--asn in bgpsec add #1192

Open
randyqx opened this issue Apr 2, 2024 · 7 comments
Comments

randyqx commented Apr 2, 2024

krillc bgpsec add --asn AS65000 --csr ./router-csr.der has the AS in the command. But the relevant AS(s), yes, there may be more than one, are in the CSR; see RFC 8209 §3.1.1, and the router certificate does have the AS(s), §3.1.3.5.

Hmmm. OTOH, RFC 8635 says:

> NOTE: The PKCS#10 certification request does not include the AS number or the BGP Identifier for the router certificate. Therefore, the operator transmits the AS it has chosen on the router as well as the BGP Identifier when it sends the CSR to the CA.

randyqx changed the title from "--asn in bgpsrc add" to "--asn in bgpsec add" Apr 2, 2024
timbru (Contributor) commented Apr 3, 2024

Indeed. This is counterintuitive, but the AS is not included in the CSR (see §3.2 of RFC 8209). So it needs to be supplied explicitly.

randyqx (Author) commented Apr 3, 2024

More confusing than counterintuitive :)

Which AS? There may be multiple, as seems pretty clear. Yes, §3.2 does not mention the AS being in the CSR. But it is, well, they are, in the enclosed cert to be signed.

(gotta love the marketing department closing tickets :)

@russhousley

RFC 8209 specifies the profile for end entity certificates issued to routers within an AS. I am guessing that the --asn argument contains that AS number, even though the router may be able to speak for multiple AS numbers.

randyqx (Author) commented Apr 3, 2024

And those AS numbers may, or may not, all be from the same CA chain.

I actually have a router which has two ASs, one from RIPE and one from APNIC. So the router config has to know the CA chain diversity and issue separate CSRs for the separate chains and sign appropriately?

[email to ticket seems not to work since marketing censored the discussion]

timbru (Contributor) commented Apr 4, 2024

@russhousley Indeed, the --asn argument carries the ASN for the router certificate. It's not expected on the CSR, but it's included in the JSON that the CLI sends to the server.

@randyqx I do not fully trust my memory on this at this point, but I have some vague recollection about first being surprised that the ASN/ASNs were not on the CSR, and then deciding to go the best practice way for ROAs and only support creating single ASN BGPSec Router Certificates. Similar to ROAs with fate sharing prefixes, this may help to avoid certain issues with resource shrinkage in the chain. It will also make it easier to deal with situations where a (logical) CA is a child under multiple parents and/or has ASN entitlements spread out over multiple resource classes.

In principle it should be possible to create multiple BGPSec certificates using the same CSR for different ASNs. But, @AlexanderBand I realise now (looking at the code) that there is a bug. The router certificate file is named after its public key identifier, so this would result in a name collision. So, this code would need to be changed to make this work.

AlexanderBand reopened this Apr 4, 2024

@AlexanderBand (Member)

> (gotta love the marketing department closing tickets :)

Regarding my closing the issue: Tim told me that the problem was dealt with and asked me to close it because he no longer can.

Regarding your “marketing department” snark: I provide job security and a safe place for sixteen full-time developers who maintain free, open-source and liberally licensed DNS and routing software you use. Sadly, your lack of respect and knowledge about our foundation is predictable.

We have a code of conduct; please adhere to it. This is your only warning.

partim (Member) commented Jun 11, 2024

> But, @AlexanderBand I realise now (looking at the code) that there is a bug. The router certificate file is named after its public key identifier, so this would result in a name collision. So, this code would need to be changed to make this work.

That name already consists of the ASN and the key identifier. Presumably you wouldn’t have the two router keys with the same ASN and key under a single CA? Or do I misunderstand something here?
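
As an added illustration of the two points in this thread, that a PKCS#10 CSR carries no AS number while a router certificate carries its AS(s) in the RFC 3779 AS identifiers extension (RFC 8209 §3.1.3.5), and that several router certificates issued from one CSR share one key identifier, so a file name built from the key identifier alone collides where ASN plus key identifier does not. This is example code, not Krill's or krillc's, and it does not reproduce Krill's file naming. It assumes the `cryptography` library, hand-encodes the ASIdentifiers structure because that library has no RFC 3779 support, and uses self-signed certificates as constructed stand-ins for CA-issued router certificates:

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# id-pe-autonomousSysIds (RFC 3779 section 3), the extension RFC 8209 section 3.1.3.5
# requires in a router certificate. `cryptography` has no RFC 3779 support, so the
# extension body is encoded and decoded by hand below (single-byte tags suffice here).
AS_IDENTIFIERS_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.8")


def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def _der_uint(v):
    # minimal-length positive INTEGER; keeps a leading 0x00 when the top bit is set
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def encode_as_identifiers(items):
    """items: ints (ASId) or (min, max) tuples (ASRange) ->
    ASIdentifiers { asnum [0] EXPLICIT asIdsOrRanges SEQUENCE OF ASIdOrRange }"""
    ids = b"".join(_der_uint(i) if isinstance(i, int)
                   else _tlv(0x30, _der_uint(i[0]) + _der_uint(i[1])) for i in items)
    return _tlv(0x30, _tlv(0xA0, _tlv(0x30, ids)))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_as_identifiers(der):
    """Return the asnum component as a list of (min, max) ranges, or "inherit"."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not an ASIdentifiers SEQUENCE")
    ranges, pos = [], 0
    while pos < len(body):
        tag, choice, pos = _read_tlv(body, pos)
        if tag != 0xA0:            # [1] rdi is unused by BGPsec; skip it
            continue
        ctag, cbody, _ = _read_tlv(choice, 0)
        if ctag == 0x05:           # NULL: AS resources inherited from the issuer
            return "inherit"
        if ctag != 0x30:
            raise ValueError("bad ASIdentifierChoice")
        p = 0
        while p < len(cbody):
            t, v, p = _read_tlv(cbody, p)
            if t == 0x02:          # a single ASId
                a = int.from_bytes(v, "big")
                ranges.append((a, a))
            elif t == 0x30:        # ASRange { min, max }
                _, lo, q = _read_tlv(v, 0)
                _, hi, _ = _read_tlv(v, q)
                ranges.append((int.from_bytes(lo, "big"), int.from_bytes(hi, "big")))
            else:
                raise ValueError("bad ASIdOrRange")
    return ranges

def as_ranges(obj):
    """obj: x509.Certificate or x509.CertificateSigningRequest. [] when no extension."""
    try:
        ext = obj.extensions.get_extension_for_oid(AS_IDENTIFIERS_OID)
    except x509.ExtensionNotFound:
        return []
    return parse_as_identifiers(ext.value.value)   # UnrecognizedExtension -> raw DER

def key_identifier(obj):
    # RFC 5280 4.2.1.2 method 1: SHA-1 over the subjectPublicKey bits, as hex
    return x509.SubjectKeyIdentifier.from_public_key(obj.public_key()).digest.hex()

def make_demo(asn_sets):
    """Constructed data: one router key and CSR carrying no AS data, then one
    self-signed stand-in 'router certificate' per ASN set, all for that same key."""
    key = ec.generate_private_key(ec.SECP256R1())   # RFC 8208 router keys are ECDSA P-256
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "router-demo")])
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
    now = datetime.datetime.now(datetime.timezone.utc)
    certs = []
    for asns in asn_sets:
        ext = x509.UnrecognizedExtension(AS_IDENTIFIERS_OID, encode_as_identifiers(asns))
        certs.append(
            x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(ext, critical=True)          # RFC 3779 says MUST be critical
            .sign(key, hashes.SHA256())
        )
    return csr, certs
```

Calling make_demo with two ASN sets and then as_ranges on the CSR and on each certificate gives an empty list for the CSR and the encoded ranges for the certificates, while key_identifier returns the same value for the CSR and both certificates: that shared value is exactly why a file keyed on the key identifier alone cannot hold two certificates for different ASNs issued from one CSR.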
