Re: [Sidrops] trying to limit RP processing variability

[Claudio Jeker <cjeker@diehard.n-r-g.com>]

On Thu, Apr 16, 2020 at 10:54:34AM -0400, Stephen Kent wrote:
> Claudio,
> > ...
> > > In all cases. Since it is ignored, it doesn’t really matter whether it
> > > is good or bad or ugly.
> > > 
> > > I suppose I would go with "SHOULD be ignored" here.
> > Which CRL are we talking about? The ones listed in the manifest or the one
> > referenced by the manifest certificate?
> > I agree that the CRL for manifests is ignored mainly because of the chicken
> > and egg situation (the manifest holds the CRL fileAndHash which is uses by
> > the manifest itself).
> 
> See my earlier comment that I believe there really is not a chicken and egg
> problem here re CRLs. I don't see any indication in 6486 that the CRLDP in
> an EE cert for a manifest is different from that of the EE certs appearing
> in ROAs.

My point was that the CRL referenced by the MFT is part of the MFT
FileAndHash list and is therefor not yet verified and loaded. So either
one must verify the EE cert of the MFT without checking the CRL or one
must load a not yet verified CRL file to be able to do proper full EE cert
verification. This is the chicken and egg situation I was referring to.
 
> > For CRL listed in manifests I think the situation is different. If a CRL,
> > ROA or CERT in a manifest is missing then the manifest must be considered
> > invalid and everything under it ignored. This is so that missing ROA would
> > not suddenly result in RPKI invalid routes because only part of a set was
> > processed.
> 
> Could you elaborate on this last comment?

I think Job Snijders showed this very well with his examples where removal
of one roa file would result in the insertion of an AS 0 VRP covering a
large part of Germany's IP space unless all of the manifest data is
ignored.

-- 
:wq Claudio