Re: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11

"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Tue, 28 April 2015 23:03 UTC

From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Sandra Murphy <sandy@tislabs.com>, Iljitsch van Beijnum <iljitsch@muada.com>
Thread-Topic: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11
Date: Tue, 28 Apr 2015 23:03:52 +0000
Message-ID: <D165DC66.21798%rogaglia@cisco.com>
References: <4C184296-F426-40EF-9DB6-3AE87C42B516@tislabs.com> <91148102-DADB-42E8-96A0-E89120642894@tislabs.com> <ECDAD8F2-1C27-4494-887C-59280D7FF973@muada.com> <EF4348D391D0334996EE9681630C83F02D173BEB@xmb-rcd-x02.cisco.com> <B1EDF7B6-1E42-440E-BD3F-29723AD7E4A4@muada.com> <30008066-54A7-4545-B947-947669B8EB3E@tislabs.com>
In-Reply-To: <30008066-54A7-4545-B947-947669B8EB3E@tislabs.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/wry8_J-tXtKn2yaMtR2ejtmx7BI>
Cc: "idr@ietf.org wg" <idr@ietf.org>, "ggm@apnic.net" <ggm@apnic.net>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] [Idr] Levels of BGPsec/RPKI validation, was: Re: wglc for draft-ietf-sidr-bgpsec-protocol-11

>I think Roque was saying that the first outcome would be the case, not
>the second:

You are correct and IMHO we do not need more documents.

The normative text is in RFC 6482 section 4:

-----------------------
4.  ROA Validation

   Before a relying party can use a ROA to validate a routing
   announcement, the relying party MUST first validate the ROA.  To
   validate a ROA, the relying party MUST perform all the validation
   checks specified in [RFC6488] as well as the following additional
   ROA-specific validation step.

   o  The IP address delegation extension [RFC3779] is present in the
      end-entity (EE) certificate (contained within the ROA), and each
      IP address prefix(es) in the ROA is contained within the set of IP
      addresses specified by the EE certificate's IP address delegation
      extension.


‹‹‹‹‹‹‹‹‹‹‹


Informational text is in RFC6907, section 7.2:

7.2.  ROA Expiry or Receipt of a CRL Revoking a ROA


In particular, sections 7.2.5 to 7.2.8 cover different expiration
circumstances.

‹‹‹‹‹‹‹‹‹‹‹


Regards,

Roque
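As an added example, not part of this e-mail or of the RFCs it quotes: the ROA-specific step of RFC 6482 section 4 (each ROA prefix must sit inside the EE certificate's RFC 3779 IP address delegation) over already-decoded inputs. It assumes the RFC 3779 extension and the ROA eContent have been parsed elsewhere and that the RFC 6488 checks (signature, chain, CRL) are done separately; the function and helper names are my own.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# An RFC 3779 address block is either a prefix or an inclusive (min, max) range.
Block = Union[Net, Tuple[Addr, Addr]]


def _covers(block: Block, prefix: Net) -> bool:
    """True if one EE-certificate address block fully contains `prefix`."""
    if isinstance(block, tuple):
        lo, hi = block
        return (lo.version == prefix.version
                and lo <= prefix.network_address
                and prefix.broadcast_address <= hi)
    return block.version == prefix.version and prefix.subnet_of(block)


def roa_prefixes_within_ee_cert(ee_blocks: Iterable[Block],
                                roa_entries: Iterable[Tuple[str, int]]
                                ) -> Tuple[bool, List[str]]:
    """RFC 6482 s.4 check (assumed name): every (prefix, maxLength) entry of
    the ROA must lie inside the EE cert's delegation. Returns (ok, offenders).
    maxLength is only checked for well-formedness per RFC 6482 s.3.3
    (prefix length <= maxLength <= address size); it does not change
    containment, since any more-specific of a covered prefix is also covered.
    """
    blocks = list(ee_blocks)
    bad: List[str] = []
    for text, max_len in roa_entries:
        prefix = ipaddress.ip_network(text, strict=True)
        if not (prefix.prefixlen <= max_len <= prefix.max_prefixlen):
            bad.append(f"{text} (invalid maxLength {max_len})")
            continue
        if not any(_covers(b, prefix) for b in blocks):
            bad.append(text)
    return (not bad, bad)


def parse_blocks(specs: Iterable[str]) -> List[Block]:
    """Helper for constructed test data: '192.0.2.0/24' or an inclusive
    range '192.0.2.0-192.0.2.255' into the Block form above."""
    out: List[Block] = []
    for s in specs:
        if "-" in s:
            lo, hi = (ipaddress.ip_address(p) for p in s.split("-"))
            out.append((lo, hi))
        else:
            out.append(ipaddress.ip_network(s, strict=True))
    return out
```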