IETF Logo Mail Archive

Re: [sidr] WG acceptance call for draft-ymbk-rpki-grandparenting

"Montgomery, Douglas" <dougm@nist.gov> Fri, 10 August 2012 05:46 UTC

Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5229611E80E8 for <sidr@ietfa.amsl.com>; Thu, 9 Aug 2012 22:46:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.424
X-Spam-Level:
X-Spam-Status: No, score=-6.424 tagged_above=-999 required=5 tests=[AWL=0.175, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ss5g4xNbr7nq for <sidr@ietfa.amsl.com>; Thu, 9 Aug 2012 22:46:22 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 87C2B11E80E5 for <sidr@ietf.org>; Thu, 9 Aug 2012 22:46:22 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.355.2; Fri, 10 Aug 2012 01:46:13 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Fri, 10 Aug 2012 01:46:21 -0400
From: "Montgomery, Douglas" <dougm@nist.gov>
To: Byron Ellacott <bje@apnic.net>
Date: Fri, 10 Aug 2012 01:46:06 -0400
Thread-Topic: [sidr] WG acceptance call for draft-ymbk-rpki-grandparenting
Thread-Index: Ac12u0Oj+JJlKOIhQKqRILhjK0D7yw==
Message-ID: <CC4A12BF.C3EC4%dougm@nist.gov>
In-Reply-To: <A32F5174-A4C6-4A7B-A8F4-66575C7082EF@apnic.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.2.120421
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sidr wg <sidr@ietf.org>
Subject: Re: [sidr] WG acceptance call for draft-ymbk-rpki-grandparenting
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Aug 2012 05:46:23 -0000

Hi Byron,


On 8/10/12 1:18 AM, "Byron Ellacott" <bje@apnic.net> wrote:

>Hi Doug,
>
>On 10/08/2012, at 3:02 PM, Montgomery, Douglas wrote:
>
>> On 8/10/12 12:36 AM, "Byron Ellacott" <bje@apnic.net> wrote:
>> 
>>> If C has taken some action, LEA triggered or otherwise, that means the
>>> RPKI system no longer asserts that G's intent for packet delivery is
>>> true, then merely allowing G to issue an RPKI assertion does not
>>>prevent
>>> C from asserting whatever they like, too.  If a LEA requires C to issue
>>> an AS0 ROA 10.42.2.0/23, then creating an ASn ROA for the same prefix,
>>> same maxLength will not ensure packets are delivered correctly.
>> 
>> The way I understand
>> http://tools.ietf.org/html/draft-ietf-sidr-pfx-validate-08, if there is
>>a
>> valid ROA that matches a route, and a valid AS0 ROA that also covers the
>> route, the route will be considered VALID.
>> 
>> AS0 ROAs don't "trump" other valid ROAs.
>
>Substitute "ASm" for "AS0" in my example.

It doesn't change the logic.    The validation algorithm basically
searches for a match first, only if one is not found is the issue of other
non-matching ROAs considered.  That being, if no match is found and their
exists at least one covering ROA, then the route is INVALID.

You can not change a VALID route to any other state by creating additional
valid ROAs.  You have to delete (revoke, etc) the valid matching ROAs to
achieve that. Creating a (covering) ROA can change an UNKNOW to an
INVALID.   


>
>I believe you're right about AS 0.  I was taking the first sentence of
>the Security Considerations of draft-ietf-idr-as0 [1] too literally; AS0
>ROAs are not entirely equivalent to BOAs, after all :-)
>
>(But this is sort of my point, the RPKI system's verification of right of
>use breaks down if you start certifying multiple people as having a
>simultaneous right to use resources :-)

The issues above can occur even when there is only a single issuer of such
ROAs.

While draft-ietf-idr-as0 and RFC6491 deal with what the semantics that a
single given AS0 ROA conveys, neither draft (maybe rightly so) goes into
the level of detail to note there might exist other valid ROAs that
contradict the semantics of a AS0 ROA.

I would agree on a weaker statement, that we should discuss and come to
some understanding about issues of consistency associated with overlapping
attestations from multiple levels of the resource hierarchy and/or a
single holder.  The current syntax of our objects and validation
algorithms allow considerable flexibility here.  If, and where policies
should curtail some of this flexibility is what we are discussing.


>
>  Byron
>
>[1] http://tools.ietf.org/html/draft-ietf-idr-as0
>

--
Doug Montgomery ­ Mgr. Internet & Scalable Systems Research / ITL / NIST








>

v2.23.0 | Report a Bug | By Email