On Dec 11, 2008, at 4:54 PM, Stephen Kent wrote:
If two RIRs claim to be authoritative for the same address block,
and if they both allocate that block to lower tier entities (e.g.,
ISPs), then certs and ROAs issued by those entities will be validated
by RP software using the default TA set. Note, though, that an
equivalent problem can arise if one RIR accidentally allocates the
same block to two ISPs. We can't reliably detect and automatically
reject this, because when address space transfers are in process,
they look the same (in terms of RPKI objects).
Yes, it would be preferable if we had a way to detect inter-RIR
conflicts when they represent errors. There is at least one
possible solution to this, even if both IANA and the RIRs are
represented as "default" or "nominal" trust anchors, but it would be
cleaner if IANA was the sole TA.
Steve

Steve,
I want to be sure I understand this. The double allocation conflict
can originate from anywhere in the tree, even from the root, right?
So this conflict is only tangential to the nature of the trust
anchor(s)?
-andy
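
The double-allocation case discussed in this thread, as an added example that is not part of the original messages: a simplified resource-containment check under which ROAs from both branches validate, plus an overlap scan across branches. The certificate names, prefixes and AS numbers are constructed sample data, and the validation model is a simplification of real RPKI path validation.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (hypothetical names): two trust anchors both claim
# 192.0.2.0/24 and each allocates it to a different ISP.
CERTS = {
    "TA-RIR-A": {"issuer": None, "resources": ["192.0.2.0/24", "198.51.100.0/24"]},
    "TA-RIR-B": {"issuer": None, "resources": ["192.0.2.0/24", "203.0.113.0/24"]},
    "ISP-1": {"issuer": "TA-RIR-A", "resources": ["192.0.2.0/24"]},
    "ISP-2": {"issuer": "TA-RIR-B", "resources": ["192.0.2.0/24"]},
}
ROAS = [
    {"signer": "ISP-1", "prefix": "192.0.2.0/24", "asn": 64500},
    {"signer": "ISP-2", "prefix": "192.0.2.0/24", "asn": 64501},
]

def covers(resources, prefix):
    """True if prefix lies inside one of the listed resource blocks."""
    p = ipaddress.ip_network(prefix)
    return any(p.subnet_of(ipaddress.ip_network(r)) for r in resources)

def ancestors(name, certs):
    """Issuer chain from a cert up to its trust anchor."""
    chain = []
    while certs[name]["issuer"] is not None:
        name = certs[name]["issuer"]
        chain.append(name)
    return chain

def roa_valid(roa, certs):
    """Each cert's resources must be held by its issuer, up to a TA."""
    path = [roa["signer"]] + ancestors(roa["signer"], certs)
    nested = all(covers(certs[parent]["resources"], r)
                 for child, parent in zip(path, path[1:])
                 for r in certs[child]["resources"])
    return nested and covers(certs[roa["signer"]]["resources"], roa["prefix"])

def overlapping_holders(certs):
    """Pairs of certs on different branches that hold overlapping space."""
    hits = []
    for a, b in combinations(sorted(certs), 2):
        if a in ancestors(b, certs) or b in ancestors(a, certs):
            continue  # parent/child overlap is expected
        for ra in certs[a]["resources"]:
            for rb in certs[b]["resources"]:
                if ipaddress.ip_network(ra).overlaps(ipaddress.ip_network(rb)):
                    hits.append((a, b, ra))
    return hits
```

Both ROAs pass `roa_valid`, while `overlapping_holders` reports the shared block; the scan would report the same thing for a transfer in progress, so it can only raise the overlap for review, not reject it.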