At 3:02 PM -0800 12/12/08, David Conrad wrote:
> On Dec 12, 2008, at 1:53 PM, Stephen Kent wrote:
> > At 2:37 PM -0500 12/12/08, Andrew Newton wrote:
> > > The double allocation conflict can originate from anywhere in the
> > > tree, even from the root, right? So this conflict is only
> > > tangential to the nature of the trust anchor(s)?
> > Yes, that's right.
> Sorry, I'm a bit confused, but perhaps that's because I
> misunderstood the original issue. My reading of the issue in
> question is:
> Assume you as an RP have accepted TAs 1 through 6 to certify blocks
> of address space they allocate and (say) TA 2 decides to certify the
> same block as TA 3. This seems fundamentally different to me than
> 'further down the tree', i.e., either ISP X doubly allocating a
> block to two customers or ISP X and ISP Y receiving the same
> allocation. In both of the 'further down the tree' cases, there is
> a parent that can 'adjudicate' the conflict either via the chain of
> trust defined by the RPKI or via contractual relationships. In the
> case of multiple TAs certifying the same block, no such parent
> exists and the RP gets a choice: either accept the fact that a block
> has been allocated to multiple entities and deal with it (somehow),
> figure out which of the assertions to believe from which TA, or stop
> believing one of the TAs. None of these seem particularly appealing.
> If I didn't misunderstand the issue, this seems like a potentially
> serious problem, particularly if the TAs have difficulty
> working/playing well together (perish the thought) and/or turn out
> to be competitors in the fullness of time.
> Did I misunderstand?
> Regards,
> -drc
David,
You are correct that in the case of a duplicate allocation by any
entity farther down the tree, there is a single entity (the CA in
question) that can resolve the conflict. However, from the
perspective of relying party software, the problem is the same, i.e.,
the conflicting assertions (certs and ROAs) both validate. I thought
that was the focus of the question.
As you note, if two RIRs issue conflicting certs, and both are TAs,
then the out-of-band resolution of the conflict requires cooperation
across organizational boundaries. If the community agrees that
records maintained by IANA re allocation of address blocks to RIRs
are the preferred way to avoid/resolve such conflicts, then certs
issued by IANA to the RIRs, reflecting such allocations, would
provide a solution (at least from the RP software perspective). Note
that such certs could be issued by IANA even if each RIR is a
"default" TA, and used by RP software as an independent check on the
consistency of the RPKI TA certs issued by RIRs to themselves.
Steve
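The two situations Kent contrasts above (a duplicate under one CA, which that CA can fix, versus two TAs certifying the same block, where an IANA allocation record is the only independent check) as a toy relying-party model. This is an added example, not code from the thread, from any RPKI validator or from the sidr working group. Every name, prefix and the IANA table are constructed; certificates are plain records with no signatures, and the only validation rule enforced is RFC 3779 resource containment along the chain to a trust anchor.

```python
"""Toy RPKI relying party: both conflicting chains validate, so the RP
needs an out-of-band record (here an IANA-style RIR allocation table)
to adjudicate cross-TA overlaps. Constructed example, not real data."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str                       # equals subject for a self-signed TA
    prefixes: Tuple[IPv4Network, ...]


def covered(child: IPv4Network, parent_prefixes) -> bool:
    """RFC 3779 containment: a child's block must lie inside an issuer block."""
    return any(child.subnet_of(p) for p in parent_prefixes)


def validate(cert: Cert, by_subject: Dict[str, Cert], tas: Set[str]) -> Optional[str]:
    """Walk cert -> issuer -> ... -> TA. Return the TA's name if every hop
    satisfies containment and ends at an accepted TA, else None."""
    seen: Set[str] = set()
    cur = cert
    while True:
        if cur.subject in seen:
            return None                      # issuer loop, never a TA
        seen.add(cur.subject)
        if cur.issuer == cur.subject:
            return cur.subject if cur.subject in tas else None
        parent = by_subject.get(cur.issuer)
        if parent is None or not all(covered(p, parent.prefixes) for p in cur.prefixes):
            return None
        cur = parent


def find_conflicts(leaves: List[Cert], by_subject, tas):
    """Pairs of *validated* leaves whose prefixes overlap. Signature and
    containment checks pass on both sides, which is the RP's dilemma."""
    valid = []
    for c in leaves:
        ta = validate(c, by_subject, tas)
        if ta is not None:
            valid.append((c, ta))
    out = []
    for i, (a, ta_a) in enumerate(valid):
        for b, ta_b in valid[i + 1:]:
            for pa in a.prefixes:
                for pb in b.prefixes:
                    if pa.overlaps(pb):
                        out.append((a.subject, ta_a, pa, b.subject, ta_b, pb))
    return out


def adjudicate(conflict, iana: Dict[str, Tuple[IPv4Network, ...]]) -> Optional[str]:
    """Kent's independent check: the TA whose claim agrees with IANA's
    RIR allocation record is believed. Returns that TA's name, or None
    when the record cannot settle it (same TA on both sides, so that CA
    must fix it itself; or neither/both claims match IANA)."""
    _, ta_a, pa, _, ta_b, pb = conflict
    if ta_a == ta_b:
        return None
    ok_a = covered(pa, iana.get(ta_a, ()))
    ok_b = covered(pb, iana.get(ta_b, ()))
    if ok_a != ok_b:
        return ta_a if ok_a else ta_b
    return None


def sample_world():
    """Constructed data (hypothetical names and blocks): RIR-B has certified
    a block IANA's table assigns to RIR-A, and has also double-issued a
    block of its own to two customers."""
    n = ip_network
    certs = [
        Cert("RIR-A", "RIR-A", (n("10.0.0.0/8"),)),
        Cert("RIR-B", "RIR-B", (n("172.16.0.0/12"), n("10.128.0.0/9"))),
        Cert("ISP-X", "RIR-A", (n("10.128.0.0/16"),)),
        Cert("ISP-Y", "RIR-B", (n("10.128.0.0/16"),)),   # cross-TA conflict
        Cert("ISP-Z", "RIR-B", (n("172.16.0.0/16"),)),
        Cert("ISP-V", "RIR-B", (n("172.16.0.0/16"),)),   # intra-TA duplicate
        Cert("ISP-W", "ISP-X", (n("10.1.0.0/16"),)),     # fails containment
    ]
    tas = {"RIR-A", "RIR-B"}
    iana = {"RIR-A": (n("10.0.0.0/8"),), "RIR-B": (n("172.16.0.0/12"),)}
    return certs, tas, iana


def run():
    """(holder_a, holder_b, overlapping prefix, TA to believe or None)."""
    certs, tas, iana = sample_world()
    by_subject = {c.subject: c for c in certs}
    leaves = [c for c in certs if c.subject not in tas]
    return [(c[0], c[3], str(c[2]), adjudicate(c, iana))
            for c in find_conflicts(leaves, by_subject, tas)]


if __name__ == "__main__":
    for row in run():
        print(row)
```

The ISP-X/ISP-Y overlap is settled by the IANA table (RIR-A holds 10.0.0.0/8), while the ISP-Z/ISP-V duplicate under RIR-B comes back with no answer, matching the point that only the issuing CA can resolve an intra-tree double allocation. ISP-W never appears because its chain already fails containment; the conflicts of interest are exactly the ones that pass every cryptographic and structural check.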
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr