Re: [sidr] RPKI <-> allocation consistency
Stephen Kent <kent@bbn.com> Wed, 12 September 2012 17:24 UTC
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EB9221F861E for <sidr@ietfa.amsl.com>; Wed, 12 Sep 2012 10:24:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.549
X-Spam-Level:
X-Spam-Status: No, score=-106.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MexLvBLFkKce for <sidr@ietfa.amsl.com>; Wed, 12 Sep 2012 10:24:37 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id CF82721F858F for <sidr@ietf.org>; Wed, 12 Sep 2012 10:24:37 -0700 (PDT)
Received: from dhcp89-089-153.bbn.com ([128.89.89.153]:50497) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1TBqfn-000DYK-3Y; Wed, 12 Sep 2012 13:24:23 -0400
Message-ID: <5050C546.9070304@bbn.com>
Date: Wed, 12 Sep 2012 13:24:22 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Brian Dickson <brian.peter.dickson@gmail.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F555CB@Hermes.columbia.ads.sparta.com> <D857A4BB-E484-45A4-A09F-FB8FAF2215AC@tcb.net> <C5B88834-3A10-41F7-A4F3-2B7C9B540197@verisign.com> <50389897.3040503@bbn.com> <97856400-9F70-4AEC-AF91-A0673A6D716D@verisign.com> <503C47A8.7030700@bbn.com> <303C576D-D1F8-4F62-8E0E-0D74A28B2771@verisign.com> <503D141F.1060404@bbn.com> <3A791D9E-4F16-4481-94AE-BD38A5389593@verisign.com> <CAL9jLaaew6HLdHK4=UrsUF2JKsRRV=sbXzCOFiDnLRKtVSK1tw@mail.gmail.com> <CAH1iCirWo+JYOpFjVhtxXYKGB86nLhcogC20bEy0-Ldkp7Oc8A@mail.gmail.com> <CAL9jLaY3JLBf7H5H2zWvxv2T=9ZsSQbOAxM+mTixefZkF8oVFw@mail.gmail.com> <CAH1iCiqScOwzcAWEuFfHKH4kP6gj45fKqs6rdPq97PsYO+uEMQ@mail.gmail.com> <50461289.1040907@bbn.com> <CAH1iCiqR3A2wdCo7Gs1RWmLZnJLUuO8=-WXj9QN-bfxBwnX02Q@mail.gmail.com> <50464081.4020305@bbn.com> <CAH1iCiqMS2N6TKLeZ6yEb0opQxNHmxBkyLZiXBZKYBhZSX1JOg@mail.gmail.com>
In-Reply-To: <CAH1iCiqMS2N6TKLeZ6yEb0opQxNHmxBkyLZiXBZKYBhZSX1JOg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: sidr@ietf.org
Subject: Re: [sidr] RPKI <-> allocation consistency
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Sep 2012 17:24:39 -0000
Brian, Sorry I didn't reply sooner. I found it very difficult to follow the details of your example, but I think there is a higher level consideration that makes moot a detailed analysis of optimization the you suggest. In the early days of RPKI design I raised the same question that you did re allocation uniqueness, and suggested that we include RP checks for overlapping allocations in RP software. I was told (by operators) that the old INR holder and the new INR holder would each need to have certs (and ROas) that are valid, and that encompass the INRs being moved, and that persist for some time. That is a fundamental reason that the RPKI does not specify that the allocations are "unique." The term "unique" used to appear in the text of several of the docs, but was removed to accommodate INR transfers. I think the primary concern is that one cannot be confident how quickly all RPs will acquire all RPKI data. Thus it seems prudent to allow for the old and new INR holders to have certs that contain the INRs being transferred, for these certs overlap in validity, and for both certs to be available via the repository system at the same time, for some overlap period. This enables old and new ROAs, which may point to the same ASN, to exist, avoiding the need for a flag day. Steve
- [sidr] RPKI <-> allocation consistency Murphy, Sandra
- Re: [sidr] RPKI <-> allocation consistency Danny McPherson
- Re: [sidr] RPKI <-> allocation consistency Eric Osterweil
- Re: [sidr] RPKI <-> allocation consistency Murphy, Sandra
- Re: [sidr] RPKI <-> allocation consistency Eric Osterweil
- Re: [sidr] RPKI <-> allocation consistency Stephen Kent
- Re: [sidr] RPKI <-> allocation consistency Eric Osterweil
- Re: [sidr] RPKI <-> allocation consistency Stephen Kent
- Re: [sidr] RPKI <-> allocation consistency Eric Osterweil
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson
- Re: [sidr] RPKI <-> allocation consistency Stephen Kent
- Re: [sidr] RPKI <-> allocation consistency Stephen Kent
- Re: [sidr] RPKI <-> allocation consistency Christopher Morrow
- Re: [sidr] RPKI <-> allocation consistency Andy Newton
- Re: [sidr] RPKI <-> allocation consistency Christopher Morrow
- Re: [sidr] RPKI <-> allocation consistency Eric Osterweil
- Re: [sidr] RPKI <-> allocation consistency Christopher Morrow
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson
- Re: [sidr] RPKI <-> allocation consistency Christopher Morrow
- Re: [sidr] RPKI <-> allocation consistency Arturo Servin
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson
- Re: [sidr] RPKI <-> allocation consistency Tim Bruijnzeels
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson
- Re: [sidr] RPKI <-> allocation consistency Christopher Morrow
- Re: [sidr] RPKI <-> allocation consistency Stephen Kent
- Re: [sidr] RPKI <-> allocation consistency Stephen Kent
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson
- Re: [sidr] RPKI <-> allocation consistency Stephen Kent
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson
- Re: [sidr] RPKI <-> allocation consistency Stephen Kent
- Re: [sidr] RPKI <-> allocation consistency Robert Loomans
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson
- Re: [sidr] RPKI <-> allocation consistency Stephen Kent
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson
- Re: [sidr] RPKI <-> allocation consistency Brian Dickson