IETF Logo Mail Archive

Re: [sidr] about grandparenting

"Murphy, Sandra" <Sandra.Murphy@sparta.com> Tue, 14 August 2012 14:48 UTC

Return-Path: <Sandra.Murphy@sparta.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD13721F8535 for <sidr@ietfa.amsl.com>; Tue, 14 Aug 2012 07:48:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.54
X-Spam-Level:
X-Spam-Status: No, score=-102.54 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u1NEvrbMSvhK for <sidr@ietfa.amsl.com>; Tue, 14 Aug 2012 07:48:00 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id D68EF21F84FB for <sidr@ietf.org>; Tue, 14 Aug 2012 07:47:59 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id q7EElwVM021750; Tue, 14 Aug 2012 09:47:58 -0500
Received: from Hermes.columbia.ads.sparta.com ([157.185.80.107]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id q7EElvhU012314; Tue, 14 Aug 2012 09:47:58 -0500
Received: from HERMES.columbia.ads.sparta.com ([fe80::e4a8:a383:2128:c0e5]) by Hermes.columbia.ads.sparta.com ([fe80::e4a8:a383:2128:c0e5%21]) with mapi id 14.01.0355.002; Tue, 14 Aug 2012 10:47:53 -0400
From: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
To: Andy Newton <andy@arin.net>
Thread-Topic: [sidr] about grandparenting
Thread-Index: AQHNeiY06gIEyPkyx0CA7hq/ggAKM5dZXRVV
Date: Tue, 14 Aug 2012 14:47:53 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F625F55FB2@Hermes.columbia.ads.sparta.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F5556C@Hermes.columbia.ads.sparta.com>, <B6BBB3C7-2271-4CA3-9143-DC1719B924BC@arin.net>
In-Reply-To: <B6BBB3C7-2271-4CA3-9143-DC1719B924BC@arin.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.185.63.137]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] about grandparenting
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 14:48:00 -0000

speaking as a regular ol' member:

On Tuesday, August 14, 2012 10:07 AM, Andy Newton [andy@arin.net] said

>I'm not speaking for anybody but me here, but I would think 
>that the notion of RIRs issuing "operational" ROAs would be 
>a BIG layer 9 issue.


Given all the caveats below.

If you believe RIRs should not issue ROAs, what would be your preferred method to deal with that: (a) relying party policy - reject ROAs signed by x,y,z keys, (b) cert policy - some words in the CP (c) operational - registries promise not to implement a feature in their code that would allow this (d) contractual - the registry agreement promises that they will not do this,  (e) technical - some bits in the RPKI objects, etc.


(Why did you speak of an "operational" ROA?  What would a non-operational ROA be?)


List of caveats:

I presume you aren't implying that you think the RIRs will be the only or the primary members of the RPKI hierarchy.

And of course you are not speaking of the IANA objects that are now published as an RFC.

And of course you are not speaking of RIRs that have decided to run a hosted service for their members, where code on the RIR system is actually doing the signing operations that create ROAs that their members have requested.

And of course you are not speaking of RIRs who hold address space for their own operational purposes, eg for registry servers and such.

In the spirit of the IANA objects, I can see a potential of an RIR signing a ROA for the /8 from which they are allocating (or v6 equivalent) to keep bogus superblock announcements from being accepted.

--Sandy, speaking as regular ol' member

v2.23.0 | Report a Bug | By Email