Re: [sidr] about grandparenting
Arturo Servin <aservin@lacnic.net> Fri, 10 August 2012 21:19 UTC
Return-Path: <aservin@lacnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB22021F853B for <sidr@ietfa.amsl.com>; Fri, 10 Aug 2012 14:19:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.048
X-Spam-Level:
X-Spam-Status: No, score=-1.048 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B02oF60Dr1mb for <sidr@ietfa.amsl.com>; Fri, 10 Aug 2012 14:19:45 -0700 (PDT)
Received: from mail.lacnic.net.uy (mail.lacnic.net.uy [IPv6:2001:13c7:7001:4000::3]) by ietfa.amsl.com (Postfix) with ESMTP id 1A3FD21F8526 for <sidr@ietf.org>; Fri, 10 Aug 2012 14:19:44 -0700 (PDT)
Received: from 85-7-200.lacnic.net.uy (unknown [200.7.85.90]) by mail.lacnic.net.uy (Postfix) with ESMTP id B3E2E30844D; Fri, 10 Aug 2012 18:19:41 -0300 (UYT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Arturo Servin <aservin@lacnic.net>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F625F5556C@Hermes.columbia.ads.sparta.com>
Date: Fri, 10 Aug 2012 18:19:38 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <32FD2C03-7508-43B9-9AF0-D9192A5BDD7B@lacnic.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F5556C@Hermes.columbia.ads.sparta.com>
To: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
X-Mailer: Apple Mail (2.1278)
X-LACNIC.uy-MailScanner-Information: Please contact the ISP for more information
X-LACNIC.uy-MailScanner: Found to be clean
X-LACNIC.uy-MailScanner-SpamCheck:
X-LACNIC.uy-MailScanner-From: aservin@lacnic.net
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] about grandparenting
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Aug 2012 21:19:46 -0000
The problem with a grandparent is that it cannot certify a grandchild unless it has specific information about it, normally it would come from the son/daughter. I think the idea of the grandparent has good will, but I am not sure that we are following the right path. Regards, as On 10 Aug 2012, at 17:45, Murphy, Sandra wrote: > speaking as regular ol' member > > This is a discussion of grandparenting, NOT a discussion of adoption of the grandparenting draft. > > There have been suggestions of several different actions a grandparent might do. Most of the comments so far focus on issuance of CA certificates to a grandchild. But there are other actions a grandparent might take. > > For example. One action already mentioned would be issuing ROAs for the grandchild, by the grandparent. That doesn't disturb the consistency with the allocation system. We have long discussed that providers might issue ROAs for RPKI-unprepared children. The RPKI structure allows for multiple ROAs for the same prefix (for multihoming) and for multiple ROAS for more specifics inside the same space signed by the same entity (eg for TE advertisements). > > For example. The grandparent could also host a CA service for the child. That's allowed and is currently practiced. Under that hosted CA service, the grandparent could issue a cert for the grandchild. The process controlling this would be a matter for the agreement about the hosting service. > > For example. The grandparent could issue a CA cert for the grandchild and reclaim that address space from the child by issuing new CA certs for the child that omit the reclaimed space. (For: it keeps allocation and RPKI consistent. Against: it fractures allocations and can produce routing table bloat.) I think I saw this in one message on the thread. How, when, where, why, with what proof or limitations - all that is out-of-band process and can vary per situation. > > For example. The grandparent could issue a ROA that it itself was allowed to originate the grandchild's address space, and forward traffic to the child with the expectation that the child will forward traffic to the grandchild. (This only works in cases where there is continued connectivity from child to grandchild.) There's no CA cert action there, so it doesn't disturb the consistency with the allocation system. > > I presume there are lots of others. > > Do we want to try to record the many possibilities? A complete list (ulp!)? Reasons for and against certain critical ones? > > --Sandy, speaking only as regular ol' member > > > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr
- [sidr] about grandparenting Murphy, Sandra
- Re: [sidr] about grandparenting Arturo Servin
- Re: [sidr] about grandparenting Andy Newton
- Re: [sidr] about grandparenting Murphy, Sandra
- Re: [sidr] about grandparenting Andy Newton