> If we're going with "[#RPKI Signature] address range MUST match [inetnum:
> followed to get here]", then there are probably a couple places that still
> talk about "covered by" that should catch up.
don't find any
what i did find is that i forgot to remove
The address range of the signing certificate MUST cover all
- prefixes in the geofeed file it signs; and therefore must be
- covered by the range of the inetnum:.
+ prefixes in the geofeed file it signs.
> We may also need to look more closely at the bits after "# RPKI
> Signature". The example uses a CIDR range, but IIRC inetnum: ranges
> are not limited to CIDR blocks, which would mean we need a story for
> how to handle non-CIDR blocks.
ranges are well-defined in rpki, inetnum:, etc. 8805 entries must be
cidr.
that an inetnum: or rpki cert range must cover geofeed file prefixes
seems pretty clear. but i have tweaked wording a bit. i can push my
emacs buffer to id repo, but will wait a bit for other comments.
randy
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
