IETF Logo Mail Archive

Re: [sidr] RPKI <-> allocation consistency

Stephen Kent <kent@bbn.com> Wed, 12 September 2012 17:24 UTC

Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EB9221F861E for <sidr@ietfa.amsl.com>; Wed, 12 Sep 2012 10:24:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.549
X-Spam-Level:
X-Spam-Status: No, score=-106.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MexLvBLFkKce for <sidr@ietfa.amsl.com>; Wed, 12 Sep 2012 10:24:37 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id CF82721F858F for <sidr@ietf.org>; Wed, 12 Sep 2012 10:24:37 -0700 (PDT)
Received: from dhcp89-089-153.bbn.com ([128.89.89.153]:50497) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1TBqfn-000DYK-3Y; Wed, 12 Sep 2012 13:24:23 -0400
Message-ID: <5050C546.9070304@bbn.com>
Date: Wed, 12 Sep 2012 13:24:22 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Brian Dickson <brian.peter.dickson@gmail.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F555CB@Hermes.columbia.ads.sparta.com> <D857A4BB-E484-45A4-A09F-FB8FAF2215AC@tcb.net> <C5B88834-3A10-41F7-A4F3-2B7C9B540197@verisign.com> <50389897.3040503@bbn.com> <97856400-9F70-4AEC-AF91-A0673A6D716D@verisign.com> <503C47A8.7030700@bbn.com> <303C576D-D1F8-4F62-8E0E-0D74A28B2771@verisign.com> <503D141F.1060404@bbn.com> <3A791D9E-4F16-4481-94AE-BD38A5389593@verisign.com> <CAL9jLaaew6HLdHK4=UrsUF2JKsRRV=sbXzCOFiDnLRKtVSK1tw@mail.gmail.com> <CAH1iCirWo+JYOpFjVhtxXYKGB86nLhcogC20bEy0-Ldkp7Oc8A@mail.gmail.com> <CAL9jLaY3JLBf7H5H2zWvxv2T=9ZsSQbOAxM+mTixefZkF8oVFw@mail.gmail.com> <CAH1iCiqScOwzcAWEuFfHKH4kP6gj45fKqs6rdPq97PsYO+uEMQ@mail.gmail.com> <50461289.1040907@bbn.com> <CAH1iCiqR3A2wdCo7Gs1RWmLZnJLUuO8=-WXj9QN-bfxBwnX02Q@mail.gmail.com> <50464081.4020305@bbn.com> <CAH1iCiqMS2N6TKLeZ6yEb0opQxNHmxBkyLZiXBZKYBhZSX1JOg@mail.gmail.com>
In-Reply-To: <CAH1iCiqMS2N6TKLeZ6yEb0opQxNHmxBkyLZiXBZKYBhZSX1JOg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: sidr@ietf.org
Subject: Re: [sidr] RPKI <-> allocation consistency
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Sep 2012 17:24:39 -0000

Brian,

Sorry I didn't reply sooner.

I found it very difficult to follow the details of your example, but I 
think there is a higher
level consideration that makes moot a detailed analysis of optimization 
the you suggest.

In the early days of RPKI design I raised the same question that you did 
re allocation uniqueness,
and suggested that we include RP checks for overlapping allocations in 
RP software. I was told (by operators) that the old INR holder and the 
new INR holder would each need to have certs (and ROas) that are valid, 
and that encompass the INRs being moved, and that persist for some time. 
That is a fundamental reason that the RPKI does not specify that the 
allocations are "unique." The term "unique" used to appear in the text 
of several of the docs, but was removed to accommodate INR transfers.

I think the primary concern is that one cannot be confident how quickly 
all RPs will acquire all RPKI data.
Thus it seems prudent to allow for the old and new INR holders to have 
certs that contain the INRs being transferred, for these certs overlap 
in validity, and for both certs to be available via the repository 
system at the same time, for some overlap period. This enables old and 
new ROAs, which may point to the same ASN, to exist, avoiding the need 
for a flag day.

Steve

v2.23.0 | Report a Bug | By Email