[{"author": "Job Snijders", "text": "

allo!

", "time": "2023-03-29T04:00:41Z"}, {"author": "Warren Kumari", "text": "

Huge huge thanks to Nathalie for having served.

", "time": "2023-03-29T04:01:53Z"}, {"author": "Job Snijders", "text": "

yes, she helped bring some order to the proceedings of SIDROPS - which I appreciate

", "time": "2023-03-29T04:02:32Z"}, {"author": "Randy Bush", "text": "

^H

", "time": "2023-03-29T04:02:56Z"}, {"author": "Michael Hollyman", "text": "

Happy to try the notes

", "time": "2023-03-29T04:03:19Z"}, {"author": "Warren Kumari", "text": "

Moar bits to sign! :-P

", "time": "2023-03-29T04:11:52Z"}, {"author": "Keyur Patel", "text": "

thank you Michael

", "time": "2023-03-29T04:12:57Z"}, {"author": "Ties de Kock", "text": "

Do routers take the union of VRPs over the connected RTR sessions in practice? Or does that differ by vendor?

", "time": "2023-03-29T04:13:17Z"}, {"author": "Ties de Kock", "text": "

Thanks for the answer!

", "time": "2023-03-29T04:14:33Z"}, {"author": "Job Snijders", "text": "

The solution is simple: TCP over Multicast!

", "time": "2023-03-29T04:21:41Z"}, {"author": "Rob Austein", "text": "

RPKI over NNTP

", "time": "2023-03-29T04:25:11Z"}, {"author": "Ties de Kock", "text": "

Head of line blocking probably would be less apparent with the RIPE validator because all retrieval was asynchronous there..

", "time": "2023-03-29T04:25:14Z"}, {"author": "Ties de Kock", "text": "

The downside of async fetching is that revalidation is needed more often - which is computationally expensive as well.

", "time": "2023-03-29T04:27:09Z"}, {"author": "Ties de Kock", "text": "

_every_ complete update of a repository causes a revalidation of the trees under one or more TALs

", "time": "2023-03-29T04:29:23Z"}, {"author": "Rob Austein", "text": "

Well, maybe. Refetch doesn't have to imply full revalidation, particularly if nothing has changed.

", "time": "2023-03-29T04:30:22Z"}, {"author": "George Michaelson", "text": "

\"there was a lively discussion at the microphone\" seems to me to cover this in the notes

", "time": "2023-03-29T04:31:09Z"}, {"author": "Rob Austein", "text": "

In fairness, Steve Kent was advocating decoupling fetch from validation from day one, implementors mostly didn't listen because it was painful. In retrospect, he was right.

", "time": "2023-03-29T04:31:43Z"}, {"author": "Ties de Kock", "text": "

Rob Austein said:

\n
\n

Well, maybe. Refetch doesn't have to imply full revalidation, particularly if nothing has changed.

\n
\n

For future implementations I would indeed recommend more memoisation than we did have at the time. We bet on parallelism there. Think we ended with ~ 70s mean delay after a TAL published a new notification file

", "time": "2023-03-29T04:33:22Z"}, {"author": "Jeffrey Haas", "text": "

Is there anyone that works on rrdp in the room that I can ask a question after the session?

", "time": "2023-03-29T04:37:29Z"}, {"author": "Rob Austein", "text": "

Define \"the room\" :)

", "time": "2023-03-29T04:38:55Z"}, {"author": "Nan Geng", "text": "

So, there are 5 aspa objects in the rpki repo now?

", "time": "2023-03-29T04:39:03Z"}, {"author": "Jeffrey Haas", "text": "

Rob Austein said:

\n
\n

Define \"the room\" :)

\n
\n

Physically present for speech based knowledge transfer without the need to setup remote presence. At least first round.

", "time": "2023-03-29T04:40:26Z"}, {"author": "Romain Fontugne", "text": "

How hard is it to create ASPA objects?

", "time": "2023-03-29T04:42:35Z"}, {"author": "George Michaelson", "text": "

You need access to 3779 bearing certificates and keys.

", "time": "2023-03-29T04:51:52Z"}, {"author": "George Michaelson", "text": "

a delegated CA makes that simpler, otherwise you need the supplier of signing services to accept a TBS either as ASN.1 specified binary or by a GUI to specify the things to be put into the ASN1 to be signed over

", "time": "2023-03-29T04:52:26Z"}, {"author": "Ties de Kock", "text": "
\n

otherwise you need the supplier of signing services to accept a TBS either as ASN.1 specified binary or by a GUI to specify the things to be put into the ASN1 to be signed over

\n
\n

And keep the artifact on the manifest

", "time": "2023-03-29T04:52:59Z"}, {"author": "George Michaelson", "text": "

yes. they need to be published.

", "time": "2023-03-29T04:53:29Z"}, {"author": "Ties de Kock", "text": "

There is an API to create ASPA objects on RIPE NCC's pilot environment, but this is not enabled in production.

", "time": "2023-03-29T04:54:22Z"}, {"author": "Rob Austein", "text": "

Because of the need to publish and renew and all, other than hand-constructed test cases, adding a new object type involves code changes to both engine and UI, so software update cycle.

", "time": "2023-03-29T04:54:24Z"}, {"author": "George Michaelson", "text": "

https://krill.docs.nlnetlabs.nl/en/stable/manage-aspas.html

", "time": "2023-03-29T04:54:56Z"}, {"author": "Tom Hill", "text": "

So.. what's the equivalent to a route object in the IRR, but for signalling upstream ASNs?

", "time": "2023-03-29T04:56:37Z"}, {"author": "Tom Hill", "text": "

In the interest of maintaining good hygiene that lets us go straight to invalid

", "time": "2023-03-29T04:57:03Z"}, {"author": "Tom Hill", "text": "

I'll laugh if anyone says RPSL, for the record :grinning_face_with_smiling_eyes:

", "time": "2023-03-29T04:58:04Z"}, {"author": "Jeffrey Haas", "text": "

Chairs should remind people to wear their masks and do so properly.

", "time": "2023-03-29T05:07:02Z"}, {"author": "Ties de Kock", "text": "

This _sounds_ like we need conformance testing files

", "time": "2023-03-29T05:10:51Z"}, {"author": "Rob Austein", "text": "

Keep in mind that one of the reasons for SLURM was concerns about country A generating RPKI data that country B considered illegal and requiring ISPs in country B to filter. One can argue about whether governments should do such things and about whether the IETF should make this easier, but part of the point was having a mechanism that was simple enough that one could reasonably expect to get the same result from feeding the same set of filter rules into two RPs.

", "time": "2023-03-29T05:13:18Z"}, {"author": "Randy Bush", "text": "

and why would you ever believe a slurm file from anyone else?

", "time": "2023-03-29T05:18:15Z"}, {"author": "Rob Austein", "text": "

Because the somebody else in this case is a government that will shut you down or arrest you if you don't accept that SLURM file. \"Believe\" may not be the word you're looking for here :)

", "time": "2023-03-29T05:20:03Z"}, {"author": "Randy Bush", "text": "

bingo geoff!!!

", "time": "2023-03-29T05:34:55Z"}, {"author": "George Michaelson", "text": "

Signed objects do have a lifetime however

", "time": "2023-03-29T05:39:22Z"}, {"author": "George Michaelson", "text": "

(to Rudiger)

", "time": "2023-03-29T05:39:29Z"}, {"author": "Rob Austein", "text": "

geoff's suggestion made a lot of sense to me

", "time": "2023-03-29T05:40:11Z"}, {"author": "Job Snijders", "text": "

Jeffrey Haas said:

\n
\n

Is there anyone that works on rrdp in the room that I can ask a question after the session?

\n
\n

I can help

", "time": "2023-03-29T05:41:10Z"}, {"author": "Jeffrey Haas", "text": "

Job Snijders said:

\n
\n

Jeffrey Haas said:

\n
\n

Is there anyone that works on rrdp in the room that I can ask a question after the session?

\n
\n

I can help

\n
\n

Please join Ties and I briefly at end. Thanks!

", "time": "2023-03-29T05:42:54Z"}, {"author": "Job Snijders", "text": "

Ties de Kock said:

\n
\n

This _sounds_ like we need conformance testing files

\n
\n

what is this a reference to if you don't mind repeating?

", "time": "2023-03-29T05:51:40Z"}, {"author": "Rob Austein", "text": "

This stuff needs to be written down in a form that someone can actually analyze. I agree that we should look into these problems, but just asserting that problems exist and that we therefore need to rev protocols is a bit hasty.

", "time": "2023-03-29T05:51:48Z"}, {"author": "Ties de Kock", "text": "
\n

Conformance testing \u2014 an element of conformity assessment, and also known as compliance testing, or type testing \u2014 is testing or other activities that determine whether a process, product, or service complies with the requirements of a specification, technical standard, contract, or regulation. Wikipedia

\n
", "time": "2023-03-29T05:52:51Z"}, {"author": "Ties de Kock", "text": "

In practice: A set of inputs + set of expected outputs

", "time": "2023-03-29T05:53:10Z"}, {"author": "Job Snijders", "text": "

right, but what is 'this' in your message?

", "time": "2023-03-29T05:53:18Z"}, {"author": "Ties de Kock", "text": "

It was SLURM-ASPA and a comment about implementations having the exact same behaviour

", "time": "2023-03-29T05:53:38Z"}, {"author": "Job Snijders", "text": "

ah, yes, good idea

", "time": "2023-03-29T05:53:51Z"}, {"author": "Ties de Kock", "text": "

So a few combinations of inputs and outputs to slurm(raw_vrps_aspa_and_keys, aspa_file) -> effective_vrps_aspa_keys that contain the scenarios that we want to describe

", "time": "2023-03-29T05:55:03Z"}, {"author": "Job Snijders", "text": "

Romain Fontugne said:

\n
\n

How hard is it to create ASPA objects?

\n
\n

you can use:

$ echo 302002023cca301a300402020b6230040202205b3005020300c7903005020303259e | xxd -r -ps > econtent
$ openssl genrsa -out ee.key 2048
$ openssl req -new -key ee.key -out ee.csr -subj \"/CN=$(date +%s)\"
$ openssl ca -batch -config openssl.cnf -in ee.csr -out ee.cert -extensions signing_ca_ext -days 365
$ openssl cms -sign -binary -nodetach -nosmimecap -keyid -econtent_type 1.2.840.113549.1.9.16.1.49 -signer ee.cert -inkey ee.key -in econtent -outform DER -out ASPA.asa
", "time": "2023-03-29T05:56:01Z"}, {"author": "Ties de Kock", "text": "

@Romain Fontugne https://mailarchive.ietf.org/arch/msg/sidrops/xBKeFYOtaSeeHxkoKzLwQq2JBWw/ for an API in our pilot environment

", "time": "2023-03-29T05:57:06Z"}, {"author": "Job Snijders", "text": "

Ties de Kock said:

\n
\n

So a few combinations of inputs and outputs to slurm(raw_vrps_aspa_and_keys, aspa_file) -> effective_vrps_aspa_keys that contain the scenarios that we want to describe

\n
\n

yes, in an implementation/interop report I'd hope that can be demonstrated to have been validated for the implementations claiming compliance (I believe SIDROPS requires 2 implementations before things can move forward to IESG, such conformance testing would be 1 way of demonstrating that)

", "time": "2023-03-29T05:57:40Z"}, {"author": "Rob Austein", "text": "

I want problem analysis for what Tim is talking about before we decide what protocol changes are needed. Best practice document is reasonable.

", "time": "2023-03-29T05:58:32Z"}]