IETF Logo Mail Archive

Re: [sidr] RPKI <-> allocation consistency

Robert Loomans <robertl@apnic.net> Wed, 12 September 2012 23:16 UTC

Return-Path: <robertl@apnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBF6621F8604 for <sidr@ietfa.amsl.com>; Wed, 12 Sep 2012 16:16:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Gwg0XJg7t1C for <sidr@ietfa.amsl.com>; Wed, 12 Sep 2012 16:16:10 -0700 (PDT)
Received: from asmtp.apnic.net (asmtp.apnic.net [IPv6:2001:dc0:2001:11::199]) by ietfa.amsl.com (Postfix) with ESMTP id BD48B21F843A for <sidr@ietf.org>; Wed, 12 Sep 2012 16:16:08 -0700 (PDT)
Received: from [IPv6:2001:dc0:a000:4:691d:6d9d:7f24:e18b] (unknown [IPv6:2001:dc0:a000:4:691d:6d9d:7f24:e18b]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by asmtp.apnic.net (Postfix) with ESMTP id 8B13EB68C5; Thu, 13 Sep 2012 09:16:07 +1000 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\))
From: Robert Loomans <robertl@apnic.net>
In-Reply-To: <5050C546.9070304@bbn.com>
Date: Thu, 13 Sep 2012 09:16:10 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <33A96E17-0CBF-4E17-A0D8-55FE3369142F@apnic.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F555CB@Hermes.columbia.ads.sparta.com> <D857A4BB-E484-45A4-A09F-FB8FAF2215AC@tcb.net> <C5B88834-3A10-41F7-A4F3-2B7C9B540197@verisign.com> <50389897.3040503@bbn.com> <97856400-9F70-4AEC-AF91-A0673A6D716D@verisign.com> <503C47A8.7030700@bbn.com> <303C576D-D1F8-4F62-8E0E-0D74A28B2771@verisign.com> <503D141F.1060404@bbn.com> <3A791D9E-4F16-4481-94AE-BD38A5389593@verisign.com> <CAL9jLaaew6HLdHK4=UrsUF2JKsRRV=sbXzCOFiDnLRKtVSK1tw@mail.gmail.com> <CAH1iCirWo+JYOpFjVhtxXYKGB86nLhcogC20bEy0-Ldkp7Oc8A@mail.gmail.com> <CAL9jLaY3JLBf7H5H2zWvxv2T=9ZsSQbOAxM+mTixefZkF8oVFw@mail.gmail.com> <CAH1iCiqScOwzcAWEuFfHKH4kP6gj45fKqs6rdPq97PsYO+uEMQ@mail.gmail.com> <50461289.1040907@bbn.com> <CAH1iCiqR3A2wdCo7Gs1RWmLZnJLUuO8=-WXj9QN-bfxBwnX02Q@mail.gmail.com> <50464081.4020305@bbn.com> <CAH1iCiqMS2N6TKLeZ6yEb0opQxNHmxBkyLZiXBZKYBhZSX1JOg@mail.gmail.com> <5050C546.9070304@bbn.com>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1486)
Cc: sidr@ietf.org
Subject: Re: [sidr] RPKI <-> allocation consistency
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Sep 2012 23:16:11 -0000

On 13/09/2012, at 03:24, Stephen Kent <kent@bbn.com> wrote:
> Brian,
> 
> Sorry I didn't reply sooner.
> 
> I found it very difficult to follow the details of your example, but I think there is a higher
> level consideration that makes moot a detailed analysis of optimization the you suggest.
> 
> In the early days of RPKI design I raised the same question that you did re allocation uniqueness,
> and suggested that we include RP checks for overlapping allocations in RP software. I was told (by operators) that the old INR holder and the new INR holder would each need to have certs (and ROas) that are valid, and that encompass the INRs being moved, and that persist for some time. That is a fundamental reason that the RPKI does not specify that the allocations are "unique." The term "unique" used to appear in the text of several of the docs, but was removed to accommodate INR transfers.
> 
> I think the primary concern is that one cannot be confident how quickly all RPs will acquire all RPKI data.
> Thus it seems prudent to allow for the old and new INR holders to have certs that contain the INRs being transferred, for these certs overlap in validity, and for both certs to be available via the repository system at the same time, for some overlap period. This enables old and new ROAs, which may point to the same ASN, to exist, avoiding the need for a flag day.

There are related scenarios regarding operational changes even without transfers.

Currently APNIC, for example, only provides a hosted environment for RPKI for our members. They have a web interface from which they can ask for ROAs to be created and published, and we run all of the machinery for them and publish the results in our repositories.

In the future we may allow our members to run their own RPKI installation, connecting to our RPKI service using the provisioning protocol.

I suspect they would prefer to be able to run their new RPKI installation and the hosted service simultaneously for some time, allowing relying parties to pick up the new objects, before switching off the hosted service.

Similarly, when someone wants to wholesale replace their RPKI infrastructure with a new implementation they may choose to run old and new side-by-side.

Rob


-- 
Robert Loomans                         email:       robertl@apnic.net
Senior Software Engineer, APNIC        sip:    robertl@voip.apnic.net
http://www.apnic.net/                  phone:         +61 7 3858 3100

v2.23.0 | Report a Bug | By Email