Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt
"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Thu, 07 June 2012 07:53 UTC
Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 621F621F869C for <sidr@ietfa.amsl.com>; Thu, 7 Jun 2012 00:53:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 106d6VM0LqYq for <sidr@ietfa.amsl.com>; Thu, 7 Jun 2012 00:53:15 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id D086721F869D for <sidr@ietf.org>; Thu, 7 Jun 2012 00:53:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=10665; q=dns/txt; s=iport; t=1339055595; x=1340265195; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=pqVNhnvr5pmpmndVwiAaXPtDjtDahHP5mjKSIJXxHzc=; b=bw1EE/h+NGWfEDpFvBpDwZh5aQU9y7DOjdxmAqzFvZcuXFmzK8RDInom 338Js6kT6Zv4K2zrUyWyvTnrIZRvLLPXwo8TPNVkig8I6O7ybkYY8y8BC 9YrBE54ERx7y68aGuHIQb44keode25grFNMiLGRud20hMOanMZGASRtAJ Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAM9c0E+tJV2a/2dsb2JhbABFtB2BB4IYAQEBBAEBAQ8BWwQHEAIBCBEDAQIoBycLFAkIAgQOBRkJh2kLmHmfcgSLHYUoYAOVHY4UgWaCYA
X-IronPort-AV: E=Sophos; i="4.75,728,1330905600"; d="scan'208,217"; a="90085308"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-1.cisco.com with ESMTP; 07 Jun 2012 07:53:14 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id q577rEae029079 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 7 Jun 2012 07:53:14 GMT
Received: from xmb-rcd-x01.cisco.com ([169.254.1.238]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.02.0298.004; Thu, 7 Jun 2012 02:53:14 -0500
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Terry Manderson <terry.manderson@icann.org>
Thread-Topic: [sidr] draft-ymbk-rpki-grandparenting-00.txt
Thread-Index: AQHNRIKWmeMHLOI6skGjzaABNoC0Kw==
Date: Thu, 07 Jun 2012 07:53:13 +0000
Message-ID: <1DCEB45E-0AC6-4E34-B4F6-DA760E9ED58D@cisco.com>
References: <CBF67F2B.2677C%terry.manderson@icann.org>
In-Reply-To: <CBF67F2B.2677C%terry.manderson@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [144.254.17.50]
x-tm-as-product-ver: SMEX-10.2.0.1135-6.800.1017-18952.004
x-tm-as-result: No--39.593400-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_1DCEB45E0AC64E34B4F6DA760E9ED58Dciscocom_"
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2012 07:53:16 -0000
Terry, On Jun 7, 2012, at 7:54 AM, Terry Manderson wrote: Hi Randy, I'm presuming that there are cases that prompt you to write this draft as BCP. Are you able to elaborate on why (using the nomenclature from your example) "A" wouldn't re-issue the rpki certificate to "C" to be "10.42.0.0/23,10.42.4.0/22,10.42.8.0/21,10.42.16.0/20,10.42.32.0/19,10.42.64 .0/18,10.42.128.0/17" (ie the 10.42.0.0/16 resources minus "C's" /23) and a certificate to G of "10.42.2.0/23" since both "A" and "C" are in agreement that "G" retains that prefix? Or is this what you are trying to describe? So far the wording seems (to me) that some certificate state will eventuate that "A" issues a certificate for the 10.42.0.0/16 to "C" _AND_ creates a 10.42.2.0/23 resulting object (ROA etc) on "G's" behalf as a subordinate object of "A's" 10/8? I'm not sure that was the intent of the RPKI? Was it? I had the same reaction as you. I looked at the CP document and the Cert. Profile. The best reference to this use-case is the second paragraph of the Security Section on RFC 6487: " A resource certificate PKI cannot in and of itself resolve any forms of ambiguity relating to uniqueness of assertions of rights of use in the event that two or more valid certificates encompass the same resource. If the issuance of resource certificates is aligned to the status of resource allocations and assignments, then the information conveyed in a certificate is no better than the information in the allocation and assignment databases." My understanding of Randy's proposal is that both C and G will have for a period of time the "right of use" for the 10.42.2.0/23 address space. Your proposal on the first paragraph is an alternative but I would say that it will be much harder to "make before break". Roque Cheers Terry On 7/06/12 12:00 AM, "Randy Bush" <randy@psg.com<mailto:randy@psg.com>> wrote: this draft is relevant to the sidr wg work and i, as author, request it be made a work item. randy From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> To: randy@psg.com<mailto:randy@psg.com> Subject: New Version Notification for draft-ymbk-rpki-grandparenting-00.txt Message-ID: <20120606135903.5473.73476.idtracker@ietfa.amsl.com<mailto:20120606135903.5473.73476.idtracker@ietfa.amsl.com>> Date: Wed, 06 Jun 2012 06:59:03 -0700 A new version of I-D, draft-ymbk-rpki-grandparenting-00.txt has been succes= sfully submitted by Randy Bush and posted to the IETF repository. Filename: draft-ymbk-rpki-grandparenting Revision: 00 Title: Responsible Grandparenting in the RPKI Creation date: 2012-06-06 WG ID: Individual Submission Number of pages: 5 Abstract: There are circumstances in RPKI operations where a resource holder's parent may not be able to, or may not choose to, facilitate full and proper registration of the holder's data. As in real life, the holder may form a relationship to their grandparent who is willing to aid the grandchild. This document describes simple procedures for doing so. The IETF Secretariat _______________________________________________ sidr mailing list sidr@ietf.org<mailto:sidr@ietf.org> https://www.ietf.org/mailman/listinfo/sidr _______________________________________________ sidr mailing list sidr@ietf.org<mailto:sidr@ietf.org> https://www.ietf.org/mailman/listinfo/sidr
- [sidr] draft-ymbk-rpki-grandparenting-00.txt Randy Bush
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Byron Ellacott
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Terry Manderson
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Roque Gagliano (rogaglia)
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Terry Manderson
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Roque Gagliano (rogaglia)
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Randy Bush
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Randy Bush
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Terry Manderson
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Terry Manderson
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt George, Wes
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Murphy, Sandra
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Terry Manderson
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Andrei Robachevsky
- Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt Randy Bush