Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt

"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Thu, 07 June 2012 07:53 UTC

Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 621F621F869C for <sidr@ietfa.amsl.com>; Thu, 7 Jun 2012 00:53:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 106d6VM0LqYq for <sidr@ietfa.amsl.com>; Thu, 7 Jun 2012 00:53:15 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id D086721F869D for <sidr@ietf.org>; Thu, 7 Jun 2012 00:53:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=10665; q=dns/txt; s=iport; t=1339055595; x=1340265195; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=pqVNhnvr5pmpmndVwiAaXPtDjtDahHP5mjKSIJXxHzc=; b=bw1EE/h+NGWfEDpFvBpDwZh5aQU9y7DOjdxmAqzFvZcuXFmzK8RDInom 338Js6kT6Zv4K2zrUyWyvTnrIZRvLLPXwo8TPNVkig8I6O7ybkYY8y8BC 9YrBE54ERx7y68aGuHIQb44keode25grFNMiLGRud20hMOanMZGASRtAJ Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAM9c0E+tJV2a/2dsb2JhbABFtB2BB4IYAQEBBAEBAQ8BWwQHEAIBCBEDAQIoBycLFAkIAgQOBRkJh2kLmHmfcgSLHYUoYAOVHY4UgWaCYA
X-IronPort-AV: E=Sophos; i="4.75,728,1330905600"; d="scan'208,217"; a="90085308"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-1.cisco.com with ESMTP; 07 Jun 2012 07:53:14 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id q577rEae029079 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 7 Jun 2012 07:53:14 GMT
Received: from xmb-rcd-x01.cisco.com ([169.254.1.238]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.02.0298.004; Thu, 7 Jun 2012 02:53:14 -0500
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Terry Manderson <terry.manderson@icann.org>
Thread-Topic: [sidr] draft-ymbk-rpki-grandparenting-00.txt
Thread-Index: AQHNRIKWmeMHLOI6skGjzaABNoC0Kw==
Date: Thu, 7 Jun 2012 07:53:13 +0000
Message-ID: <1DCEB45E-0AC6-4E34-B4F6-DA760E9ED58D@cisco.com>
References: <CBF67F2B.2677C%terry.manderson@icann.org>
In-Reply-To: <CBF67F2B.2677C%terry.manderson@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [144.254.17.50]
x-tm-as-product-ver: SMEX-10.2.0.1135-6.800.1017-18952.004
x-tm-as-result: No--39.593400-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_1DCEB45E0AC64E34B4F6DA760E9ED58Dciscocom_"
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ymbk-rpki-grandparenting-00.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2012 07:53:16 -0000

Terry,

On Jun 7, 2012, at 7:54 AM, Terry Manderson wrote:

Hi Randy,

I'm presuming that there are cases that prompt you to write this draft as
BCP. Are you able to elaborate on why (using the nomenclature from your
example)  "A" wouldn't re-issue the rpki certificate to "C" to be
"10.42.0.0/23,10.42.4.0/22,10.42.8.0/21,10.42.16.0/20,10.42.32.0/19,10.42.64
.0/18,10.42.128.0/17" (ie the 10.42.0.0/16 resources minus "C's" /23) and a
certificate to G of "10.42.2.0/23" since both "A" and "C" are in agreement
that "G" retains that prefix?

Or is this what you are trying to describe?

So far the wording seems (to me) that some certificate state will eventuate
that "A" issues a certificate for the 10.42.0.0/16 to "C" _AND_ creates a
10.42.2.0/23 resulting object (ROA etc) on "G's" behalf as a subordinate
object of "A's" 10/8?

I'm not sure that was the intent of the RPKI? Was it?

I had the same reaction as you. I looked at the CP document and the Cert. Profile. The best reference to this use-case is the second paragraph of the Security Section on RFC 6487:

"   A resource certificate PKI cannot in and of itself resolve any forms
   of ambiguity relating to uniqueness of assertions of rights of use in
   the event that two or more valid certificates encompass the same
   resource.  If the issuance of resource certificates is aligned to the
   status of resource allocations and assignments, then the information
   conveyed in a certificate is no better than the information in the
   allocation and assignment databases."

My understanding of Randy's proposal is that both C and G will have for a period of time the "right of use" for the 10.42.2.0/23 address space. Your proposal on the first paragraph is an alternative but I would say that it will be much harder to "make before break".

Roque



Cheers
Terry

On 7/06/12 12:00 AM, "Randy Bush" <randy@psg.com<mailto:randy@psg.com>> wrote:

this draft is relevant to the sidr wg work and i, as author, request it
be made a work item.

randy


From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>
To: randy@psg.com<mailto:randy@psg.com>
Subject: New Version Notification for draft-ymbk-rpki-grandparenting-00.txt
Message-ID: <20120606135903.5473.73476.idtracker@ietfa.amsl.com<mailto:20120606135903.5473.73476.idtracker@ietfa.amsl.com>>
Date: Wed, 06 Jun 2012 06:59:03 -0700

A new version of I-D, draft-ymbk-rpki-grandparenting-00.txt has been succes=
sfully submitted by Randy Bush and posted to the IETF repository.

Filename:        draft-ymbk-rpki-grandparenting
Revision:        00
Title:           Responsible Grandparenting in the RPKI
Creation date:   2012-06-06
WG ID:           Individual Submission
Number of pages: 5

Abstract:
  There are circumstances in RPKI operations where a resource holder&#39;s
  parent may not be able to, or may not choose to, facilitate full and
  proper registration of the holder&#39;s data.  As in real life, the
  holder may form a relationship to their grandparent who is willing to
  aid the grandchild.  This document describes simple procedures for
  doing so.


The IETF Secretariat
_______________________________________________
sidr mailing list
sidr@ietf.org<mailto:sidr@ietf.org>
https://www.ietf.org/mailman/listinfo/sidr
_______________________________________________
sidr mailing list
sidr@ietf.org<mailto:sidr@ietf.org>
https://www.ietf.org/mailman/listinfo/sidr