draft-harrison-sidrops-manifest-number-01, presented at IETF 119

•

0 gefällt mir•354 views

Tom Harrison, Product and Delivery Manager at APNIC presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16-22 March 2024

Internet

1
draft-harrison-sidrops-manifest-numbers-01
●●●
Tom Harrison (tomh@apnic.net)
George Michaelson (ggm@apnic.net)
Job Snijders (job@fastly.com)
IETF 119 SIDROPS Working Group

2
What is this about? (1)
● Manifests include a field called manifestNumber
● RFC 6486: Manifests for the RPKI (February 2012)
– “This field is an integer that is incremented each time a new manifest is
issued for a given publication point”
– “Manifest verifiers MUST be able to handle number values up to 20 octets”
● RFC 9286: Manifests for the RPKI (June 2022)
– “Each RP MUST verify that a purported "new" manifest contains a higher
manifestNumber than previously validated manifests”
– “If the purported "new" manifest contains a manifestNumber value equal to
or lower than manifestNumber values of previously validated manifests, the
RP SHOULD use locally cached versions of objects”

3
What is this about? (2)
● A strict reading of the text requires that relying parties reject new manifests once the largest
signed 20-byte value (i.e. 1 << ((20 * 8) - 1) – 1, called MN_MAX from here) is
reached
– The CA can’t be used from that point onwards
● But MN_MAX is a very large number?
– Yes: if manifestNumber is incremented by one on reissuance, MN_MAX would not be reached
in billions of years, even if issuing billions of manifests per second
– But the manifest number can be set to an arbitrary value by the issuer
● E.g. ARIN’s TA’s manifestNumber is currently ~1x1045
(~1/128 of MN_MAX)
– And bugs or similar could cause manifestNumber to be set to a large value, or to increment
by large values
– In particular, if a TA becomes unusable, requires new root key issuance
● Time-consuming, plus long tail of users still using old TAL

4
How should RPs handle this?
● Draft includes strawman proposal: if the manifest filename changes, reset the manifest number
check
– This is the current behaviour in rpki-client
● See appendix A for a detailed description of the rpki-client implementation
● Based on reading 9286 as referring to manifest numbers on a per-manifest-filename
basis, rather than a per-CA basis
– Pros:
● Simple to implement
● If there is consensus that this is required by 9286 as-is, then no further draft work
required
– Cons:
● 9286 can be interpreted as though this is not required, or even permitted
– See also RFC 8488 (RIPE NCC's Implementation of Resource Public Key
Infrastructure (RPKI) Certificate Tree Validation)

5
What are the other options?
● Remove the manifestNumber check
● Make the largest manifestNumber a function of the current
time
● Use serial number arithmetic to facilitate rollover
● Leave as-is on the RP side
– Up to CAs/TAs to ensure manifestNumber makes sense
on the server side before publication

6
RP support for 9286
Manifest number
reuse
Accepted Accepted Accepted Rejected
Manifest number
regression
Accepted Accepted Accepted Rejected
Manifest number of
MN_MAX Rejected Accepted Accepted Accepted
Manifest number >
MN_MAX Rejected Accepted Rejected Accepted
Manifest number of
MN_MAX_2* Rejected Accepted Rejected Accepted
Manifest number >
MN_MAX_2* Rejected Accepted Rejected Rejected
https:/
/github.com/APNIC-net/rpki-mft-number-demo
* (1 << (20 * 8)) – 1 (i.e. the largest unsigned 160-bit value, rather than the largest signed 160-bit value)

7
Next steps
●
Get feedback on current draft approach and
potential alternatives

Weitere ähnliche Inhalte

Ähnlich wie draft-harrison-sidrops-manifest-number-01, presented at IETF 119

Row #9: An architecture overview of APNIC's RDAP deployment to the cloud

APNIC

Speaker: Poorna Chandra, from Cask Big Data Applications Meetup, 07/27/2016 Palo Alto, CA More info here: http://www.meetup.com/BigDataApps/ Link to talk: https://www.youtube.com/watch?v=I1GLRXyQlx8 About the talk: Twill is an Apache incubator project that provides higher level abstraction to build distributed systems applications on YARN. Developing distributed applications using YARN is challenging because it does not provide higher level APIs, and lots of boiler plate code needs to be duplicated to deploy applications. Developing YARN applications is typically done by framework developers, like those familiar with Apache Flink or Apache Spark, who need to deploy the framework in a distributed way. By using Twill, application developers need only be familiar with the basics of the Java programming model when using the Twill APIs, so they can focus on solving business problems. In this talk I present how Twill can be leveraged and an example of Cask Data Application Platform (CDAP) that heavily uses Twill for resource management.

Building Enterprise Grade Applications in Yarn with Apache Twill

Cask Data

Born at Facebook, Presto is an open source high performance, distributed SQL query engine. With the disaggregation of storage and compute, Presto was created to simplify querying of all data lakes - cloud data lakes like S3 and on premise data lakes like HDFS. Presto's high performance and flexibility has made it a very popular choice for interactive query workloads on large Hadoop-based clusters as well as AWS S3, Google Cloud Storage and Azure blob store. Today it has grown to support many users and use cases including ad hoc query, data lake house analytics, and federated querying. In this session, we will give an overview on Presto including architecture and how it works, the problems it solves, and most common use cases. We'll also share the latest innovation in the project as well as the future roadmap.

Presto – Today and Beyond – The Open Source SQL Engine for Querying all Data...

Dipti Borkar

Introducing TiDB @ SF DevOps Meetup

Kevin Xu

Stream processing with Apache Flink @ OfferUp

Bowen Li

This webinar recording introduces potential users in the energy industry to the communications specification defined by TROLIE, an LF Energy project aiming to establish an open conformance standard and cultivate a software ecosystem to accelerate the implementation of reliable, secure, and interoperable systems for the exchange of transmission facility ratings and related information. With FERC Order 881 being implemented next year in the United States, most organizations involved in the operation of the transmission system in North America now need to exchange ratings and related information in an automated, frequent manner. This project will help accelerate their implementation and simplify interoperability. This webinar provides a technical introduction as well as "how to" content from the perspective of TROLIE's primary users - reliability coordinators and transmission owners. The webinar was presented by Christopher Atkins of MISO and Tory McKeag of GE Vernova. Learn more about the TROLIE project at https://lfenergy.org/projects/trolie/.

LF Energy Webinar: Introduction to TROLIE

DanBrown980551

The recent surge of network I/O performance has put enormous pressure on memory and software I/O processing subsystems for many cloud and data center applications, such as key-value stores and real-time analytics frameworks. A major reason for the high memory and processing overheads is the inefficient use of these resources by network interface cards. Offloading functionality to a programmable NIC can help, but what to offload needs to be carefully chosen. This presentation will cover a number of reusable offloading mechanisms that can help data center software processing efficiency. It will show how to implement these mechanisms in the P4 programming language and discuss their efficiency using experiments run on the Netronome Agilio-CX NIC.

Accelerating Networked Applications with Flexible Packet Processing

Open-NFP

The networking industry has made good progress in the last few years on developing programmable interfaces and protocols for the control plane to enable a more dynamic and efficient infrastructure. Despite this progress, some parts of networking risk being left behind, most notably network management and configuration. The state-of-the-art in network management remains relegated to proprietary device interfaces (e.g., CLIs), imperative, incremental configuration, and lack of meaningful abstractions. We propose a framework for network configuration guided by software-defined networking principles, with a focus on developing common models of network devices, and common languages to describe network structure and policies. We also propose a publish/subscribe framework for next generation network telemetry, focused on streaming structured data from network elements themselves.

SDN in the Management Plane: OpenConfig and Streaming Telemetry

Anees Shaikh

Apache Ratis - In Search of a Usable Raft Library

Tsz-Wo (Nicholas) Sze

Pivotal Real Time Data Stream Analytics

kgshukla

IETF 118: regext-rdap-rir-search

APNIC

TiDB + Mobike by Kevin Xu (@kevinsxu)

Kevin Xu

Building Pinterest Real-Time Ads Platform Using Kafka Streams (Liquan Pei + Boyang Chen, Pinterest) Kafka Summit SF 2018 In this talk, we are sharing the experience of building Pinterest’s real-time Ads Platform utilizing Kafka Streams. The real-time budgeting system is the most mission-critical component of the Ads Platform as it controls how each ad is delivered to maximize user, advertiser and Pinterest value. The system needs to handle over 50,000 queries per section (QPS) impressions, requires less than five seconds of end-to-end latency and recovers within five minutes during outages. It also needs to be scalable to handle the fast growth of Pinterest’s ads business. The real-time budgeting system is composed of real-time stream-stream joiner, real-time spend aggregator and a spend predictor. At Pinterest’s scale, we need to overcome quite a few challenges to make each component work. For example, the stream-stream joiner needs to maintain terabyte size state while supporting fast recovery, and the real-time spend aggregator needs to publish to thousands of ads servers while supporting over one million read QPS. We choose Kafka Streams as it provides milliseconds latency guarantee, scalable event-based processing and easy-to-use APIs. In the process of building the system, we performed tons of tuning to RocksDB, Kafka Producer and Consumer, and pushed several open source contributions to Apache Kafka. We are also working on adding a remote checkpoint for Kafka Streams state to reduce the time of code start when adding more machines to the application. We believe that our experience can be beneficial to people who want to build real-time streaming solutions at large scale and deeply understand Kafka Streams.

Building Pinterest Real-Time Ads Platform Using Kafka Streams

confluent

Have you ever thought about how your site’s performance compares to the web as a whole? Or maybe you’re curious how popular a particular web feature is. How much is too much JavaScript? The HTTP Archive has been keeping track of how the web is built since 2010. It enables you to find answers to questions about the state of the web past and present. Rick Viscomi, developer relations at Google, and Paul Calvano, web performance architect at Akamai, will explore how the HTTP Archive works, some of the ways people are using this dataset, and discuss some ways that Akamai has leveraged data within the HTTP Archive to help our customers. The session will include: (1) an intro to the HTTP Archive (what it does, how it works, who uses it, and how to get started quickly), and (2) case studies on compression research, third-party research, server analysis, and how to identify common performance errors across sites

Tracking the Performance of the Web Over Time with the HTTP Archive

Akamai Developers & Admins

Akamai Edge: Tracking the Performance of the Web with HTTP Archive

Rick Viscomi

JCIS 2022 - Smart LAMA API: Automated Capacity Analysis of Limitation-Aware M...

Rafael Apellidos

Index conf sparkml-feb20-n-pentreath

Chester Chen

Datomic R-trees

jsofra

Datomic rtree-pres

jsofra

Outsourcing IT Projects to Managed Hosting of the Cloud

Rackspace

Ähnlich wie draft-harrison-sidrops-manifest-number-01, presented at IETF 119 (20)

Row #9: An architecture overview of APNIC's RDAP deployment to the cloud

Building Enterprise Grade Applications in Yarn with Apache Twill

Presto – Today and Beyond – The Open Source SQL Engine for Querying all Data...

Introducing TiDB @ SF DevOps Meetup

Stream processing with Apache Flink @ OfferUp

LF Energy Webinar: Introduction to TROLIE

Accelerating Networked Applications with Flexible Packet Processing

SDN in the Management Plane: OpenConfig and Streaming Telemetry

Apache Ratis - In Search of a Usable Raft Library

Pivotal Real Time Data Stream Analytics

IETF 118: regext-rdap-rir-search

TiDB + Mobike by Kevin Xu (@kevinsxu)

Building Pinterest Real-Time Ads Platform Using Kafka Streams

Tracking the Performance of the Web Over Time with the HTTP Archive

Akamai Edge: Tracking the Performance of the Web with HTTP Archive

JCIS 2022 - Smart LAMA API: Automated Capacity Analysis of Limitation-Aware M...

Index conf sparkml-feb20-n-pentreath

Datomic R-trees

Datomic rtree-pres

Outsourcing IT Projects to Managed Hosting of the Cloud

Mehr von APNIC

Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...

APNIC

APNIC Updates presented by Paul Wilson at CaribNOG 27

APNIC

APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0

APNIC

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...

APNIC

APNIC Updates presented by Paul Wilson at ARIN 53

APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024

APNIC

'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...

APNIC

On Starlink, presented by Geoff Huston at NZNOG 2024

APNIC

Networking in the Penumbra presented by Geoff Huston at NZNOG

APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119

APNIC

Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119

APNIC

IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119

APNIC

Is DNS ready for IPv6, presented by Geoff Huston at IETF 119

APNIC

Benefits of doing Internet peering and running an Internet Exchange (IX) pres...

APNIC

APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85

APNIC

NANOG 90: 'BGP in 2023' presented by Geoff Huston

APNIC

DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston

APNIC

APAN 57: APNIC Report at APAN 57, Bangkok, Thailand

APNIC

Lao Digital Week 2024: It's time to deploy IPv6

APNIC

AINTEC 2023: Networking in the Penumbra!

APNIC

Mehr von APNIC (20)

Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...

APNIC Updates presented by Paul Wilson at CaribNOG 27

APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...

APNIC Updates presented by Paul Wilson at ARIN 53

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024

'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...

On Starlink, presented by Geoff Huston at NZNOG 2024

Networking in the Penumbra presented by Geoff Huston at NZNOG

IP addressing and IPv6, presented by Paul Wilson at IETF 119

Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119

IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119

Is DNS ready for IPv6, presented by Geoff Huston at IETF 119

Benefits of doing Internet peering and running an Internet Exchange (IX) pres...

APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85

NANOG 90: 'BGP in 2023' presented by Geoff Huston

DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston

APAN 57: APNIC Report at APAN 57, Bangkok, Thailand

Lao Digital Week 2024: It's time to deploy IPv6

AINTEC 2023: Networking in the Penumbra!

Kürzlich hochgeladen

The+Prospects+of+E-Commerce+in+China.pptx

laozhuseo02

The AI Powered Organization-Intro to AI-LAN.pdf

SiskaFitrianingrum

How to Use Contact Form 7 Like a Pro.pptx

Gal Baras

Pvtaan Social media marketing proposal.pdf

Pvtaan

UTS毕业证原版定制【微信：176555708】【悉尼科技大学毕业证成绩单-学位证】【微信：176555708】（留信学历认证永久存档查询）采用学校原版纸张、特殊工艺完全按照原版一比一制作（包括：隐形水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠，文字图案浮雕，激光镭射，紫外荧光，温感，复印防伪）行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备，十五年致力于帮助留学生解决难题，业务范围有加拿大、英国、澳洲、韩国、美国、新加坡，新西兰等学历材料，包您满意。 ◆◆◆◆◆ — — — — — — — — 【留学教育】留学归国服务中心 — — — — — -◆◆◆◆◆ 【主营项目】一.毕业证【微信：176555708】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等！二.真实使馆公证(即留学回国人员证明,不成功不收费) 三.真实教育部学历学位认证（教育部存档！教育部留服网站永久可查）四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度) 如果您处于以下几种情况： ◇在校期间，因各种原因未能顺利毕业……拿不到官方毕业证【微信：176555708】 ◇面对父母的压力，希望尽快拿到； ◇不清楚认证流程以及材料该如何准备； ◇回国时间很长，忘记办理； ◇回国马上就要找工作，办给用人单位看； ◇企事业单位必须要求办理的 ◇需要报考公务员、购买免税车、落转户口 ◇申请留学生创业基金留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分→ 【关于价格问题（保证一手价格）我们所定的价格是非常合理的，而且我们现在做得单子大多数都是代理和回头客户介绍的所以一般现在有新的单子我给客户的都是第一手的代理价格，因为我想坦诚对待大家不想跟大家在价格方面浪费时间对于老客户或者被老客户介绍过来的朋友，我们都会适当给一些优惠。 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才选择实体注册公司办理，更放心，更安全！我们的承诺：可来公司面谈，可签订合同，会陪同客户一起到教育部认证窗口递交认证材料，客户在教育部官方认证查询网站查询到认证通过结果后付款，不成功不收费！学历顾问：微信：176555708

一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理

aagad

History+of+E-commerce+Development+in+China-www.cfye-commerce.shop

laozhuseo02

Article writing on excessive use of internet.pptx

abhinandnam9997

ER(Entity Relationship) Diagram for online shopping - TAE

Himani415946

How Do I Begin the Linksys Velop Setup Process?

Linksys Velop Login

Talk presented at Kubernetes Community Day, New York, May 2024. Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics. 1) Key patterns for Multi-cluster architectures 2) Architectural comparison of several OSS/ CNCF projects to address these patterns 3) Evolution trends for the APIs of these projects 4) Some design recommendations & guidelines for adopting/ deploying these solutions.

Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines

Sanjeev Rampal

The Use of AI in Indonesia Election 2024: A Case Study

Damar Juniarto

Do you know — how to create stunning faceless videos in less than 60 seconds? The answer is — Intellivid AI Studio. This amazing and ultimate software is the world’s first AI tech that transforms any keyword into stunning faceless videos. The best part is it does this for any niche and language within 60 seconds or less. In today’s time, there are two types of audiences i.e. one who loves watching videos. While others love to create videos to earn some extra bucks. In this PDF you will learn everything about this amazing AI powered Software - Intellivid AI Studio.

The Best AI Powered Software - Intellivid AI Studio

Vikram Brahma (Online-Digital-Entrepreneur)

Kürzlich hochgeladen (12)

The+Prospects+of+E-Commerce+in+China.pptx

The AI Powered Organization-Intro to AI-LAN.pdf

How to Use Contact Form 7 Like a Pro.pptx

Pvtaan Social media marketing proposal.pdf

一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理

History+of+E-commerce+Development+in+China-www.cfye-commerce.shop

Article writing on excessive use of internet.pptx

ER(Entity Relationship) Diagram for online shopping - TAE

How Do I Begin the Linksys Velop Setup Process?

Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines

The Use of AI in Indonesia Election 2024: A Case Study

The Best AI Powered Software - Intellivid AI Studio

draft-harrison-sidrops-manifest-number-01, presented at IETF 119

1. 1 draft-harrison-sidrops-manifest-numbers-01 ●●● Tom Harrison (tomh@apnic.net) George Michaelson (ggm@apnic.net) Job Snijders (job@fastly.com) IETF 119 SIDROPS Working Group

2. 2 What is this about? (1) ● Manifests include a field called manifestNumber ● RFC 6486: Manifests for the RPKI (February 2012) – “This field is an integer that is incremented each time a new manifest is issued for a given publication point” – “Manifest verifiers MUST be able to handle number values up to 20 octets” ● RFC 9286: Manifests for the RPKI (June 2022) – “Each RP MUST verify that a purported "new" manifest contains a higher manifestNumber than previously validated manifests” – “If the purported "new" manifest contains a manifestNumber value equal to or lower than manifestNumber values of previously validated manifests, the RP SHOULD use locally cached versions of objects”

3. 3 What is this about? (2) ● A strict reading of the text requires that relying parties reject new manifests once the largest signed 20-byte value (i.e. 1 << ((20 * 8) - 1) – 1, called MN_MAX from here) is reached – The CA can’t be used from that point onwards ● But MN_MAX is a very large number? – Yes: if manifestNumber is incremented by one on reissuance, MN_MAX would not be reached in billions of years, even if issuing billions of manifests per second – But the manifest number can be set to an arbitrary value by the issuer ● E.g. ARIN’s TA’s manifestNumber is currently ~1x1045 (~1/128 of MN_MAX) – And bugs or similar could cause manifestNumber to be set to a large value, or to increment by large values – In particular, if a TA becomes unusable, requires new root key issuance ● Time-consuming, plus long tail of users still using old TAL

4. 4 How should RPs handle this? ● Draft includes strawman proposal: if the manifest filename changes, reset the manifest number check – This is the current behaviour in rpki-client ● See appendix A for a detailed description of the rpki-client implementation ● Based on reading 9286 as referring to manifest numbers on a per-manifest-filename basis, rather than a per-CA basis – Pros: ● Simple to implement ● If there is consensus that this is required by 9286 as-is, then no further draft work required – Cons: ● 9286 can be interpreted as though this is not required, or even permitted – See also RFC 8488 (RIPE NCC's Implementation of Resource Public Key Infrastructure (RPKI) Certificate Tree Validation)

5. 5 What are the other options? ● Remove the manifestNumber check ● Make the largest manifestNumber a function of the current time ● Use serial number arithmetic to facilitate rollover ● Leave as-is on the RP side – Up to CAs/TAs to ensure manifestNumber makes sense on the server side before publication

6. 6 RP support for 9286 Manifest number reuse Accepted Accepted Accepted Rejected Manifest number regression Accepted Accepted Accepted Rejected Manifest number of MN_MAX Rejected Accepted Accepted Accepted Manifest number > MN_MAX Rejected Accepted Rejected Accepted Manifest number of MN_MAX_2* Rejected Accepted Rejected Accepted Manifest number > MN_MAX_2* Rejected Accepted Rejected Rejected https:/ /github.com/APNIC-net/rpki-mft-number-demo * (1 << (20 * 8)) – 1 (i.e. the largest unsigned 160-bit value, rather than the largest signed 160-bit value)

7. 7 Next steps ● Get feedback on current draft approach and potential alternatives

draft-harrison-sidrops-manifest-number-01, presented at IETF 119

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie draft-harrison-sidrops-manifest-number-01, presented at IETF 119

Ähnlich wie draft-harrison-sidrops-manifest-number-01, presented at IETF 119 (20)

Mehr von APNIC

Mehr von APNIC (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (12)

draft-harrison-sidrops-manifest-number-01, presented at IETF 119