On Fri, May 21, 2021 at 03:12:21PM -0700, Randy Bush wrote:
> > If we're going with "[#RPKI Signature] address range MUST match [inetnum:
> > followed to get here]", then there are probably a couple places that still
> > talk about "covered by" that should catch up.
> 
> don't find any
> 
> what i did find is that i forgot to remove
> 
>          The address range of the signing certificate MUST cover all
> -        prefixes in the geofeed file it signs; and therefore must be
> -        covered by the range of the inetnum:.
> +        prefixes in the geofeed file it signs.
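
Review bot: with the trailing "; and therefore must be covered by the range of the inetnum:" removed, the sentence now states only that the signing certificate's range covers the geofeed prefixes and says nothing about how that range relates to the inetnum: that was followed to reach the file. Since the surrounding discussion settles on that range having to match the inetnum: followed to get there, state that relation in this sentence (or directly after it), so "cover" and "match" are not left for the reader to reconcile.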

ok.

It looks like the thing in the diff that stuck out at me is actually for
the unsigned case, and "covered by" is (AFAICT) the right semantics for
that situation.
 
> > We may also need to look more closely at the bits after "# RPKI
> > Signature".  The example uses a CIDR range, but IIRC inetnum: ranges
> > are not limited to CIDR blocks, which would mean we need a story for
> > how to handle non-CIDR blocks.
> 
> ranges are well-defined in rpki, inetnum:, etc.  8805 entries must be
> cidr.
> 
> that an inetnum: or rpki cert range must cover geofeed file prefixes
> seems pretty clear.  but i have tweaked wording a bit.  i can push my
> emacs buffer to id repo, but will wait a bit for other comments.

I guess I dallied too long and this became the -15.

Having slept it over, I think the "IP address range [of "# RPKI
Signature:"/"# End Signature"] must match the inetnum: URL followed to get
to the file" is a good choice and helps identify the intended semantics
(though, of course, is not itself covered by the signature).

I think we still need to update the example to show how to represent a
non-CIDR range, though.  (I think, from the previous discussion, we wanted
the "RPKI Signature" line to have a starting address and the "End
Signature" line to have an ending address, but could be misremembering.)


Otherwise, looking at the diff from -12 to -15
(https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-finding-geofeeds-15&url1=draft-ietf-opsawg-finding-geofeeds-12),
I see that we now say "The IETF standardized RPSL in [RFC2725] and
[RFC4012]", but 2622 might actually be the right reference there, even if
we do need 2725 later for "inetnum:" itself.

The other changes look good.

Thanks,

Ben

P.S. I am impressed by the (apparent) automation to re-generate the
certificate (and example) at the time of building the document!

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
