Re: [sidr] adverse actions -01 posted

Stephen Kent <> Wed, 27 July 2016 17:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E2CC412D0FD for <>; Wed, 27 Jul 2016 10:38:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4Huu5VAVLGnX for <>; Wed, 27 Jul 2016 10:38:57 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F064612D0E6 for <>; Wed, 27 Jul 2016 10:38:56 -0700 (PDT)
Received: from ([]:51258 helo=COMSEC.fios-router.home) by with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <>) id 1bSSnG-000MSN-Hc; Wed, 27 Jul 2016 13:38:54 -0400
From: Stephen Kent <>
To: Randy Bush <>
References: <> <> <> <>
Message-ID: <>
Date: Wed, 27 Jul 2016 13:38:54 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------C3891FEAD8E18829E0111099"
Archived-At: <>
Cc: sidr <>
Subject: Re: [sidr] adverse actions -01 posted
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Jul 2016 17:39:00 -0000


I read your comments carefully, and I'm puzzled by several of them.

Your said, for example:
> and what tim, and others, are trying to say is that exactly those
> meanings are inappropriate.  we do not really know intent, contracts,
> and business/social context.
the introduction says:

    Thus this document examines the implications of adverse actions with
    respect to
    INRs irrespective of the cause of the actions.

That text was trying to indicate that , for example, nothing to do with 
whether an action is adverse. But, I have revised the intro to make this 
> i picked the first example of an 'adverse action' in your document and
> explained how it can be normal operations (and it is said you have fixed
> it, tyvm).  i had hopes you would induce.
Your comments persuaded me to revise the text in question and to note 
that not all examples of competing ROAs or certs represent adverse 
actions. That, IMHO, was an appropriate and adequate change. You didn't 
say that you found the term "adverse" to be a problem.

> tim made a fair suggeston of a lighter word.
Tim offered no suggestion for a different term, which is not helpful. 
Moreover, his tone communicated bias and defensiveness, which is also 
not helpful.

Nonetheless, I have revised the introduction to address the cited 
concerns, but I have not adopted a new term, because:
     - it's reasonable, if one understands the definition
     - nobody has offered any alternative, much less a better 
alternative, that encompasses the full range of actions that may be he 
result of errors, attacks, etc.



In the context of this document, any change to the Resource Public

Key Infrastructure (RPKI) [RFC6480] that modifies the set of Internet 
Numeric Resources (INRs) associated with an INR holder, and that is 
contrary to the holder's wishes, is termed "adverse". An action that 
results inan adverse charge (as defined above), may be the result of an 
attack on a CA [RFC7132], an error by a CA, or an error by or an attack 
on a repository operator. *Note that the CA that allocated the affected 
INRs may be acting in accordance with established policy, and thus the 
change may be legally justified, even though viewed as adverse by the 
INR holder. This document examines the implications of adverse actions 
with respect to INRs irrespective of the cause of the actions.*

Additionally, when a ROA or router certificate is created that

"competes" with an existing ROA or router certificate (respectively), 
the creation of the new ROA or router certificate may be adverse.(A 
newer ROA competes with an older ROA if the newer ROA points to a 
different ASN, contains the same or a more specific prefix, and is 
issued by a different CA.A newer router certificate competes with an 
older router certificate if the newer one contains the same ASN a 
different public key, and is issued by a different CA.)Note that 
transferring resources, or changing of upstream providers may yield 
competing ROAs and/or router certificates, under some circumstances. 
Thus not all instances of competition are adverse actions.

As noted above, adverse changes to RPKI data may arise due to several 
types of causes. A CA may make a mistake in managing the RPKI objects it 
signs, or it may be subject to an attack. If an attack allows an 
adversary to use the private key of that CA to sign RPKI objects, then 
the effect is analogous to the CA making mistakes. There is also the 
possibility that a CA or repository operator may be subject to legal 
measures that compel them to make adverse changes to RPKI data.In many 
cases, such actions may be hard to distinguish from mistakes or attacks, 
other than with respect to the time required to remedy the adverse 
action.(Presumably the CA will take remedial action when a mistake or an 
attack is detected, so the effects are similar in these cases. If a CA 
has been legally compelled to effect an adverse change, remediation will 
likely not be swift.)

This document analyzes the various types of actions by a CA (or

independent repository operator) that can adversely affect the INRs

associated with that CA, as well as the INRs of subordinate CAs.The

analysis is based on examination of the data items in the RPKI

repository, as controlled by a CA (or independent repository operator) 
and fetched by Relying Parties (RPs).The analysis is done from the 
perspective of an affected INR holder.