On Dec 12, 2008, at 1:53 PM, Stephen Kent wrote:
> At 2:37 PM -0500 12/12/08, Andrew Newton wrote:
>> The double allocation conflict can originate from anywhere in the
>> tree, even from the root, right? So this conflict is only
>> tangential to the nature of the trust anchor(s)?
>
> Yes, that's right.

Sorry, I'm a bit confused, but perhaps that's because I misunderstood
the original issue. My reading of the issue in question is:

Assume you as an RP have accepted TAs 1 through 6 to certify blocks of
address space they allocate and (say) TA 2 decides to certify the same
block as TA 3. This seems fundamentally different to me than 'further
down the tree', i.e., either ISP X doubly allocating a block to two
customers or ISP X and ISP Y receiving the same allocation. In both
of the 'further down the tree' cases, there is a parent that can
'adjudicate' the conflict either via the chain of trust defined by the
RPKI or via contractual relationships. In the case of multiple TAs
certifying the same block, no such parent exists and the RP gets a
choice: either accept the fact that a block has been allocated to
multiple entities and deal with it (somehow), figure out which of the
assertions to believe from which TA, or stop believing one of the
TAs. None of these seem particularly appealing.

If I didn't misunderstand the issue, this seems like a potentially
serious problem, particularly if the TAs have difficulty
working/playing well together (perish the thought) and/or turn out to
be competitors in the fullness of time.

Did I misunderstand?

Regards,
-drc
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
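
The distinction drawn in the message above, between a double allocation with a common parent and one made by two trust anchors, can be checked mechanically by a relying party. The following is an added example, not part of the original thread or of any RPKI software; the certificate names, the tuple layout and the documentation prefixes are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample: (certificate, issuer or None for a trust anchor, prefixes).
CERTS = [
    ("TA2", None, ["192.0.2.0/24", "198.51.100.0/24"]),
    ("TA3", None, ["198.51.100.0/24", "203.0.113.0/24"]),
    ("ISP-X", "TA2", ["192.0.2.0/24"]),
    ("Cust-A", "ISP-X", ["192.0.2.0/25"]),
    ("Cust-B", "ISP-X", ["192.0.2.0/25"]),
]

def chain(name, issuer_of):
    """Return [name, its issuer, ...] up to and including the trust anchor."""
    path = []
    while name is not None:
        path.append(name)
        name = issuer_of[name]
    return path

def find_conflicts(certs):
    """List (a, b, overlapping prefixes, common parent or None) per conflict."""
    issuer_of = {name: issuer for name, issuer, _ in certs}
    nets = {name: [ipaddress.ip_network(p) for p in prefixes]
            for name, _, prefixes in certs}
    conflicts = []
    for a, b in combinations(nets, 2):
        path_a, path_b = chain(a, issuer_of), chain(b, issuer_of)
        if a in path_b or b in path_a:
            continue  # ancestor and descendant: a sub-allocation, not a conflict
        shared = sorted({
            str(x if x.prefixlen >= y.prefixlen else y)  # more specific prefix
            for x in nets[a] for y in nets[b]
            if x.version == y.version and x.overlaps(y)
        })
        if shared:
            # Nearest certificate on both chains; None means separate TA trees.
            common = next((n for n in path_a if n in path_b), None)
            conflicts.append((a, b, shared, common))
    return conflicts

if __name__ == "__main__":
    for a, b, shared, parent in find_conflicts(CERTS):
        verdict = f"adjudicated by {parent}" if parent else "no common parent"
        print(f"{a} vs {b}: {', '.join(shared)} -> {verdict}")
```

A conflict reported with no common parent is the multiple-TA case: nothing in the certificate hierarchy tells the RP which assertion to prefer.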