IETF Logo Mail Archive

Re: [sidr] Questions about draft-huston-rpki-validation-01

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Tue, 18 March 2014 20:09 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56A591A0296 for <sidr@ietfa.amsl.com>; Tue, 18 Mar 2014 13:09:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CkpibludFHjv for <sidr@ietfa.amsl.com>; Tue, 18 Mar 2014 13:09:36 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0181.outbound.protection.outlook.com [207.46.163.181]) by ietfa.amsl.com (Postfix) with ESMTP id 4359C1A01A5 for <sidr@ietf.org>; Tue, 18 Mar 2014 13:09:36 -0700 (PDT)
Received: from BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) by BLUPR09MB056.namprd09.prod.outlook.com (10.255.211.156) with Microsoft SMTP Server (TLS) id 15.0.898.11; Tue, 18 Mar 2014 20:09:27 +0000
Received: from BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.12]) by BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.174]) with mapi id 15.00.0898.005; Tue, 18 Mar 2014 20:09:26 +0000
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Geoff Huston <gih@apnic.net>
Thread-Topic: Questions about draft-huston-rpki-validation-01
Thread-Index: Ac89eRhd+ibZbQZWQW6u2RB/Km153QAQRwSAABsPsLAA1ffwgAAtxyldAAFuk4AAGUQnAgAPXn8AAACzPPA=
Date: Tue, 18 Mar 2014 20:09:26 +0000
Message-ID: <a7b10fad36e94680a2851d2c8a2bc692@BLUPR09MB053.namprd09.prod.outlook.com>
References: <aa922cfa32d64b01ad85a472faa9356b@BLUPR09MB053.namprd09.prod.outlook.com> <F69C5324-C865-46FB-9B49-940B47F29ADD@apnic.net> <519729f8a8c549ec98496c22fc6025a6@BLUPR09MB053.namprd09.prod.outlook.com>, <452C0EF8-8A6C-4E75-B7B3-DDF4FFD87691@apnic.net> <375b352964154d2eab003662a377c688@BLUPR09MB053.namprd09.prod.outlook.com>, <88BC9DDD-0F93-4041-A0DD-527DB61CD7D5@apnic.net> <edb249d3311944af920e850d6c65e8b9@BLUPR09MB053.namprd09.prod.outlook.com> <6F99EFB3-6813-4D40-9AEA-B1A8557F06EA@apnic.net>
In-Reply-To: <6F99EFB3-6813-4D40-9AEA-B1A8557F06EA@apnic.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [129.6.140.100]
x-forefront-prvs: 0154C61618
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(51704005)(199002)(189002)(81816001)(33646001)(85306002)(90146001)(74706001)(56816005)(74876001)(2656002)(95416001)(87936001)(87266001)(74366001)(56776001)(76482001)(77982001)(79102001)(20776003)(97336001)(59766001)(63696002)(51856001)(97186001)(53806001)(54356001)(46102001)(83322001)(54316002)(81686001)(65816001)(66066001)(95666003)(80022001)(80976001)(92566001)(77096001)(93136001)(69226001)(81542001)(49866001)(81342001)(4396001)(47736001)(76576001)(76796001)(76786001)(50986001)(47976001)(74502001)(93516002)(47446002)(74662001)(86362001)(94946001)(94316002)(31966008)(83072002)(85852003)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR09MB056; H:BLUPR09MB053.namprd09.prod.outlook.com; FPR:7DF6FAF4.AD92D710.41F30F5B.44E41149.201E6; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (: nist.gov does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/cdfLnJK3NQANXnIwYeEOIq93bv0
Cc: George Michaelson <ggm@apnic.net>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Questions about draft-huston-rpki-validation-01
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Mar 2014 20:09:38 -0000

>>
>> That is good. But what I meant was (in your I-D under discussion) does
>> the alternate validation algorithm for a ROA need slightly different
>> wording (as compared to that for certificates)?
>
>I think not.  RFC6482 did not define how the EE certificate is to be validated.
>It simply states that the IP addresses listed in the ROA must also be found in the
>resource extensions of the signing EE cert. This still holds.
>
>i.e. no change is required there.
>

I think you are saying that a ROA is "valid" for all prefixes listed in it, if the signing EE cert is 
"valid" for each of those prefixes (in accordance with the alternate validation method).
I.e., there is no such thing as 'the ROA is (partially) valid for some of the listed prefixes'.
Does not harm to include some statement this effect in your I-D.

We discussed the possibility of ROA over-claiming earlier. 
The above is not accommodative of that. And I think that is also OK for now.
We can revisit if robustness to ROA over-claiming is something 
that interests anyone else on this list.

Thanks.
Sriram

v2.23.0 | Report a Bug | By Email