Re: [Sidrops] what to do when the CRL is hosed?

Jay Borkenhagen <> Thu, 02 April 2020 20:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 641233A194C for <>; Thu, 2 Apr 2020 13:48:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BAW1wtpr07v9 for <>; Thu, 2 Apr 2020 13:48:25 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 1FC573A194D for <>; Thu, 2 Apr 2020 13:48:25 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 46C592D7FE for <>; Thu, 2 Apr 2020 20:48:24 +0000 (UTC)
Received: by (Postfix, from userid 1000) id 1B374A407C8; Thu, 2 Apr 2020 16:48:24 -0400 (EDT)
X-Mailer: emacs 24.3.1 (via feedmail 11-beta-1 I); VM 8.2.0b under 24.3.1 (x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <>
Date: Thu, 02 Apr 2020 16:48:03 -0400
From: Jay Borkenhagen <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <>
Reply-To: Jay Borkenhagen <>
X-GPG-Fingerprint: DDDB 542E D988 94D0 82D3 D198 7DED 6648 2308 D3C0
Archived-At: <>
Subject: Re: [Sidrops] what to do when the CRL is hosed?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 02 Apr 2020 20:48:27 -0000


Re-visiting an older message in preparation for the upcoming SIDROPS
virtual interim meeting.

On 23-March-2020, Stephen Kent writes:
 > I agree that more uniform processing is desirable, but in the routing 
 > system the notion of local policy seems to be ingrained, so ...

When I first saw this, I thought Steve was just making a pithy comment
about local policy and network operators.  But a friend thinks Steve
had not meant it as a joke at all, so let me take Steve's comment at
face value and respond:

As a network operator, yes, I expect to have the flexibility of
configuring my network using local policy.  But in the context of the
RPKI, we need to reach a point where all RFC-compliant RPs will
generate identical sets of VRPs when presented with the same input.
There will be reasons why I may prefer to operate one RP over another,
but the VRPs that a particular RP generates should never be one of

No network operators want to specify any 'local policy' on their RP
instances to control under which conditions an RPKI object would be
accepted.  Some network operators in this WG have voiced strong
opinions about how such acceptance should be decided, but that's not
because they want the ability to exert local policy there.  Such
opinions are all toward the goal we share of all implementations
reliably creating a correct/consistent VRP set.

I encourage feedback from other network operators on this one simple
point.  Hopefully we all see this 'local policy' matter the same way,
and the WG can turn its attention to consistent handling of the corner

						Jay B.