-To: <CADZyTknYKFitqLsEuWnMQeOaiRnsHWN1RsnbwUF3xyNzp2kB_A@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
X-Mailer: iPhone Mail (21D61)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/TpkWN4ljJv2O3FTudPb7bCYjgmw>
Subject: Re: [Drip] DIME Apex Allocation
X-BeenThere: tm-rid@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Drone Remote Identification Protocol <tm-rid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tm-rid/>
List-Post: <mailto:tm-rid@ietf.org>
List-Help: <mailto:tm-rid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 19:46:50 -0000

Thank you Adam, I’ll do
Sent from my iPhone

On Mar 27, 2024, at 12:26, Daniel Migault <mglt.ietf@gmail.com> wrote:




On Wed, Mar 27, 2024 at 1:17 PM Adam Wiethuechter <adam.wiethuechter@axenterprize.com> wrote:
All,

I am currently working through Daniels comments, thanks Dan!

I have run across this specific set of comments (spanning Section 4 and Section 4.1) and wish to engage in a discussion of the WG to see what other people think.

<mglt>
I think it would be good to clarify the meaning of the acronyms.
We should also explain what RAA/HDA differs from the generic RAAs/HDAs.
DET defines RAA and HDA as some bits, and it seems that some sort of delegation exists between RAA and HDAs. However, there are no bits for Apex and as such Figure 1 does not seem to represent that delegation induced by the DET fields but instead as a specific "administrative entity" that uses special bits values for RAA and HDA. Maybe that is clarified after, but the current description is missing to specify that it represents business entities or administrations. All of them will be encoded on the RAA and HDA bits.
</mglt>

4.1.  Apex

   The Apex is a special DIME role that holds the values of RAA=0-3 and
   HDA=0.
 It serves as the branch point from the larger DNS system in
   which DETs are defined.  The Apex is the owner of the IPv6 prefix
   portion of the DET associated with it (2001:30/28) which is assigned
   by IANA from the special IPv6 address space for ORCHIDs.

<mglt>
I think I am missing the text that explains briefly why we need to have an Apex. If that is the administrative contact of the prefix why do we need to assign a specific RAA/HDA code point.
</mglt>

The primary discussion is I wish to raise is around if the Apex needs allocations in RAA/HDA space.

The Apex is to be run by some entity. At the moment it is agreed to be IANA until ICAO can fill its place. There will obviously be X.509 certificates that we will need to shadow as mentioned in -dki.

Technically if the Apex is not given a DET out of this space there cannot be a Broadcast Endorsement for the Apex. Currently it is defined that the Broadcast Endorsement for the Apex is self-signed. If this is removed a few things happen:

  1. drip-auth has one whole Broadcast Endorsement removed from its chain. This is good as then less is needed to be sent over the air. This is bad as the Apex is written into the document in Section 6.
  2. RAA level Broadcast Endorsement's become self-signed, and clients must jump into the shadow X.509 PKI to confirm if the RAA is legitimate and continue up the chain to the Apex.

I think we have two options to move forward with this comment:

  1. Remove the allocation of a DET for the Apex (i.e. RAA=0-3, HDA=0) and have it solely be in the X.509 (as the Root CA?) chain. Text would need to be added explaining that X.509s would be required between the Apex and RAAs to confirm legitimate registration.
  2. Add text justifying the DET for the Apex.

On a technical level I believe it should stay the same, however on a conceptual level legitimacy ends, at least to most end users, at their CAA (which would be the RAA).

Thoughts?

Thanks for the question. 

I understand the role of the Apex as ensuring the delegation of a given prefix is well redirected to the legitimate entity - in other words providing the right NS. The reverse resolution goes from IANA to Apex to RAA to HAD. Of course various aggregation can exist. 
It could be I am missing something, but I do not see any reason for the Apex to be associated with an RAA/HDA. They do play an important part in the delegation but do not appear in the DNS scheme. They are like the admin of an NS server. 

X509 or DNSSEC could be used to validate the full path. RAA/HDA could also have specific RRsets that might be helpful. 

I remain of course open to other feedbacks, but I tend to favor option 1).  

Yours 
Daniel


--------
73,
Adam T. Wiethuechter
Software Engineer; AX Enterprize, LLC
--
Tm-rid mailing list
Tm-rid@ietf.org
https://www.ietf.org/mailman/listinfo/tm-rid" rel="noreferrer nofollow" target="_blank">https://www.ietf.org/mailman/listinfo/tm-rid


--
Daniel Migault
Ericsson
--
Tm-rid mailing list
Tm-rid@ietf.org
https://www.ietf.org/mailman/listinfo/tm-rid

v2.23.0 | Report a Bug | By Email