Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt

Sandra Murphy <> Tue, 19 July 2016 16:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1854A12D0AD for <>; Tue, 19 Jul 2016 09:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id J386qqgUtYm1 for <>; Tue, 19 Jul 2016 09:33:00 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1755512B04F for <>; Tue, 19 Jul 2016 09:33:00 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTP id 83FDC28B003B; Tue, 19 Jul 2016 12:32:59 -0400 (EDT)
Received: from [] (localhost.localdomain []) by (Postfix) with ESMTP id C10AE1F8055; Tue, 19 Jul 2016 12:32:58 -0400 (EDT)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_F8D5961F-E6A1-478B-93A8-87A154064F04"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail
From: Sandra Murphy <>
In-Reply-To: <>
Date: Tue, 19 Jul 2016 12:32:43 -0400
Message-Id: <>
References: <> <> <>
To: Stephen Kent <>
X-Mailer: Apple Mail (2.2104)
Archived-At: <>
Cc:, Sandra Murphy <>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Jul 2016 16:33:02 -0000

Speaking as regular ol’ member:

> On Jul 15, 2016, at 1:28 PM, Stephen Kent <> wrote:
> Tim,
> I reviewed the -06 version and am attaching a pdf of the MS Word file with suggested edits. I can send you the word file itself if you wish.
> I have provided text to my co-author, Sean, to include in the bgpsec-pki-profile doc to address your concern. I suggested the following text at the beginning of section 3 :
>    The validation procedure used for BGPsec Router Certificates is
>    identical to the validation procedure described in Section 7 of
>    [RFC6487]
> (and any RFC that updates this procedure)
> , but using the
>    constraints applied come from this specification.

I can’t parse “but using the constraints applied come from this specification”.  Can you clarify?

> Sean added an implementation considerations section which I suggest will say:
>    Operators MAY choose to issue separate BGPsec Router Certificates for
>    different ASNs. Doing so may prevent a BGPsec Router Certificate from
>    becoming invalid if one of the ASNs is removed from any superior CA certificate
>    along the path to a trust anchor.

I quibble about this wording.  why do you say “may”?  Is it because if the ASN in one of the separate router certificates is one of the ASNs that is removed, then it still becomes invalid?

I think you mean:

This document permits the operator to include a list of ASNs in a BGPsec Router Certificate.
In that case, the router certificate would become invalid if any one of the ASNs is removed
from any superior CA certificate along the path to a trust anchor.  Operators MAY choose
to avoid this possibility by issuing a separate BGPsec Router Certificate for each distinct
ASN, so that the router certificates for ASNs that are retained in the superior CA certificate
would remain valid.

I’m not sure you meant a normative “MAY choose” ("there are reasons, <listed here,> to make this choice”) or “could possibly choose”

> I hope these changes avoid the need to say anything about router certs in your doc.
> I'm not sure there is a need to change the ROA spec. If we agree that all prefixes in the ROA MUST be contained in the EE cert for that ROA, then the current text in the ROA spec does not need to change.


The ROA RFC says validation of the ROA must satisfy:

   o  The IP address delegation extension [RFC3779] is present in the
      end-entity (EE) certificate (contained within the ROA), and each
      IP address prefix(es) in the ROA is contained within the set of IP
      addresses specified by the EE certificate's IP address delegation

If the EE certificate and the ROA mention a /18, and a /19 is removed from a “superior CA certificate”, then there is/are only a /19 of the EE certificate that is/are VRP.  And every prefix in the ROA is still contained in the EE cert, so this validation step is satisfied.  What does this ROA now authorized?  How would it be applied in BGP route validation?

—Sandy, speaking as regular ol’ member

> Steve
> <draft-ietf-sidr-rpki-validation-reconsidered-06.pdf>_______________________________________________
> sidr mailing list