IETF Logo Mail Archive

Re: [sidr] RPKI <-> allocation consistency

Danny McPherson <danny@tcb.net> Thu, 23 August 2012 02:41 UTC

Return-Path: <danny@tcb.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E23621F8510 for <sidr@ietfa.amsl.com>; Wed, 22 Aug 2012 19:41:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id avtJQlZIiUUJ for <sidr@ietfa.amsl.com>; Wed, 22 Aug 2012 19:41:32 -0700 (PDT)
Received: from dog.tcb.net (dog.tcb.net [64.78.150.133]) by ietfa.amsl.com (Postfix) with ESMTP id 7C4D221F850D for <sidr@ietf.org>; Wed, 22 Aug 2012 19:41:32 -0700 (PDT)
Received: by dog.tcb.net (Postfix, from userid 0) id 0F68C2680C7; Wed, 22 Aug 2012 20:41:32 -0600 (MDT)
Received: from new-host-10.home (pool-173-72-146-12.clppva.fios.verizon.net [173.72.146.12]) (authenticated-user smtp) (TLSv1/SSLv3 AES128-SHA 128/128) by dog.tcb.net with SMTP; Wed, 22 Aug 2012 20:41:31 -0600 (MDT) (envelope-from danny@tcb.net)
X-Avenger: version=0.7.8; receiver=dog.tcb.net; client-ip=173.72.146.12; client-port=62716; syn-fingerprint=65535:48:1:64:M1460,N,W3,N,N,T,S MacOS 10.4.8; data-bytes=0
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Danny McPherson <danny@tcb.net>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F625F555CB@Hermes.columbia.ads.sparta.com>
Date: Wed, 22 Aug 2012 22:41:16 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <D857A4BB-E484-45A4-A09F-FB8FAF2215AC@tcb.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F555CB@Hermes.columbia.ads.sparta.com>
To: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
X-Mailer: Apple Mail (2.1278)
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] RPKI <-> allocation consistency
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Aug 2012 02:41:33 -0000

Admittedly, I'm not certain what triggered this, but clearly, your email to me suggests that others have expressed concern of consistency and collisions, a concern expressed by the IAB as well.  As such, I have a question below.

On Aug 10, 2012, at 4:45 PM, Murphy, Sandra wrote:

> speaking as regular ol' member
> 
> About allocation <-> RPKI consistency
> 
> The RPKI is a certification of resource holding.  Because the allocation databases continue to also record allocations, there's duplication of information between the RPKI and the allocation databases.
> 
> Having duplicate records of the same data always presents an issue of consistency.  We know we have this issue (have known it from the beginning), any resource certification outside the allocation system would, so we need to work on how to handle it.
> 
> Handling it is out-of-band.  Consistency will be a matter of process, to ensure that allocation actions are bound to issuance of consistent CA certificates (if and when one is issued) and vice versa.  Monitoring the two to spot inconsistencies will be another process.
> 
> Duplicates may be valid.  There may be reasons for multiple CA certificates being issued for exactly the same prefix space.  Transfer (or at least the only method of transfer discussed in the wg) would result in multiple CA certificates being issued for exactly the same prefix space, for make-before-break purposes.
> 
> We already have a potential for inconsistency.  As noted in the IAB statement on the RPKI, multiple trust anchors present a risk of conflicting certifications for the same address block.  We do not yet have a single root trust anchor.  No need for panic, the RIRs are aware and I trust they have process in mind to ensure consistency.   (This is a contentious issue - hopefully that's worded with sufficient care and balance.)  But that's another case where consistency is/will be ensured by process.


Sandy (or others in the know), can you shed any light on the process you have in mind to ensure consistency?  Particularly from the perspective of a prospective RP?  Pointers to process (e.g., RIR processes in the works) are fine.

Thanks, 

-danny

v2.23.0 | Report a Bug | By Email