Re: [Drip] DIME Apex Allocation
Daniel Migault <mglt.ietf@gmail.com> Mon, 01 April 2024 19:14 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tm-rid@ietfa.amsl.com
Delivered-To: tm-rid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 659C8C14CE51 for <tm-rid@ietfa.amsl.com>; Mon, 1 Apr 2024 12:14:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SsjxLs12aWSO for <tm-rid@ietfa.amsl.com>; Mon, 1 Apr 2024 12:14:33 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DE02C14CE25 for <tm-rid@ietf.org>; Mon, 1 Apr 2024 12:14:33 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id 2adb3069b0e04-515a81928faso5315974e87.1 for <tm-rid@ietf.org>; Mon, 01 Apr 2024 12:14:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711998871; x=1712603671; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=H6h6lPqwkoiMerttzhgcGOlYt5rOG7cdYzHBHsYqj+U=; b=IZMUz2kNpRegxbBVC7W8TfBmIQrPMJNFH0jx9EQcr7SvdJVvC5y3qDjIBml6WcXxSE h6OXkUItCv8f3Jg/5YLsMywkT0BlUmaJlUZ3qF1++9X3ae5uW1NeeplX+aPG+0b1I5a6 TgWY/LeqiK3gEOQzzH/rgAv4k5HHn/DOvMg4JrGb6Tlox9aSg+wFKHogRCiJqyYlvZzb DpcKUnxoT9A0oA7yEUsMcPzBYacEcDI+F1KrPpOFb85KWmt9W+lcLlM6aNouNvwgC/fq WwBKi7iczKsx5FFvM+RvKDQcRq2NHxsfynpREL2Ax6JRCJAp9l3S9V4ptS9hbAW3LEbH KJ3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711998871; x=1712603671; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=H6h6lPqwkoiMerttzhgcGOlYt5rOG7cdYzHBHsYqj+U=; b=mSgh4HP0mB5kiE0aSruJqPL0B6HtvYji0sIRRUF2h+OKXD1Nr9tt2pudvDMDh+zlDv y458tIdiZWQzn+Y/1xAzu0mU0R2ct07ETHnVwiqvw7at2PSUM/f8v8YPbLCeQq3WFamH S1vLyHGLy+q33FVO5MNw2vzBbRAZj0Z3FqT2ViEpa9crHt4qgtU+uxj0vXtm5XfVva6Q 3wXMPiRIxtBUy2WWQNrRSDFcWp5oNylTBoq6nlXwtTpSg6J1VAjRszbSqq9DfR7Kwzwf lHq9bMrgZGd21OkoSR5QCfMHXqM0J/3YBbEI89XcuIvfPAW+tVdclx/L6Dt3vS+N9GbD LhhQ==
X-Forwarded-Encrypted: i=1; AJvYcCXsh5H2zc7szbpj2GoyZNDv5K4PP8No3IUVz0mPSdl6aZ76hmbD+79EPWD4p0rpi96D99CLTnbm4FTGjPV5eFI=
X-Gm-Message-State: AOJu0YzhmV3xDAxes8fxGCfSCrkrhIG6ZfQ9/6cac9Fhzklto+8hPlyz 7uEC9KSv+HRNDCaCJVR/nJL9hnunC6SrBrXaAG86tqznh2WegXks+YnNzqhnxOaUGkWV93tALhz 2attW8RKAmKRNmGFcRJl10G8WJbwYpvBZ
X-Google-Smtp-Source: AGHT+IF8TZCGf5T6t8XnsvZYYWSNW7gTSDvJa2IQgJFol9mylpJj57e2OySdoT8PkvsjORTx7whKjrGh/8KXLRbWn0I=
X-Received: by 2002:a05:6512:3592:b0:515:bb3a:116a with SMTP id m18-20020a056512359200b00515bb3a116amr6123622lfr.41.1711998870425; Mon, 01 Apr 2024 12:14:30 -0700 (PDT)
MIME-Version: 1.0
References: <SA3PR13MB651581117E8CBCF288892CE988342@SA3PR13MB6515.namprd13.prod.outlook.com> <MN2PR13MB420791F9C210FACF0BDD67B9F8342@MN2PR13MB4207.namprd13.prod.outlook.com>
In-Reply-To: <MN2PR13MB420791F9C210FACF0BDD67B9F8342@MN2PR13MB4207.namprd13.prod.outlook.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 01 Apr 2024 15:14:18 -0400
Message-ID: <CADZyTk=H8L6v+9rRt_Sn_EJ6-QQyeYhUra2_rm93EBMy5BKREQ@mail.gmail.com>
To: Stu Card <stu.card@axenterprize.com>
Cc: Adam Wiethuechter <adam.wiethuechter@axenterprize.com>, "tm-rid@ietf.org" <tm-rid@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000871e4a06150dcc62"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/nDZfWlj94GyM2vL3_GUanP_NAkg>
Subject: Re: [Drip] DIME Apex Allocation
X-BeenThere: tm-rid@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Drone Remote Identification Protocol <tm-rid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tm-rid/>
List-Post: <mailto:tm-rid@ietf.org>
List-Help: <mailto:tm-rid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2024 19:14:37 -0000
Thanks for submitting a new version. I will go through the new version just published. I think what would help me and probably convince everyone we need a DET for the Apex is to expose what wrong could happen if we do not have a DET for the Apex. If that can help to figure out the issue I have (at least from the previous version of the draft), is that I do see the function of the Apex as purely administrative. Yours, Daniel On Wed, Mar 27, 2024 at 3:48 PM Stu Card <stu.card@axenterprize.com> wrote: > I am strongly in favor of the Apex having a DET as there must be an Apex > for each IPv6 prefix and in applications beyond UAS RID of DRIP (e.g. the > ICAO Trust Framework for the entire civil aviation ecosystem) there will be > more than one prefix, leading to proliferation of RAA level X.509 > cross-certificates between agencies in related sectors and X.509 - DRIP > cross-endorsements such that verifying a full path from a leaf (e.g. UA) to > a root of trust would get complicated. That said, the ICAO Trust Framework > Panel has already gotten push-back from some of its member states, who > understandably do not want to surrender any of their sovereign authority to > ICAO by making the latter the sole global root of trust for civil aviation > computer networking, so cross-certs between RAAs, least one of which has > neither an X.509 cert nor a DET based DRIP endorsement, are very likely to > exist, and we will need to support them. > > Sent from my Verizon, Samsung Galaxy smartphone > Get Outlook for Android <https://aka.ms/AAb9ysg> > ------------------------------ > *From:* Tm-rid <tm-rid-bounces@ietf.org> on behalf of Adam Wiethuechter < > adam.wiethuechter@axenterprize.com> > *Sent:* Wednesday, March 27, 2024 1:17:16 PM > *To:* tm-rid@ietf.org <tm-rid@ietf.org> > *Subject:* [Drip] DIME Apex Allocation > > All, > > I am currently working through Daniels comments, thanks Dan! > > I have run across this specific set of comments (spanning Section 4 and > Section 4.1) and wish to engage in a discussion of the WG to see what other > people think. > > <mglt> > I think it would be good to clarify the meaning of the acronyms. > We should also explain what RAA/HDA differs from the generic RAAs/HDAs. > DET defines RAA and HDA as some bits, and it seems that some sort of > delegation exists between RAA and HDAs. However, there are no bits for Apex > and as such Figure 1 does not seem to represent that delegation induced by > the DET fields but instead as a specific "administrative entity" that uses > special bits values for RAA and HDA. Maybe that is clarified after, but the > current description is missing to specify that it represents business > entities or administrations. All of them will be encoded on the RAA and HDA > bits. > </mglt> > > 4.1. Apex > > The Apex is a special DIME role that holds the values of RAA=0-3 and > HDA=0. > It serves as the branch point from the larger DNS system in > which DETs are defined. The Apex is the owner of the IPv6 prefix > portion of the DET associated with it (2001:30/28) which is assigned > by IANA from the special IPv6 address space for ORCHIDs. > > <mglt> > I think I am missing the text that explains briefly why we need to have an > Apex. If that is the administrative contact of the prefix why do we need to > assign a specific RAA/HDA code point. > </mglt> > > > The primary discussion is I wish to raise is around if the Apex needs > allocations in RAA/HDA space. > > The Apex is to be run by some entity. At the moment it is agreed to be > IANA until ICAO can fill its place. There will obviously be X.509 > certificates that we will need to shadow as mentioned in -dki. > > Technically if the Apex is not given a DET out of this space there cannot > be a Broadcast Endorsement for the Apex. Currently it is defined that the > Broadcast Endorsement for the Apex is self-signed. If this is removed a few > things happen: > > > 1. drip-auth has one whole Broadcast Endorsement removed from its > chain. This is good as then less is needed to be sent over the air. This is > bad as the Apex is written into the document in Section 6. > 2. RAA level Broadcast Endorsement's become self-signed, and clients > must jump into the shadow X.509 PKI to confirm if the RAA is legitimate and > continue up the chain to the Apex. > > > I think we have two options to move forward with this comment: > > > 1. Remove the allocation of a DET for the Apex (i.e. RAA=0-3, HDA=0) > and have it solely be in the X.509 (as the Root CA?) chain. Text would need > to be added explaining that X.509s would be required between the Apex and > RAAs to confirm legitimate registration. > 2. Add text justifying the DET for the Apex. > > > On a technical level I believe it should stay the same, however on a > conceptual level legitimacy ends, at least to most end users, at their CAA > (which would be the RAA). > > Thoughts? > > -------- > 73, > Adam T. Wiethuechter > Software Engineer; AX Enterprize, LLC > -- > Tm-rid mailing list > Tm-rid@ietf.org > https://www.ietf.org/mailman/listinfo/tm-rid > -- Daniel Migault Ericsson
- Re: [Drip] DIME Apex Allocation Daniel Migault
- Re: [Drip] DIME Apex Allocation Stu Card
- [Drip] DIME Apex Allocation Adam Wiethuechter
- Re: [Drip] DIME Apex Allocation Alex Pershyn
- Re: [Drip] DIME Apex Allocation Daniel Migault