Re: [sidr] WG acceptance call for draft-ymbk-rpki-grandparenting

["Montgomery, Douglas" <dougm@nist.gov>]

On 8/10/12 12:36 AM, "Byron Ellacott" <bje@apnic.net> wrote:

>Hi,
>
>On 10/08/2012, at 4:25 AM, Christopher Morrow wrote:
>
>> an interesting outgrowth of the grandparenting could be the ability to
>> 'avoid' LEA actions at middle tiers of the address allocation
>> heirarchy... that's something to consider, i'd say.
>
>I don't believe this is true.
>
>If C has taken some action, LEA triggered or otherwise, that means the
>RPKI system no longer asserts that G's intent for packet delivery is
>true, then merely allowing G to issue an RPKI assertion does not prevent
>C from asserting whatever they like, too.  If a LEA requires C to issue
>an AS0 ROA 10.42.2.0/23, then creating an ASn ROA for the same prefix,
>same maxLength will not ensure packets are delivered correctly.

The way I understand
http://tools.ietf.org/html/draft-ietf-sidr-pfx-validate-08, if there is a
valid ROA that matches a route, and a valid AS0 ROA that also covers the
route, the route will be considered VALID.

AS0 ROAs don't "trump" other valid ROAs.

>
>Perhaps the underlying operational problem where A is not quite sure yet
>of C's status could be better addressed by section 4.9.4 of the CPS - if
>A has been convinced that G is the current holder of the resources, A
>could register the change of holding, but include in their CPS that they
>may provide a grace period for revocation on a case by case basis.
>
>(If A has not been convinced that G is the current holder of the
>resources, then delivering packets to G for those resources would not be
>a positive engineering outcome, it would be deliberately mis-directing
>packets, which the RPKI is intended to prevent!)
>
>  Byron, speaking only for myself
>

dougm
-- 
Doug Montgomery ­ Mgr. Internet & Scalable Systems Research / ITL / NIST