Re: [Sidrops] Distributing RPKI Validated Cache in JSON over HTTPS

George Michaelson <> Mon, 25 May 2020 00:18 UTC

From: George Michaelson <>
Date: Mon, 25 May 2020 10:18:08 +1000
Message-ID: <>
To: Di Ma <>
Cc: SIDR Operations WG <>

I think it's useful to document use of secured transport to fetch data.

The problem I retain in this is the lack of strong cryptographic
validity checks on the semantic intent of the assertions themselves.

The beauty of RPKI was always the ability to demonstrate the binding
of authority (delegated) to say what was to be done with some

SLURM doesn't honour that behaviour. Inside your own IGP, it's a
representation of your 'must-haves' including other people's things,
but between IGPs, transferred over the external boundary, I worry a
LOT about "what it means".

And that goes for 'SLURM for AS0 from the RIR too' btw.


On Wed, May 20, 2020 at 3:32 PM Di Ma <> wrote:
> Hi, folks
> I briefed a method for RPKI inter-cache synchronization called Distributing RPKI Validated Cache in JSON over HTTPS, and our implementation with RPSTIR2, at the IETF 106 Singapore meeting.
> After that we were drafting a document that tries to specify the standardized way to do so, as I promised :-)
> We realized that the document should focus on the necessary minimum information for data exchange, not the detailed interaction and signaling, which I believe can be left to different private implementations.
> This document is therefore intended to define a method for transferring the RPKI validated cache by making use of SLURM.
> Looking forward to your comments.
> Di
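The point of contention above, as an added example that is not from the draft, from RPSTIR2, or from either poster: applying a SLURM file (RFC 8416 prefix filters and prefix assertions) received from a peer cache to a local set of VRPs, and tagging each resulting entry with its provenance. The `VRP` class, the function names, and the sample cache and SLURM document are constructed for illustration; documentation prefixes and private-use ASNs are used throughout.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VRP:
    asn: int
    prefix: str
    max_length: int
    source: str  # "rpki": validated via a ROA chain; "slurm": unsigned local assertion

def _covered_by(vrp_prefix: str, filter_prefix: str) -> bool:
    v, f = ipaddress.ip_network(vrp_prefix), ipaddress.ip_network(filter_prefix)
    return v.version == f.version and v.subnet_of(f)

def _filter_matches(flt: dict, vrp: VRP) -> bool:
    # RFC 8416 prefix filter: "prefix", "asn" or both; every key present must match.
    if "prefix" in flt and not _covered_by(vrp.prefix, flt["prefix"]):
        return False
    return "asn" not in flt or flt["asn"] == vrp.asn

def apply_slurm(vrps: list, slurm: dict) -> list:
    """Drop VRPs hit by a prefix filter, then append the file's prefix assertions."""
    filters = slurm.get("validationOutputFilters", {}).get("prefixFilters", [])
    asserted = slurm.get("locallyAddedAssertions", {}).get("prefixAssertions", [])
    kept = [v for v in vrps if not any(_filter_matches(f, v) for f in filters)]
    for a in asserted:
        plen = ipaddress.ip_network(a["prefix"]).prefixlen
        kept.append(VRP(a["asn"], a["prefix"], a.get("maxPrefixLength", plen), "slurm"))
    return kept

def unsigned_entries(vrps: list) -> list:
    """Entries that rest only on the SLURM file's say-so, with no ROA chain behind them."""
    return [v for v in vrps if v.source == "slurm"]

# Constructed sample data: documentation prefixes and private-use ASNs, not real routing state.
VALIDATED_CACHE = [
    VRP(64496, "192.0.2.0/24", 24, "rpki"),
    VRP(64497, "198.51.100.0/24", 24, "rpki"),
    VRP(64496, "2001:db8::/32", 48, "rpki"),
]
REMOTE_SLURM = {  # what a peer cache might ship over HTTPS; TLS proves the peer, not the content
    "slurmVersion": 1,
    "validationOutputFilters": {"prefixFilters": [{"prefix": "198.51.100.0/24"}],
                                "bgpsecFilters": []},
    "locallyAddedAssertions": {"prefixAssertions": [{"asn": 64498, "prefix": "203.0.113.0/24",
                                                     "maxPrefixLength": 24}],
                               "bgpsecAssertions": []},
}
```

After `apply_slurm(VALIDATED_CACHE, REMOTE_SLURM)`, the 198.51.100.0/24 VRP is gone and a 203.0.113.0/24 entry for AS64498 is present, and `unsigned_entries` is the only thing that still distinguishes that entry from the ones backed by a certificate chain.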