[sidr] RPKI <-> allocation consistency

["Murphy, Sandra" <Sandra.Murphy@sparta.com>]

speaking as regular ol' member

About allocation <-> RPKI consistency

The RPKI is a certification of resource holding.  Because the allocation databases continue to also record allocations, there's duplication of information between the RPKI and the allocation databases.

Having duplicate records of the same data always presents an issue of consistency.  We know we have this issue (have known it from the beginning), any resource certification outside the allocation system would, so we need to work on how to handle it.

Handling it is out-of-band.  Consistency will be a matter of process, to ensure that allocation actions are bound to issuance of consistent CA certificates (if and when one is issued) and vice versa.  Monitoring the two to spot inconsistencies will be another process.

Duplicates may be valid.  There may be reasons for multiple CA certificates being issued for exactly the same prefix space.  Transfer (or at least the only method of transfer discussed in the wg) would result in multiple CA certificates being issued for exactly the same prefix space, for make-before-break purposes.

We already have a potential for inconsistency.  As noted in the IAB statement on the RPKI, multiple trust anchors present a risk of conflicting certifications for the same address block.  We do not yet have a single root trust anchor.  No need for panic, the RIRs are aware and I trust they have process in mind to ensure consistency.   (This is a contentious issue - hopefully that's worded with sufficient care and balance.)  But that's another case where consistency is/will be ensured by process.

The sky's not falling, we're OK, we can do this, etc.

--Sandy, speaking as regular ol' member