IETF Logo Mail Archive

Re: [Drip] DIME Apex Allocation

Daniel Migault <mglt.ietf@gmail.com> Mon, 01 April 2024 19:14 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tm-rid@ietfa.amsl.com
Delivered-To: tm-rid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 659C8C14CE51 for <tm-rid@ietfa.amsl.com>; Mon, 1 Apr 2024 12:14:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SsjxLs12aWSO for <tm-rid@ietfa.amsl.com>; Mon, 1 Apr 2024 12:14:33 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DE02C14CE25 for <tm-rid@ietf.org>; Mon, 1 Apr 2024 12:14:33 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id 2adb3069b0e04-515a81928faso5315974e87.1 for <tm-rid@ietf.org>; Mon, 01 Apr 2024 12:14:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711998871; x=1712603671; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=H6h6lPqwkoiMerttzhgcGOlYt5rOG7cdYzHBHsYqj+U=; b=IZMUz2kNpRegxbBVC7W8TfBmIQrPMJNFH0jx9EQcr7SvdJVvC5y3qDjIBml6WcXxSE h6OXkUItCv8f3Jg/5YLsMywkT0BlUmaJlUZ3qF1++9X3ae5uW1NeeplX+aPG+0b1I5a6 TgWY/LeqiK3gEOQzzH/rgAv4k5HHn/DOvMg4JrGb6Tlox9aSg+wFKHogRCiJqyYlvZzb DpcKUnxoT9A0oA7yEUsMcPzBYacEcDI+F1KrPpOFb85KWmt9W+lcLlM6aNouNvwgC/fq WwBKi7iczKsx5FFvM+RvKDQcRq2NHxsfynpREL2Ax6JRCJAp9l3S9V4ptS9hbAW3LEbH KJ3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711998871; x=1712603671; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=H6h6lPqwkoiMerttzhgcGOlYt5rOG7cdYzHBHsYqj+U=; b=mSgh4HP0mB5kiE0aSruJqPL0B6HtvYji0sIRRUF2h+OKXD1Nr9tt2pudvDMDh+zlDv y458tIdiZWQzn+Y/1xAzu0mU0R2ct07ETHnVwiqvw7at2PSUM/f8v8YPbLCeQq3WFamH S1vLyHGLy+q33FVO5MNw2vzBbRAZj0Z3FqT2ViEpa9crHt4qgtU+uxj0vXtm5XfVva6Q 3wXMPiRIxtBUy2WWQNrRSDFcWp5oNylTBoq6nlXwtTpSg6J1VAjRszbSqq9DfR7Kwzwf lHq9bMrgZGd21OkoSR5QCfMHXqM0J/3YBbEI89XcuIvfPAW+tVdclx/L6Dt3vS+N9GbD LhhQ==
X-Forwarded-Encrypted: i=1; AJvYcCXsh5H2zc7szbpj2GoyZNDv5K4PP8No3IUVz0mPSdl6aZ76hmbD+79EPWD4p0rpi96D99CLTnbm4FTGjPV5eFI=
X-Gm-Message-State: AOJu0YzhmV3xDAxes8fxGCfSCrkrhIG6ZfQ9/6cac9Fhzklto+8hPlyz 7uEC9KSv+HRNDCaCJVR/nJL9hnunC6SrBrXaAG86tqznh2WegXks+YnNzqhnxOaUGkWV93tALhz 2attW8RKAmKRNmGFcRJl10G8WJbwYpvBZ
X-Google-Smtp-Source: AGHT+IF8TZCGf5T6t8XnsvZYYWSNW7gTSDvJa2IQgJFol9mylpJj57e2OySdoT8PkvsjORTx7whKjrGh/8KXLRbWn0I=
X-Received: by 2002:a05:6512:3592:b0:515:bb3a:116a with SMTP id m18-20020a056512359200b00515bb3a116amr6123622lfr.41.1711998870425; Mon, 01 Apr 2024 12:14:30 -0700 (PDT)
MIME-Version: 1.0
References: <SA3PR13MB651581117E8CBCF288892CE988342@SA3PR13MB6515.namprd13.prod.outlook.com> <MN2PR13MB420791F9C210FACF0BDD67B9F8342@MN2PR13MB4207.namprd13.prod.outlook.com>
In-Reply-To: <MN2PR13MB420791F9C210FACF0BDD67B9F8342@MN2PR13MB4207.namprd13.prod.outlook.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 01 Apr 2024 15:14:18 -0400
Message-ID: <CADZyTk=H8L6v+9rRt_Sn_EJ6-QQyeYhUra2_rm93EBMy5BKREQ@mail.gmail.com>
To: Stu Card <stu.card@axenterprize.com>
Cc: Adam Wiethuechter <adam.wiethuechter@axenterprize.com>, "tm-rid@ietf.org" <tm-rid@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000871e4a06150dcc62"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/nDZfWlj94GyM2vL3_GUanP_NAkg>
Subject: Re: [Drip] DIME Apex Allocation
X-BeenThere: tm-rid@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Drone Remote Identification Protocol <tm-rid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tm-rid/>
List-Post: <mailto:tm-rid@ietf.org>
List-Help: <mailto:tm-rid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2024 19:14:37 -0000

Thanks for submitting a new version. I will go through the new version just
published. I think what would help me and probably convince everyone we
need a DET for the Apex is to expose what wrong could happen if we do not
have a DET for the Apex. If that can help to figure out the issue I have
(at least from the previous version of the draft), is that I do see
the function of the Apex as purely administrative.

Yours,
Daniel

On Wed, Mar 27, 2024 at 3:48 PM Stu Card <stu.card@axenterprize.com> wrote:

> I am strongly in favor of the Apex having a DET as there must be an Apex
> for each IPv6 prefix and in applications beyond UAS RID of DRIP (e.g. the
> ICAO Trust Framework for the entire civil aviation ecosystem) there will be
> more than one prefix, leading to proliferation of RAA level X.509
> cross-certificates between agencies in related sectors and X.509 - DRIP
> cross-endorsements such that verifying a full path from a leaf (e.g. UA) to
> a root of trust would get complicated. That said, the ICAO Trust Framework
> Panel has already gotten push-back from some of its member states, who
> understandably do not want to surrender any of their sovereign authority to
> ICAO by making the latter the sole global root of trust for civil aviation
> computer networking, so cross-certs between RAAs, least one of which has
> neither an X.509 cert nor a DET based DRIP endorsement, are very likely to
> exist, and we will need to support them.
>
> Sent from my Verizon, Samsung Galaxy smartphone
> Get Outlook for Android <https://aka.ms/AAb9ysg>
> ------------------------------
> *From:* Tm-rid <tm-rid-bounces@ietf.org> on behalf of Adam Wiethuechter <
> adam.wiethuechter@axenterprize.com>
> *Sent:* Wednesday, March 27, 2024 1:17:16 PM
> *To:* tm-rid@ietf.org <tm-rid@ietf.org>
> *Subject:* [Drip] DIME Apex Allocation
>
> All,
>
> I am currently working through Daniels comments, thanks Dan!
>
> I have run across this specific set of comments (spanning Section 4 and
> Section 4.1) and wish to engage in a discussion of the WG to see what other
> people think.
>
> <mglt>
> I think it would be good to clarify the meaning of the acronyms.
> We should also explain what RAA/HDA differs from the generic RAAs/HDAs.
> DET defines RAA and HDA as some bits, and it seems that some sort of
> delegation exists between RAA and HDAs. However, there are no bits for Apex
> and as such Figure 1 does not seem to represent that delegation induced by
> the DET fields but instead as a specific "administrative entity" that uses
> special bits values for RAA and HDA. Maybe that is clarified after, but the
> current description is missing to specify that it represents business
> entities or administrations. All of them will be encoded on the RAA and HDA
> bits.
> </mglt>
>
> 4.1.  Apex
>
>    The Apex is a special DIME role that holds the values of RAA=0-3 and
>    HDA=0.
>  It serves as the branch point from the larger DNS system in
>    which DETs are defined.  The Apex is the owner of the IPv6 prefix
>    portion of the DET associated with it (2001:30/28) which is assigned
>    by IANA from the special IPv6 address space for ORCHIDs.
>
> <mglt>
> I think I am missing the text that explains briefly why we need to have an
> Apex. If that is the administrative contact of the prefix why do we need to
> assign a specific RAA/HDA code point.
> </mglt>
>
>
> The primary discussion is I wish to raise is around if the Apex needs
> allocations in RAA/HDA space.
>
> The Apex is to be run by some entity. At the moment it is agreed to be
> IANA until ICAO can fill its place. There will obviously be X.509
> certificates that we will need to shadow as mentioned in -dki.
>
> Technically if the Apex is not given a DET out of this space there cannot
> be a Broadcast Endorsement for the Apex. Currently it is defined that the
> Broadcast Endorsement for the Apex is self-signed. If this is removed a few
> things happen:
>
>
>    1. drip-auth has one whole Broadcast Endorsement removed from its
>    chain. This is good as then less is needed to be sent over the air. This is
>    bad as the Apex is written into the document in Section 6.
>    2. RAA level Broadcast Endorsement's become self-signed, and clients
>    must jump into the shadow X.509 PKI to confirm if the RAA is legitimate and
>    continue up the chain to the Apex.
>
>
> I think we have two options to move forward with this comment:
>
>
>    1. Remove the allocation of a DET for the Apex (i.e. RAA=0-3, HDA=0)
>    and have it solely be in the X.509 (as the Root CA?) chain. Text would need
>    to be added explaining that X.509s would be required between the Apex and
>    RAAs to confirm legitimate registration.
>    2. Add text justifying the DET for the Apex.
>
>
> On a technical level I believe it should stay the same, however on a
> conceptual level legitimacy ends, at least to most end users, at their CAA
> (which would be the RAA).
>
> Thoughts?
>
> --------
> 73,
> Adam T. Wiethuechter
> Software Engineer; AX Enterprize, LLC
> --
> Tm-rid mailing list
> Tm-rid@ietf.org
> https://www.ietf.org/mailman/listinfo/tm-rid
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email