Re: [Sidrops] 6486bis: Failed Fetches

Jay Borkenhagen <> Wed, 02 September 2020 18:34 UTC


Stephen Kent writes:
 > The crux of the issue is whether it is preferable to reject all objects 
 > at a pub point if an error is detected (until the error is rectified), 
 > and thus potentially treat many more routes as having an unknown 
 > verification status, or to accept bits and pieces of data from a pub 
 > point with the potential that some routes will be treated as valid, even 
 > if they are invalid. To me, that is a value judgement to be made by 
 > network operators, not by developers of RP software. [...]

No, there is a bit more to it than that.

I want my network's routers and those of all other networks to be fed
with VRPs that represent all the verified and legitimate published
origin-ASN intentions of verified, legitimate IP number resource

Clearly the challenge there is in determining "verified" and
"legitimate."  In creating the rules (to be documented in
standards-track RFCs) for those determinations, I would like the input
of all SIDROPS participants to be valued, including the input of the
RPKI designers, the CA- and RP-implementers, the RIRs, and the network

To my point: if RP-implementers feel that the "bits and pieces of
data" (to use your words) should be considered to best make those
determinations, such input should be welcomed; conversely, if
RP-implementers feel that strict publication rules and accompanying
strict handling of retrieved records together create the best way to
make those determinations, we all should listen to what they have to

 > Experience with X.509 cert extensions suggests that the approach I noted 
 > is preferable. Saying that older RPs can ignore objects they don't 
 > understand introduces ambiguity in RP behavior, which is precisely the 
 > concern that motivated the effort to generate 6486bis.

Ambiguity is bad in any technical endeavor where precision is needed.
And we're here discussing this now because there was ambiguity in
rfc6486 (not assigning blame -- I missed it, too).  But I don't see
how it follows that if/when ASPA (for example) is standardized, that
older RPs should be required to throw away all records retrieved from
PPs whose MFTs now cite ASPA records.


						Jay B.
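
The two handling policies discussed in this thread, as an added Python sketch (not part of the message, of 6486bis, or of any RP implementation). It assumes a toy "prefix,maxlen,asn" payload in place of real signed objects, constructed file names, and no cached data from earlier fetches.

```python
import hashlib
from ipaddress import ip_network

SUPPORTED = {"roa"}  # object types this hypothetical older RP can parse

def digest(body):
    return hashlib.sha256(body).hexdigest()

def process_pub_point(manifest, fetched, strict):
    """Return the VRP list for one publication point, or None if the
    whole fetch is rejected. manifest maps file name -> SHA-256 hex."""
    vrps = []
    for name, expected in manifest.items():
        body = fetched.get(name)
        ok = (body is not None and digest(body) == expected
              and name.rsplit(".", 1)[-1] in SUPPORTED)
        if not ok:
            if strict:
                return None   # all-or-nothing: one bad entry fails the PP
            continue          # "bits and pieces": skip it, keep the rest
        # Toy payload "prefix,maxlen,asn"; a real ROA is a CMS signed object.
        prefix, maxlen, asn = body.decode().split(",")
        vrps.append((ip_network(prefix), int(maxlen), int(asn)))
    return vrps

def rov(vrps, prefix, origin):
    """Route origin validation state of (prefix, origin) against vrps."""
    route = ip_network(prefix)
    covering = [v for v in vrps or []
                if v[0].version == route.version and route.subnet_of(v[0])]
    if not covering:
        return "not-found"
    hit = any(route.prefixlen <= m and origin == a for _, m, a in covering)
    return "valid" if hit else "invalid"

# Constructed publication point: two ROAs plus one object of a newer type
# (c.asa stands in for an ASPA record the older RP cannot parse).
FILES = {"a.roa": b"192.0.2.0/24,24,64500",
         "b.roa": b"198.51.100.0/24,24,64501",
         "c.asa": b"opaque bytes of a newer object type"}
MANIFEST = {name: digest(body) for name, body in FILES.items()}

def compare(prefix, origin, fetched=FILES):
    """ROV state of one route under each policy."""
    return {mode: rov(process_pub_point(MANIFEST, fetched, strict), prefix, origin)
            for mode, strict in (("strict", True), ("lenient", False))}

if __name__ == "__main__":
    print(compare("192.0.2.0/24", 64500))
    print(compare("192.0.2.0/24", 64999))
```

Under the strict policy the unparsed object costs the RP both ROAs, so every route covered by this publication point falls back to not-found; under the lenient policy the ROAs still yield VRPs and the same routes evaluate as valid or invalid.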