IETF Logo Mail Archive

Re: [sidr] Reboot: questions regarding WG acceptance of draft-ymbk-rpki-grandparenting-02

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 07 December 2012 17:32 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0212E21F8575 for <sidr@ietfa.amsl.com>; Fri, 7 Dec 2012 09:32:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.765
X-Spam-Level:
X-Spam-Status: No, score=-2.765 tagged_above=-999 required=5 tests=[AWL=-0.833, BAYES_00=-2.599, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_LOW=-1, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ixQxr4nXSIhX for <sidr@ietfa.amsl.com>; Fri, 7 Dec 2012 09:32:05 -0800 (PST)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9BED421F8562 for <sidr@ietf.org>; Fri, 7 Dec 2012 09:32:04 -0800 (PST)
Received: by mail-ee0-f44.google.com with SMTP id b47so479429eek.31 for <sidr@ietf.org>; Fri, 07 Dec 2012 09:32:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=IM3YsvAuOlYZal3gc8U94GSCWz527j0lO99207kYm5o=; b=NSO8jQ2Gd73jQZfKasT5B/ug/21IYezAiZEIpEKJQO5rkjey+I2B+30DSYP2EJNg/O GMu0U/OSBOBhdL5GnFkOd9TQLD7BqqJVIodVXGzD/cS8NqBaF6WpxyuBFG6SvHJ6cOSh /6Vj9gN03PT/1zSdXjYjZM1quqHkHs39ScJPgO0pfHwx/R8ZDJEmg3hbGjL6qJs2lIGS gSlxJR4Gizi6Cvh0c8dDo7V3PuoO+SthCEBX3AH+i+OyVasCSDIWGegW0uFSAVMzxXgE gSr4nro83vG1V/0zjn4nVCCfMPJmpGPQO120Qf14AiEPt1JQ0y1AA3gtJ0ni8fhJ4Ql0 pDbg==
MIME-Version: 1.0
Received: by 10.14.208.137 with SMTP id q9mr18835747eeo.28.1354901523694; Fri, 07 Dec 2012 09:32:03 -0800 (PST)
Received: by 10.223.173.199 with HTTP; Fri, 7 Dec 2012 09:32:03 -0800 (PST)
In-Reply-To: <50C21F2E.6000708@isode.com>
References: <50C21F2E.6000708@isode.com>
Date: Fri, 07 Dec 2012 12:32:03 -0500
Message-ID: <CAH1iCirPGUgJUu0M5Tb-OHzhYbVntk-R5-r_hm-7EMvYM7y0SQ@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Content-Type: multipart/alternative; boundary="047d7b621d160684ae04d0469891"
Cc: sidr wg <sidr@ietf.org>
Subject: Re: [sidr] Reboot: questions regarding WG acceptance of draft-ymbk-rpki-grandparenting-02
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2012 17:32:06 -0000

Top-reply for convenience:
(This is strictly my opinion/observation and does not represent the
viewpoint of any organization per se)

1. Yes, there is a problem alluded to that might need to be solved.
2. C - no, this draft is not the place to solve the problem.

The root of the problem, is limitations imposed by the design of RFC 3779
for how resources are delegated.

The routing system uses "longest match wins".
The RPKI needs to accommodate the exclusivity of prefixes that are both
routed (as less-specific) and delegated-and-routed (as more-specific).

Specifically, when a resource has some portion of it "forked" (either by
the resource holder, or by any parent of the resource holder), the encoding
of the resource needs to have that "fork" encoded.

The "fork" needs to be "tied" to the resource, in such a way as to prevent
the same resource being available for certification by more than one party.

So, the place to do this is in RFC3779-bis, and inherit the changes
(possibly involving modifications) in the rest of the document suite of
SIDR.

Brian

P.S. Here is a worked example to illustrate this concept:

Suppose the initial state of affairs is as follows:
10.0.0.0/8 is delegated by IANA to RIR "A". RIR "A" does not route any
portion of this block, but only doles out portions of it.
10.1.0.0/16 is delegated by RIR "A" to LIR "A1". Again, not routed.
10.1.0.0/20 is delegated by LIR "A1" to ISP "B". ISP B routes this prefix.
10.1.15.0/24 is delegated by ISP "B" to customer "C". C routes this prefix,
which is more-specific and preferred over 10.1.0.0/20.

Now add to the above, that ISP "B" goes out of business.

The proposed way of directly assigning the 10.1.15.0/24 to "C" would be to
have the delegation done directly to "C" by RIR "A", or by LIR "A1".
(Or by IANA, only included for completeness, i.e. this would likely never
happen.)

And, in order to continue to assure the uniqueness of the assignment, the
corresponding delegations would need to explicitly call out the
NON-delegation of 10.1.15.0/24, attached to the delegation chain starting
wherever the fork occurred.

So, if the direct delegation is done by LIR "A1", the new delegations by A1
would be:
10.1.0.0/20 minus 10.1.15.0/24 (from LIR "A1" to ISP "B" (which is defunct,
presumably, but whose assets might be sold to another party))
10.1.15.0/24 (to "C" directly)

Or if the direct delegation is done by RIR "A", the delegations would be:
10.1.0.0/16 minus 10.1.15.0/24 (from RIR "A" to LIR "A1")
10.1.15.0/24 (from RIR "A" to end-user "C")
10.1.0.0/20 minus 10.1.15.0/24 (from LIR "A1" to ISP "B")

The "minus foo" would need to be attached to any delegation covering "foo",
throughout the delegation hierarchy, once such a "fork" occurs.
ROA validation would need to check this, but the logic is quite simple.

On Fri, Dec 7, 2012 at 11:54 AM, Alexey Melnikov
<alexey.melnikov@isode.com>wrote:

> Hi,
> Sorry for procrastinating on this for so long.
>
> Here are questions I would like to ask WG participants. At this point I
> would like to ask people to review the questions and let me know if you
> think they are contradictory. If they are clear, I will poll the WG early
> next week. Comments on the mailing list or sent directly to WG chairs <
> sidr-chairs@tools.ietf.org> are welcome.
>
> ----------------
>
> 1) Is the problem described/solved by draft-ymbk-rpki-**grandparenting-02
> actually a problem that the WG needs to address? (Answer: yes or no.
> Additional information is welcomed, but I don't want people to repeat the
> whole discussion.)
>
> 2) If you answered "yes" to the question #1, please also answer the
> following question:
>
> Is draft-ymbk-rpki-**grandparenting-02 a reasonable starting point to
> become a WG document? Please choose one of the following:
>
>
> a) Ready for Adoption (whether or not you have some specific issues with
> it. Also, this answer is unrelated to whether this should be a separate
> draft or a part of an existing draft).
>
> b) Needs more work BEFORE Adoption
>
> c) Should not be adopted. In particular this mean that you don't believe
> any amount of work on the proposed draft will address your issues. So any
> solution to this problem should be a new draft written from scratch.
>
> d) Abstain/don't care
>
>
> 3) If you answered "a" or "b" above, please also answer the following
> question:
>
> Does this need to be in a standalone draft, or can it be incorporated into
> another existing WG draft? When answering this question please only base
> your answer on technical reasons, in particular please leave the decision
> on who is going to edit the document (if it is standalone) to WG chairs.
>
>
> ______________________________**_________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/**listinfo/sidr<https://www.ietf.org/mailman/listinfo/sidr>
>

v2.23.0 | Report a Bug | By Email