[sidr] Questions about draft-huston-rpki-validation-01

"Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov> Tue, 11 March 2014 22:27 UTC

From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Geoff Huston <gih@apnic.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/x3Q4DCd2c5l6xwmIg3jpk3vSk6Y
Cc: George Michaelson <ggm@apnic.net>, sidr wg list <sidr@ietf.org>

I went through your -01 draft and the SIDR presentation slides from last week once again, 
and have the following questions: 

(1) An update with prefix-origin pair {5.0.0.0/24, AS64511} is received. 
There is a ROA: {5.0.0.0/22, maxLength = 24; AS64511} in the RPKI. 
However, it is signed using a certificate that is “valid” only for resource {5.0.0.0/24}.  
In this case, is it the intent of your alternate validation model to ascertain that 
the above ROA is partially valid, and accordingly prefix-origin pair {5.0.0.0/24, AS64511} is “Valid”?

(2) Let us say, there is a ROA: {1.0.0.0/24, 2.0.0.0/22, 3.0.0.0/20; AS64500} in the RPKI. 
But this ROA is signed using a certificate that is “valid” only for resources {1.0.0.0/24, 3.0.0.0/20}
that is a subset of the prefixes listed in the ROA.  
In this case, is it the intent of your alternate validation model to ascertain that 
the above ROA is partially valid, and accordingly prefix-origin pairs 
{1.0.0.0/24, AS64500} and {3.0.0.0/20, AS64500} are “Valid”? 

(3) On slide #18, do you need to require “Certificates 1 through n-1 are also “valid” 
according to this same criterion”?  You are not validating them at this point. 
You are only validating Certificate ‘n’ for *a given INR*. 
Is it not enough to require that “the resources in the INR extension of 
Certificate x must subsume the given INR” for each x (individually); x=1, 2, 3, …, n? 

Thanks.
Sriram
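
Added example, not part of the original message and not code from the draft or its authors: a comparison of all-or-nothing validation with the per-INR reading that questions (1) to (3) ask about, run on the ROAs from questions (1) and (2). Whether the draft intends this reading is exactly what the message asks, so `per_inr_ok` is an assumption; the three-certificate chains, in which the signing certificate lists more than its parent holds, are constructed, and all function names are hypothetical.

```python
import ipaddress as ip

def covered(prefix, resources):
    """True if `prefix` is subsumed by at least one block in `resources`."""
    p = ip.ip_network(prefix)
    return any(p.subnet_of(ip.ip_network(r)) for r in resources)

def roa_matches(route, origin, roa):
    """Route matching: covering ROA prefix, length <= maxLength, same origin AS."""
    r = ip.ip_network(route)
    return origin == roa["asn"] and any(
        r.subnet_of(ip.ip_network(p)) and r.prefixlen <= (mx or ip.ip_network(p).prefixlen)
        for p, mx in roa["prefixes"])

def strict_ok(roa, chain):
    """All-or-nothing: each certificate nests inside its parent, and every
    ROA prefix lies inside the signing (last) certificate."""
    nested = all(covered(r, parent)
                 for parent, child in zip(chain, chain[1:]) for r in child)
    return nested and all(covered(p, chain[-1]) for p, _ in roa["prefixes"])

def per_inr_ok(inr, chain):
    """Reading in question (3): each certificate x = 1..n, taken
    individually, must subsume the one INR being validated."""
    return all(covered(inr, cert) for cert in chain)

def route_valid(route, origin, roa, chain, per_inr):
    """True if this ROA makes the route Valid under the chosen model."""
    if not roa_matches(route, origin, roa):
        return False
    return per_inr_ok(route, chain) if per_inr else strict_ok(roa, chain)

# Constructed chains (hypothetical): [trust anchor, CA, signing certificate].
ROA1 = {"asn": 64511, "prefixes": [("5.0.0.0/22", 24)]}
CHAIN1 = [["5.0.0.0/8"], ["5.0.0.0/24"], ["5.0.0.0/22"]]
ROA2 = {"asn": 64500, "prefixes": [("1.0.0.0/24", None), ("2.0.0.0/22", None),
                                   ("3.0.0.0/20", None)]}
CHAIN2 = [["0.0.0.0/0"], ["1.0.0.0/24", "3.0.0.0/20"],
          ["1.0.0.0/24", "2.0.0.0/22", "3.0.0.0/20"]]

def compare(roa, chain, routes):
    """Per route: (strict result, per-INR result)."""
    return {r: (route_valid(r, roa["asn"], roa, chain, False),
                route_valid(r, roa["asn"], roa, chain, True)) for r in routes}

if __name__ == "__main__":
    print(compare(ROA1, CHAIN1, ["5.0.0.0/24"]))
    print(compare(ROA2, CHAIN2, ["1.0.0.0/24", "2.0.0.0/22", "3.0.0.0/20"]))
```

Under the strict model neither ROA yields a Valid route, while the per-INR reading validates only the prefixes every certificate in the chain still covers.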