[sidr] Question on draft-ietf-sidr-origin-ops-12
Danny McPherson <danny@tcb.net> Sat, 12 November 2011 17:21 UTC
Return-Path: <danny@tcb.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C964521F8540 for <sidr@ietfa.amsl.com>; Sat, 12 Nov 2011 09:21:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.561
X-Spam-Level:
X-Spam-Status: No, score=-102.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p5ZKCXwIk3it for <sidr@ietfa.amsl.com>; Sat, 12 Nov 2011 09:21:02 -0800 (PST)
Received: from uu.ops-netman.net (morrowc-1-pt.tunnel.tserv13.ash1.ipv6.he.net [IPv6:2001:470:7:36e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 3071521F8532 for <sidr@ietf.org>; Sat, 12 Nov 2011 09:21:02 -0800 (PST)
Received: from mailserver.ops-netman.net (mailserver.ops-netman.net [208.76.12.119]) by uu.ops-netman.net (Postfix) with ESMTP id D2E311900A1 for <sidr@ietf.org>; Sat, 12 Nov 2011 17:21:01 +0000 (UTC)
Received: from [172.16.7.31] (unknown [122.147.35.3]) (Authenticated sender: danny@OPS-NETMAN.NET) by mailserver.ops-netman.net (Postfix) with ESMTPSA id 0197D320164 for <sidr@ietf.org>; Sat, 12 Nov 2011 17:21:00 +0000 (UTC)
From: Danny McPherson <danny@tcb.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sat, 12 Nov 2011 12:20:58 -0500
Message-Id: <4F9F092F-2EF2-4B93-BD30-7BA8C6746B5C@tcb.net>
To: sidr wg list <sidr@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [sidr] Question on draft-ietf-sidr-origin-ops-12
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Nov 2011 17:21:02 -0000
Substantial comment similar to that made on pfx-validate: We need to resolve the behavior for routes originated from the local AS to find their way into a Valid state, as by current definition they can only be "Not Found" or even "Invalid", even if ROAs exist in the mapping table for the local AS. The WG needs to agree on the proper accommodation and address it expressly in the text before this document is published. Nits below: --- S.3 - Can you explain how it's "more likely to be noticed"? "One advantage of minimal ROA length is that the forged origin attack does not work for sub-prefixes that are not covered by overly long max length. E.g. if, instead of 10.0.0.0/16-24, one issues 10.0.0.0/16 and 10.0.42.0/24, a forged origin attack can not succeed against 10.0.66.0/24. They must attack the whole /16, which is more likely to be noticed." - s/While an operator using RPKI data/An operator using RPKI data/ --- S.5 - s/NotFound/Not Found/[g] throughout per the pfx-validate terminology. ---
- [sidr] Question on draft-ietf-sidr-origin-ops-12 Danny McPherson