Re: [sidr] Questions about draft-huston-rpki-validation-01

Geoff Huston <gih902@gmail.com> Tue, 20 May 2014 12:10 UTC

From: Geoff Huston <gih902@gmail.com>
In-Reply-To: <CAL9jLaY3-dy7vA2=bd3dNGM8cL0jqzSZZgwWtx84H_AxiotXCA@mail.gmail.com>
Date: Tue, 20 May 2014 22:10:03 +1000
Message-Id: <FF3700A5-A766-49C1-B282-26E10B508929@gmail.com>
References: <aa922cfa32d64b01ad85a472faa9356b@BLUPR09MB053.namprd09.prod.outlook.com> <F69C5324-C865-46FB-9B49-940B47F29ADD@apnic.net> <519729f8a8c549ec98496c22fc6025a6@BLUPR09MB053.namprd09.prod.outlook.com> <452C0EF8-8A6C-4E75-B7B3-DDF4FFD87691@apnic.net> <375b352964154d2eab003662a377c688@BLUPR09MB053.namprd09.prod.outlook.com> <88BC9DDD-0F93-4041-A0DD-527DB61CD7D5@apnic.net> <edb249d3311944af920e850d6c65e8b9@BLUPR09MB053.namprd09.prod.outlook.com> <6F99EFB3-6813-4D40-9AEA-B1A8557F06EA@apnic.net> <a7b10fad36e94680a2851d2c8a2bc692@BLUPR09MB053.namprd09.prod.outlook.com> <FB4FB863-1AE0-41DB-97B1-FB022150D29E@ripe.net> <CAL9jLaY3-dy7vA2=bd3dNGM8cL0jqzSZZgwWtx84H_AxiotXCA@mail.gmail.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/Dat65sZ5Xx6y-Qd8XsS7tVLLFmQ
Cc: sidr wg list <sidr@ietf.org>, "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, George Michaelson <ggm@apnic.net>
Subject: Re: [sidr] Questions about draft-huston-rpki-validation-01

On 20 May 2014, at 4:38 am, Christopher Morrow <morrowc.lists@gmail.com> wrote:

> On Thu, Apr 17, 2014 at 11:35 AM, Tim Bruijnzeels <tim@ripe.net> wrote:
>> Certificate 1: {10.0.0.0/12, AS64501, AS64505, AS64509}  (TA certificate)
>> Certificate 2: {10.0.0.0/22, AS64501, AS64505, AS64511}
>> Certificate 3: {10.0.0.0/20, AS64501, AS64509}
> 
> It's unclear to me what would happen if you split this into a
> prefix/asn per cert and just carried more certs in your purse. Why
> would I not just add more certs to my purse? Is there a particular
> reason to conglomerate these under the minimal number of certs? Are we
> trying to minimize space in my purse? If so, the purse is large, and
> the certs very small... I could 10x or 100x the number of certs here
> and be ok still.

For AS numbers that's an interesting approach: if you carry a single ASN per cert then yes, there would be a whole lot more certs around (-ve), but any discrepancy in AS registry records between parent and child would be limited to just those ASNs where there are such discrepancies (+ve).

However, I'm unsure how you could or would apply this principle to IPv4 addresses. And I'm even more unclear about IPv6.

However, in principle, the validation algorithm proposed in this draft performs a validation function which is semantically equivalent to breaking down each certificate into a collection of certificates, each describing one element of the original number set, but this approach does not require one to define the minimal unit of addresses in IPv6, nor try to generate an enumeration of individual /128s (or even /64s!) in IPv6, which I guess is a Good Thing.

Geoff
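A worked illustration of the per-element equivalence Geoff describes, as an added example that is not from the draft or from anyone in the thread: each certificate's validated resource set is taken as the intersection of what it lists with its parent's validated set, computed on address ranges rather than by enumerating addresses, so an IPv6 case (constructed here) needs no /128 enumeration. It assumes certificates 2 and 3 from Tim's example are both issued directly under TA certificate 1, and contrasts the result with the strict RFC 3779 containment rule that would reject certificate 2 outright.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Resources:
    prefixes: list   # ipaddress IPv4Network / IPv6Network objects
    asns: set        # AS numbers as ints

def parse(items):
    """Build Resources from strings such as '10.0.0.0/12' or 'AS64501'."""
    res = Resources([], set())
    for item in items:
        if item.upper().startswith("AS"):
            res.asns.add(int(item[2:]))
        else:
            res.prefixes.append(ipaddress.ip_network(item))
    return res

def intersect_prefixes(a, b):
    """Intersect two prefix lists on integer address ranges and summarise the
    overlaps back into prefixes; no address is ever enumerated, so a /32 of
    IPv6 costs the same as a /12 of IPv4."""
    per_version = {4: [], 6: []}
    for x in a:
        for y in b:
            if x.version != y.version:
                continue
            lo = max(int(x.network_address), int(y.network_address))
            hi = min(int(x.broadcast_address), int(y.broadcast_address))
            if lo <= hi:                       # the two ranges overlap
                cls = type(x.network_address)  # keeps IPv6 ints as IPv6
                per_version[x.version].extend(
                    ipaddress.summarize_address_range(cls(lo), cls(hi)))
    return [n for v in (4, 6)
            for n in ipaddress.collapse_addresses(per_version[v])]

def strictly_contained(child, parent):
    """RFC 3779 rule: every child resource must lie inside the parent's,
    otherwise the whole child certificate is invalid."""
    return (child.asns <= parent.asns and
            intersect_prefixes(child.prefixes, parent.prefixes) ==
            intersect_prefixes(child.prefixes, child.prefixes))

def validated_resources(child, parent_vrs):
    """Per-element semantics: keep exactly the child resources that the
    parent's validated set also covers, and drop the rest."""
    return Resources(intersect_prefixes(child.prefixes, parent_vrs.prefixes),
                     child.asns & parent_vrs.asns)

# Tim's example; assumption: certs 2 and 3 are both children of the TA (cert 1).
CERT1 = parse(["10.0.0.0/12", "AS64501", "AS64505", "AS64509"])   # TA
CERT2 = parse(["10.0.0.0/22", "AS64501", "AS64505", "AS64511"])
CERT3 = parse(["10.0.0.0/20", "AS64501", "AS64509"])
```

Under strict containment certificate 2 fails because of AS64511; under the per-element reading it validates for 10.0.0.0/22, AS64501 and AS64505, and only AS64511 is dropped.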