hannes,

you raised two issues:

  o versioning, protocol upgrade, ...  i will open that can of worms up
    in another message

  o what to do when the router receives a duplicate ipvx prefix.  the
    relevant text from 5.5 says

        In the RPKI, nothing prevents a signing certificate from issuing two
        identical ROAs, and nothing prohibits the existence of two identical
        route: or route6: objects in the IRR.  In this case there would be no
        semantic difference between the objects, merely a process redundancy.

        In the RPKI, there is also an actual need for what might appear to a
        router as identical IPvX PDUs.  This can occur when an upstream
        certificate is being reissued or there is an address ownership
        transfer up the validation chain.  The ROA would be identical in the
        router sense, i.e. have the same {prefix, len, max-len, asn}, but a
        different validation path in the RPKI.  This is important to the
        RPKI, but not to the router.

        The cache server is responsible for assuring that it has told the
        router client to have one and only one IPvX PDU for a unique {prefix,
        len, max-len, asn} at any one point in time.  Should the router
        client receive an IPvX PDU with a {prefix, len, max-len, asn}
        identical to one it already has active, it SHOULD raise a Duplicate
        Announcement Received error.

i.e. in the rpki world, duplicates make sense and are allowed.  on the
router, they do not make sense.  hence the cache is formally responsible
for that boundary, and must not send dupes to the router.

this was meant to clearly state that, if the router receives a
duplicate, then either
  o the cache is broken because it must not send dupes, or
  o the router's data for that cache are incorrect, and it is not
    really a dupe.

in either case, something is very broken.  in this protocol, unlike bgp,
when things are very broken, drop the session.  unlike bgp, the router
has other sessions with similar data, other caches available to it, ...

perhaps the next version should be even more explicit

   The cache server MUST ensure that it has told the router client to
   have one and only one IPvX PDU for a unique {prefix, len, max-len,
   asn} at any one point in time.  Should the router client receive an
   IPvX PDU with a {prefix, len, max-len, asn} identical to one it
   already has active, it SHOULD raise a Duplicate Announcement Received
   error.

randy
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
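
The duplicate check described in the message above, sketched as an added example; it is not part of the original e-mail or of any router's or cache's code. Assumptions: the IPv4 Prefix PDU layout and the error codes 6 and 7 are taken from RFC 6810 as published, and the names `CacheSession`, `SessionFatal` and `build_ipv4_pdu` are hypothetical.

```python
import ipaddress
import struct

# Assumption: layout and codes follow RFC 6810 as published; the draft
# under discussion in this thread may have differed.
IPV4_PREFIX_PDU = 4
ERR_WITHDRAW_UNKNOWN = 6
ERR_DUPLICATE_ANNOUNCE = 7
FLAG_ANNOUNCE = 0x01
PDU_FMT = "!BBHIBBBB4sI"  # 20 bytes, network byte order


class SessionFatal(Exception):
    """Router must send an Error Report with this code and drop the session."""
    def __init__(self, code, pdu):
        super().__init__(f"fatal RTR error {code}")
        self.code, self.pdu = code, pdu


def build_ipv4_pdu(prefix, max_len, asn, announce=True):
    """Constructed sample input: encode one IPv4 Prefix PDU."""
    net = ipaddress.ip_network(prefix)
    return struct.pack(PDU_FMT, 0, IPV4_PREFIX_PDU, 0, 20,
                       FLAG_ANNOUNCE if announce else 0,
                       net.prefixlen, max_len, 0,
                       net.network_address.packed, asn)


class CacheSession:
    """Router-side state for ONE cache: active {prefix, len, max-len, asn}."""
    def __init__(self):
        self.active = set()

    def handle(self, pdu):
        (_ver, ptype, _zero, length, flags, plen, max_len, _zero2,
         addr, asn) = struct.unpack(PDU_FMT, pdu)
        if ptype != IPV4_PREFIX_PDU or length != 20:
            raise ValueError("not an IPv4 Prefix PDU")
        key = (addr, plen, max_len, asn)
        if flags & FLAG_ANNOUNCE:
            if key in self.active:
                # Either the cache sent a dupe or our copy of its data is wrong.
                raise SessionFatal(ERR_DUPLICATE_ANNOUNCE, pdu)
            self.active.add(key)
        else:
            if key not in self.active:
                raise SessionFatal(ERR_WITHDRAW_UNKNOWN, pdu)
            self.active.remove(key)
        return len(self.active)  # number of active records for this cache
```

State is kept per cache session, so the same tuple learned from a second cache is not a duplicate; only a repeat within one session is fatal to that session.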