Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Anapaya review #50

Closed
nicorusti opened this issue Jul 9, 2024 · 7 comments
Closed

Anapaya review #50

nicorusti opened this issue Jul 9, 2024 · 7 comments
Assignees
@shitz
Labels
Prio 1
Milestone
-06

Comments

@nicorusti
Copy link
Member

nicorusti commented Jul 9, 2024
edited
Loading

Following the first wave of ISE feedback, we did quite some work, especially on the control plane draft:

Please review (sorted by urgency):

  • mtu: add clarifications. #63
  • 2.3.3. Effects of Clock Inaccuracy
  • 2.4. Path Discovery Time and Scalability
    1. Security Considerations
  • Control Service gRPC API (appendix)

Other pointers:

@shitz @oncilla @sgmonroy could one of you have a look at the overall changes and provide some feedback? If you feel, you can directly open a PR. We are planning to have a new submission when datatracker reopens on 21.07, before our panrg session to address #48 , and it would be great if we could also incorporate some of your feedback.
@nicorusti nicorusti added this to the -05 milestone Jul 9, 2024
@nicorusti nicorusti modified the milestones: -05, -06 Jul 22, 2024
@nicorusti nicorusti changed the title Anapaya review -04 Anapaya review Sep 24, 2024
@oncilla
Copy link

oncilla commented Oct 7, 2024

The expiration of a SCION AS certificate typically ranges from
3h to 5 years.

Where does this number come from. Most typically it is 3days, and in some very special cases we have 5 days.
I have never seen 5 years outside of some private ISDs

@oncilla
Copy link

oncilla commented Oct 7, 2024

Once
this number grows above the maximum recommended best PCBs set size of
50,

Where does this number come from?
Default is 20. AFAIK:
https://github.com/scionproto/scion/blob/aa917bb458d6675efc55b4a23fda2c694094553e/control/beacon/policy.go#L43

@nicorusti
Copy link
Member Author

The expiration of a SCION AS certificate typically ranges from
3h to 5 years.

Where does this number come from. Most typically it is 3days, and in some very special cases we have 5 days. I have never seen 5 years outside of some private ISDs

This comes from 297e8d2 @jiceatscion do you have more background?

@oncilla you're right, in the PKI draft we write The RECOMMENDED maximum validity period of a CP AS certificate is: 3 days. I don't think, however, we set an upper bound to the validity.

I see two action items:

  • Correct CP draft to say "3h to 5 days".
  • Shall we set an upper bound for validity in the PKI draft? Or alternatively say that validity may be up to 5 days instead of 3?

@nicorusti
Copy link
Member Author

nicorusti commented Oct 8, 2024
edited
Loading

The comes from the first version of the draft: b652927

Once
this number grows above the maximum recommended best PCBs set size of
50,

Where does this number come from? Default is 20. AFAIK: https://github.com/scionproto/scion/blob/aa917bb458d6675efc55b4a23fda2c694094553e/control/beacon/policy.go#L43

It comes from the initial version of the draft:
b652927
I could not find where this comes from

@jiceatscion I'd skim through #46 that has some considerations from ETH on beaconing

@jiceatscion
Copy link
Contributor

jiceatscion commented Oct 8, 2024
edited
Loading

Once
this number grows above the maximum recommended best PCBs set size of
50,

Where does this number come from? Default is 20. AFAIK: https://github.com/scionproto/scion/blob/aa917bb458d6675efc55b4a23fda2c694094553e/control/beacon/policy.go#L43

These numbers aren't described as recommended values, but as recommended maxima. It came from some back-of-the-envelope calculations made by Matthias and used as worst-case examples in the scalability/Intra-ISD Beaconing section.

The code says the default is 20, but then, that isn't a recommended value, just a mechanical place holder: it is 20 even for a core AS (if I managed to follow the code), which, wouldn't be such a good idea, would it?

I'll try and clarify that notion in the text.

@jiceatscion
Copy link
Contributor

The expiration of a SCION AS certificate typically ranges from
3h to 5 years.

Where does this number come from. Most typically it is 3days, and in some very special cases we have 5 days. I have never seen 5 years outside of some private ISDs

I have no recollection. In all likeliness I was looking for the maximum range ever used and someone must have mentioned the existence the 5y case. If that is such an outlier, I can change the text to emphasize what the reasonable range is.

@jiceatscion
Copy link
Contributor

The expiration of a SCION AS certificate typically ranges from
3h to 5 years.

Where does this number come from. Most typically it is 3days, and in some very special cases we have 5 days. I have never seen 5 years outside of some private ISDs

This comes from 297e8d2 @jiceatscion do you have more background?

@oncilla you're right, in the PKI draft we write The RECOMMENDED maximum validity period of a CP AS certificate is: 3 days. I don't think, however, we set an upper bound to the validity.

I see two action items:

* [ ]  Correct CP draft to say "3h to 5 _days_".

* [ ]  Shall we set an upper bound for validity in the PKI draft? Or alternatively say that validity may be up to 5 days instead of 3?

As usual, I can take a Jesuitic approach and make a distinction between common and recommended. That way we leave the pki draft and its recommendation of 3 days alone. In the cp draft I will made the same recommendation and mention 5 days as an outlier. Let's forget the 5y.

@jiceatscion jiceatscion mentioned this issue Oct 8, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shitz shitz

Labels
Prio 1
Projects
None yet
Milestone
-06
Development

No branches or pull requests
4 participants
@shitz @oncilla @nicorusti @jiceatscion