At 12:57 PM +1000 7/11/07, Robert Loomans wrote:
In section 3 "ROA Validation":

   4. Verify that the EE certificate has an IP Address Delegation
      extension [RFC3779] and that the IP address prefix(es) in that
      extension exactly matches the IP address prefix(es) in the ROA.

I assume this does not require that the encoding match.
If it did, it would conflict with RFC3779 which requires the minimal
encoding.

E.g., a ROA could have two prefixes, say 11.0.0.0/8 and 12.0.0.0/8,
encoded as two IPAddress fields, whereas RFC3779 would dictate that they
would be encoded as a range 11.0.0.0-12.255.255.255.

Rob

Rob,
You are correct; the term "exactly" is a bit misleading here. The
3779 encoding is different because it is mandated to be minimal. We
should add text to clarify that point, and maybe we should include
your example to illustrate what one must do to effect the comparison.
There is also a divergence from 3779 because 3779 accommodates
ranges, whereas ROAs accommodate only prefixes, since BGP deals with
prefixes but not ranges.
Steve
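
One way to effect the comparison discussed in this thread, as an added example that is not part of either message or of the draft: reduce both the ROA prefixes and the certificate's RFC 3779 resources to the same canonical prefix list, then compare. The function names and the input shapes (prefix strings, and `(first, last)` tuples standing in for an address range) are assumptions made for the example.

```python
import ipaddress


def canonical(items):
    """Return the unique minimal list of CIDR blocks covering `items`.

    Each item is a prefix string ("11.0.0.0/8") or a (first, last) tuple
    of address strings standing in for an RFC 3779 address range
    (hypothetical input shape chosen for this example).
    """
    nets = []
    for item in items:
        if isinstance(item, tuple):
            first, last = (ipaddress.ip_address(a) for a in item)
            # A range is rewritten as the prefixes that cover exactly it.
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            # strict=True rejects prefixes with host bits set.
            nets.append(ipaddress.ip_network(item, strict=True))
    out = []
    # collapse_addresses() refuses mixed families, so handle v4 and v6 apart.
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(family))
    return out


def roa_matches_ee(roa_prefixes, ee_resources):
    """True when both sides describe the same address space,
    regardless of how either side was encoded."""
    return canonical(roa_prefixes) == canonical(ee_resources)


if __name__ == "__main__":
    # Constructed inputs: the example from the thread.
    roa = ["11.0.0.0/8", "12.0.0.0/8"]
    ee = [("11.0.0.0", "12.255.255.255")]
    print(roa_matches_ee(roa, ee))
    # Two sibling prefixes in the ROA, one merged prefix in the certificate.
    print(roa_matches_ee(["10.0.0.0/8", "11.0.0.0/8"], ["10.0.0.0/7"]))
    # The certificate covers more than the ROA lists.
    print(roa_matches_ee(["11.0.0.0/8"], ee))
```
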