Re: [sidr] Questions about draft-huston-rpki-validation-01

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Tue, 18 March 2014 12:22 UTC

From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Geoff Huston <gih@apnic.net>
Thread-Topic: Questions about draft-huston-rpki-validation-01
Date: Tue, 18 Mar 2014 12:22:27 +0000
Message-ID: <edb249d3311944af920e850d6c65e8b9@BLUPR09MB053.namprd09.prod.outlook.com>
References: <aa922cfa32d64b01ad85a472faa9356b@BLUPR09MB053.namprd09.prod.outlook.com> <F69C5324-C865-46FB-9B49-940B47F29ADD@apnic.net> <519729f8a8c549ec98496c22fc6025a6@BLUPR09MB053.namprd09.prod.outlook.com>, <452C0EF8-8A6C-4E75-B7B3-DDF4FFD87691@apnic.net> <375b352964154d2eab003662a377c688@BLUPR09MB053.namprd09.prod.outlook.com>, <88BC9DDD-0F93-4041-A0DD-527DB61CD7D5@apnic.net>
In-Reply-To: <88BC9DDD-0F93-4041-A0DD-527DB61CD7D5@apnic.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/8p2PdZ2xFq8WI1PFGnyPvCtVa7Q
Cc: George Michaelson <ggm@apnic.net>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Questions about draft-huston-rpki-validation-01
List-Id: Secure Interdomain Routing <sidr.ietf.org>

Geoff,

>> Do you need somewhat different wording for the case of ROA validation?
>> (Is a ROA also technically a "certificate"?)
>> When you say "resource contained in the resource extension",
>> is that well defined for a ROA as well?

>RFC6482 need not be altered at all.
>Section 4 of RFC6482 states:
>      The IP address delegation extension [RFC3779] is present in the
>      end-entity (EE) certificate (contained within the ROA), and each
>      IP address prefix(es) in the ROA is contained within the set of IP
>      addresses specified by the EE certificate's IP address delegation
>      extension.

>which still holds in this slightly altered certificate validation framework.

That is good. But what I meant was: in your I-D under discussion, does
the alternate validation algorithm for a ROA need slightly different wording
(as compared to that for certificates)?
Such as:
A ROA is "valid" for a given IP address prefix specified in the ROA,
if the given IP address prefix is subsumed in the resource extension field
of the end-entity (EE) certificate (contained within the ROA),
and also subsumed in the resource extension field of all other certificates
that are contained in a certification path, where the
construction of this certification path is defined in Section 6 of RFC5280.

Sriram
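The per-prefix ROA rule sketched in the message above, placed beside the whole-certificate rule it would replace, as an added example that is not from the draft, from RFC 6482, or from either correspondent. Certificates are modelled only by their RFC 3779 IP resource sets, ROA maxLength is not modelled, and all prefix values are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the draft or the thread): a path
# TA -> CA, the EE certificate carried inside the ROA, and the ROA's prefixes.
# The CA over-claims 198.51.100.0/24, which its issuer (the TA) never held.
PATH = [
    ["10.0.0.0/8", "192.0.2.0/24"],        # trust anchor resources
    ["10.1.0.0/16", "198.51.100.0/24"],    # CA resources (one over-claim)
]
EE_RESOURCES = ["10.1.1.0/24", "198.51.100.0/24"]
ROA_PREFIXES = ["10.1.1.0/24", "198.51.100.0/24", "10.1.2.0/24"]


def resource_covers(resources, prefix):
    """True if `prefix` is subsumed by some entry of a certificate's IP resource extension."""
    p = ipaddress.ip_network(prefix, strict=False)
    for r in resources:
        r = ipaddress.ip_network(r, strict=False)
        if p.version == r.version and p.subnet_of(r):
            return True
    return False


def roa_valid_prefixes_reconsidered(path, ee_resources, roa_prefixes):
    """Per-prefix rule as worded in the message: a ROA prefix is valid iff it is
    subsumed in the EE certificate's resources AND in every certificate on the path.
    Other prefixes of the same ROA are judged independently."""
    certs = list(path) + [ee_resources]
    return [p for p in roa_prefixes if all(resource_covers(c, p) for c in certs)]


def roa_valid_prefixes_strict(path, ee_resources, roa_prefixes):
    """Existing resource-certificate path rule (RFC 6487 style) for contrast: each
    certificate's resources must be fully contained in its issuer's, otherwise the
    certificate, and so the whole path and the ROA, is invalid."""
    certs = list(path) + [ee_resources]
    for parent, child in zip(certs, certs[1:]):
        if not all(resource_covers(parent, r) for r in child):
            return []
    return [p for p in roa_prefixes if resource_covers(ee_resources, p)]


if __name__ == "__main__":
    print("reconsidered:", roa_valid_prefixes_reconsidered(PATH, EE_RESOURCES, ROA_PREFIXES))
    print("strict:      ", roa_valid_prefixes_strict(PATH, EE_RESOURCES, ROA_PREFIXES))
```

With the sample data, the per-prefix rule keeps 10.1.1.0/24 valid while rejecting only the over-claimed prefix, whereas the strict rule invalidates every prefix because one certificate on the path over-claims.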