At Thu, 17 Jul 2008 06:58:34 +1000, Geoff Huston wrote:
> 
> > Perhaps, but the definition would likely be hard to get right and
> > harder to implement.  The only real definition I can think of would
> > involve computing the union of the set of prefixes expressed by each
> > prefix-maxLength pair, then attempting to compute some kind of minimal
> > expression of that set.  This also begs the question of whether it's
> > an error to specify a redundant set of prefix-maxLength pairs.
> 
> Well the middle of that paragraph is an algorithm, to be sure, but is it
> the same as the specification of a "canonical form"?

Almost certainly not, since the whole point of the maxLength parameter
in the ASN.1 is to avoid having to specify the full expansion of the
set of prefixes in the ROA.

> To put it in a slightly different way, what I was wondering was: is there a
> means of specifying this "minimal expression" you refer to?

Aye, that is the question.  I've tried to specify an algorithm for
this twice already, and failed both times.  I have a third approach in
mind as I type this, dunno yet whether it'll work, and I haven't even
gotten to the point of trying to optimize this.  I'm not saying this
can't be done, but it's significantly harder than figuring out whether
a ROA covers a particular prefix or figuring out what RFC 3779
resources a certificate must contain to cover a ROA.

> My question was motivated by working through some interface issues in
> terms of tools to manage ROAs, and the concepts of comparison operators
> and equivalence came up. I was wondering how to compare the address part
> of ROAs for equivalence and from this I was led to the question of
> canonical representations, since at some point you either have to fully 
> expand (this could be potentially yicky - 10.0.0.0/8-24 would be a relatively
> large set I guess) or fully compress the ROA into some "canonical form" in 
> order to undertake the comparison operation.

As Jeff and the other Robs have been discussing, there's some question
of whether one actually needs an equivalence operation; more
precisely, whether one needs an efficient equivalence operation.

Absent somebody being very clever, either the ROA producer or the ROA
consumer will have to perform the icky expansion, whether to generate
the canonical form or to do the comparison.  If equivalence tests are
an operation that we expect consumers to need to do frequently, it
makes sense for the producer to do the work of generating a canonical
form.  But it's far from clear to me that ROA equivalence per se is an
important operation for the consumer.  If most consumers don't care,
perhaps we should leave the work to the few consumers that do care.
_______________________________________________
Sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
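The two operations contrasted in the message above, as an added illustration that is not part of the thread or of any RPKI tool: the cheap check of whether a ROA's address part covers a given prefix, the size of the full expansion that makes "10.0.0.0/8-24" icky (computed without materialising it), and brute-force equivalence by expanding both sides into sets. The function and type names (`parse_entry`, `covers`, `entry_expansion_size`, `expand`, `equivalent`) are my own, and the textual "prefix/len-maxLength" form is only a convenience for the example, not the ASN.1 encoding.

```python
import ipaddress
from typing import Iterator, List, Tuple

# One prefix-maxLength pair from a ROA's address part. The helper names in this
# file are illustrative (mine), not names from the ASN.1 or from any RPKI tool.
RoaEntry = Tuple[ipaddress.IPv4Network, int]


def parse_entry(text: str) -> RoaEntry:
    """Parse 'prefix/len-maxLength' (e.g. '10.0.0.0/8-24').
    A bare 'prefix/len' means maxLength equals the prefix length."""
    prefix_text, _, max_text = text.partition("-")
    net = ipaddress.ip_network(prefix_text, strict=True)
    max_len = int(max_text) if max_text else net.prefixlen
    # A maxLength shorter than the prefix, or longer than the address, is malformed.
    if not net.prefixlen <= max_len <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_len} out of range for {net}")
    return net, max_len


def parse_roa(texts: List[str]) -> List[RoaEntry]:
    """The address part of one ROA: a list of prefix-maxLength pairs."""
    return [parse_entry(t) for t in texts]


def covers(entries: List[RoaEntry], prefix: ipaddress.IPv4Network) -> bool:
    """The easy operation: does the ROA's address part cover `prefix`?
    A pair (p, m) covers q iff q lies inside p and len(p) <= len(q) <= m."""
    return any(prefix.subnet_of(net) and net.prefixlen <= prefix.prefixlen <= m
               for net, m in entries)


def entry_expansion_size(entry: RoaEntry) -> int:
    """How many distinct prefixes one pair stands for, without listing them:
    2^(l - len(p)) prefixes of each length l from len(p) up to maxLength."""
    net, max_len = entry
    return sum(1 << (l - net.prefixlen) for l in range(net.prefixlen, max_len + 1))


def expand(entries: List[RoaEntry]) -> Iterator[ipaddress.IPv4Network]:
    """The full expansion: every prefix any pair covers.
    Pairs may overlap, so the same prefix can be yielded more than once."""
    for net, max_len in entries:
        for length in range(net.prefixlen, max_len + 1):
            if length == net.prefixlen:
                yield net
            else:
                yield from net.subnets(new_prefix=length)


def equivalent(a: List[RoaEntry], b: List[RoaEntry]) -> bool:
    """Brute-force equivalence: compare the unions of both expansions as sets.
    Correct, but the cost is the expansion size, which is exactly the problem
    the thread is worried about; a redundant pair changes nothing here."""
    return set(expand(a)) == set(expand(b))


if __name__ == "__main__":
    roa = parse_roa(["10.0.0.0/8-24"])
    print(covers(roa, ipaddress.ip_network("10.1.0.0/16")))
    print(entry_expansion_size(roa[0]))
```

Run on the thread's own example, `entry_expansion_size` reports 131071 prefixes for 10.0.0.0/8-24 (2^0 + ... + 2^16), which is the set a consumer would have to build for a set-based comparison, while `covers` answers a coverage question with one subnet test per pair.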