> If we're going with "[#RPKI Signature] address range MUST match [inetnum: > followed to get here]", then there are probably a couple places that still > talk about "covered by" that should catch up.
don't find any what i did find is that i forgot to remove The address range of the signing certificate MUST cover all - prefixes in the geofeed file it signs; and therefore must be - covered by the range of the inetnum:. + prefixes in the geofeed file it signs. > We may also need to look more closely at the bits after "# RPKI > Signature". The example uses a CIDR range, but IIRC inetnum: ranges > are not limited to CIDR blocks, which would mean we need a story for > how to handle non-CIDR blocks. ranges are well-defined in rpki, inetnum:, etc. 8805 entries must be cidr. that an inetnum: or rpki cert range must cover geofeed file prefixes seems pretty clear. but i have tweaked wording a bit. i can push my emacs buffer to id repo, but will wait a bit for other comments. randy _______________________________________________ OPSAWG mailing list OPSAWG@ietf.org https://www.ietf.org/mailman/listinfo/opsawg