Hi Ben,

When you get a chance, please can you check whether -15 is sufficient to clear your discuss. I think that is the last step to progressing this doc.

https://datatracker.ietf.org/doc/draft-ietf-opsawg-finding-geofeeds/

Regards,
Rob

> -----Original Message-----
> From: iesg <[email protected]> On Behalf Of Randy Bush
> Sent: 21 May 2021 23:12
> To: Benjamin Kaduk <[email protected]>
> Cc: Benjamin Kaduk via Datatracker <[email protected]>; draft-ietf-opsawg-
> [email protected]; [email protected]; The IESG
> <[email protected]>; [email protected]; [email protected]
> Subject: Re: Benjamin Kaduk's Discuss on draft-ietf-opsawg-finding-
> geofeeds-12: (with DISCUSS and COMMENT)
>
> > If we're going with "[#RPKI Signature] address range MUST match [inetnum:
> > followed to get here]", then there are probably a couple places that still
> > talk about "covered by" that should catch up.
>
> don't find any
>
> what i did find is that i forgot to remove
>
> The address range of the signing certificate MUST cover all
> - prefixes in the geofeed file it signs; and therefore must be
> - covered by the range of the inetnum:.
> + prefixes in the geofeed file it signs.
>
> > We may also need to look more closely at the bits after "# RPKI
> > Signature". The example uses a CIDR range, but IIRC inetnum: ranges
> > are not limited to CIDR blocks, which would mean we need a story for
> > how to handle non-CIDR blocks.
>
> ranges are well-defined in rpki, inetnum:, etc. 8805 entries must be
> cidr.
>
> that an inetnum: or rpki cert range must cover geofeed file prefixes
> seems pretty clear. but i have tweaked wording a bit. i can push my
> emacs buffer to id repo, but will wait a bit for other comments.
>
> randy

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
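
Review bot: In the quoted change to the signing-certificate sentence, dropping "and therefore must be covered by the range of the inetnum:" leaves the text with no statement of how the certificate's address range relates to the inetnum:. The comment quoted just above the change discusses a rule that the "# RPKI Signature" address range MUST match the inetnum: followed to reach the file; if that rule is adopted, state it or cross-reference it next to this sentence so that "MUST cover all prefixes in the geofeed file it signs" is not read as the only constraint. The removed clause also mixed a lowercase "must" with the normative "MUST", so replacement wording should choose one deliberately.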
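
The coverage rule discussed in the thread (an inetnum: range, which need not be a CIDR block, must cover every CIDR prefix in the geofeed file) can be checked as below. This is an added example, not code from the thread or the draft; it covers only the inetnum: side, not RPKI certificate validation, and the addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation address space), not from the thread.
INETNUM = "192.0.2.0 - 192.0.2.191"   # a non-CIDR inetnum: range
GEOFEED = """\
# constructed RFC 8805-style entries
192.0.2.0/25,US,US-WA,Seattle,
192.0.2.128/26,DE,DE-BE,Berlin,
192.0.2.192/26,NL,NL-NH,Amsterdam,
"""

def parse_inetnum(value):
    """Parse 'start - end' (or a CIDR prefix) into (first, last) addresses."""
    if "-" in value:
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
    else:
        net = ipaddress.ip_network(value.strip(), strict=True)
        first, last = net[0], net[-1]
    if first.version != last.version or first > last:
        raise ValueError(f"bad range: {value!r}")
    return first, last

def geofeed_prefixes(text):
    """Yield (line_no, network) for each data line of a geofeed file."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        prefix = line.split(",", 1)[0].strip()
        # strict=True raises ValueError when host bits are set (not a CIDR block)
        yield no, ipaddress.ip_network(prefix, strict=True)

def uncovered(inetnum, geofeed_text):
    """Return (line_no, prefix) for entries outside the inetnum: range."""
    first, last = parse_inetnum(inetnum)
    bad = []
    for no, net in geofeed_prefixes(geofeed_text):
        inside = (net.version == first.version
                  and first <= net[0] and net[-1] <= last)
        if not inside:
            bad.append((no, str(net)))
    return bad

if __name__ == "__main__":
    for no, net in uncovered(INETNUM, GEOFEED):
        print(f"line {no}: {net} is not covered by inetnum: {INETNUM}")
```

Comparing first and last addresses directly avoids having to decompose the non-CIDR range into prefixes before testing coverage.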
