Re: [GROW] draft-ss-grow-rpki-as-cones-00

"Randy Bush" <randy@psg.com> Wed, 23 May 2018 18:21 UTC

From: Randy Bush <randy@psg.com>
To: Job Snijders <job@ntt.net>
Cc: Brian Dickson <brian.peter.dickson@gmail.com>, grow@ietf.org
Date: Wed, 23 May 2018 11:21:07 -0700
X-Mailer: MailMate (1.11.2r5479)
Message-ID: <57356A8C-B82D-4084-9BC0-B6F1A23CCCF5@psg.com>
In-Reply-To: <CACWOCC8NvWZQYN9b1y65C_s4J8VATRWmUkKDR-n8CL9J1QY-_g@mail.gmail.com>
References: <8c2da168-af67-9463-adbc-d6a0b778f24d@stucchi.ch> <m2tvr0eq0f.wl-randy@psg.com> <20180523134849.GV56139@hanna.meerval.net> <m2h8mybei6.wl-randy@psg.com> <20180523170728.GW73966@vurt.meerval.net> <CAH1iCir7_oddkaeJGJ-qNyUgwumd55R-0AC8CMPrKmNKGiaxqQ@mail.gmail.com> <CACWOCC8NvWZQYN9b1y65C_s4J8VATRWmUkKDR-n8CL9J1QY-_g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/grow/nUgKeU9y7KbSl2MtT5SmtdJRKZI>
Subject: Re: [GROW] draft-ss-grow-rpki-as-cones-00
List-Id: Grow Working Group Mailing List <grow.ietf.org>

> I believe the fundamental problem is (1) the same AS-SET name can exist in
> multiple databases (duplication), (2) you don't know which as-set belongs
> to which ASN (ownership), and which as-set to use (discovery).

i think these may be part of the same confuddle; what is the 
“identity” of an as-set?  in the irr, it is the maintainer (even 
ignoring multiple irr bases); but we have no such concept in the rpki.

my understanding is that an as-set is a short-hand name for a collection 
of names of ASs and the names of other as-sets.  when you ask that an AS 
owner sign an as-set, you are making an assertion of ownership/scope 
that i am not sure i understand. the signing AS is saying that the 
nickname is a valid list in some sense (part of brian’s question)?

as the old rpki joke goes, you can use your cert to sign a gif of naked 
furries or a bank transaction.  but what is the security *meaning* of 
your doing so?

from the draft:
> to enable operators to define a set of customers that can be found as
> "right adjacencies", or transit customer networks, facilitating the
> construction of prefix filters for a given ASN'

so, when AS42 signs a list {AS1, AS2}, is AS42 trying to say that
someone peering with AS42 should expect any prefixes for which there are
ROAs with AS42, AS1, or AS2 in the ROA's asID?  but *anyone* can put
an arbitrary AS number in an asID.

i keep following the heffalump tracks around this tree, but am becoming 
more and more confused.

randy
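As an added illustration (not the draft's algorithm and not code from anyone in this thread), here is a toy Python model of the mechanism the message is questioning: a signed cone is expanded to a set of ASNs, and a prefix filter is derived by accepting every ROA whose asID falls in that set. The CONES and ROAS data are constructed, and the acceptance rule is an assumption about how such a filter would be built; the example shows that a ROA issued by a prefix holder AS42 knows nothing about still lands in the filter if that holder simply chose an asID inside the cone.

```python
from typing import Dict, List, Set, Tuple, Union

Member = Union[int, str]  # an ASN, or the name of another (nested) cone

# Constructed sample: signer name -> members, mirroring "AS42 signs {AS1, AS2}".
# AS2-CONE refers back to AS42 to exercise cycle handling.
CONES: Dict[str, List[Member]] = {
    "AS42": [1, 2, "AS2-CONE"],
    "AS2-CONE": [2, 7, "AS42"],
}

# Constructed ROAs as (prefix, asID). The prefix holder chooses the asID;
# nothing in AS42's signed cone constrains that choice.
ROAS: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 1),        # AS1, a listed cone member
    ("198.51.100.0/24", 2),     # AS2, a listed cone member
    ("203.0.113.0/24", 2),      # unrelated holder who put AS2 in its asID
    ("203.0.113.0/24", 4242),   # asID outside the cone, expected to be rejected
]


def expand_cone(name: str, cones: Dict[str, List[Member]],
                seen: Set[str] = None) -> Set[int]:
    """Return every ASN covered by a cone (signer included), following nested
    cone references and ignoring cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns: Set[int] = set()
    if name.startswith("AS") and name[2:].isdigit():
        asns.add(int(name[2:]))  # the signer itself, e.g. "AS42" -> 42
    for member in cones.get(name, []):
        if isinstance(member, int):
            asns.add(member)
        else:
            asns |= expand_cone(member, cones, seen)
    return asns


def prefix_filter(cone: str, cones: Dict[str, List[Member]],
                  roas: List[Tuple[str, int]]) -> Set[Tuple[str, int]]:
    """Assumed rule: accept every (prefix, asID) ROA whose asID is in the cone.
    The cone signature says nothing about who holds the prefix."""
    allowed = expand_cone(cone, cones)
    return {(prefix, asid) for prefix, asid in roas if asid in allowed}
```

Running `prefix_filter("AS42", CONES, ROAS)` accepts 203.0.113.0/24 via asID 2 even though AS42 never asserted anything about that prefix, which is the gap in security meaning the message points at.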