Hi Doug,

On 10/08/2012, at 3:02 PM, Montgomery, Douglas wrote:

> On 8/10/12 12:36 AM, "Byron Ellacott" <[email protected]> wrote:
>
>> If C has taken some action, LEA triggered or otherwise, that means the
>> RPKI system no longer asserts that G's intent for packet delivery is
>> true, then merely allowing G to issue an RPKI assertion does not prevent
>> C from asserting whatever they like, too. If a LEA requires C to issue
>> an AS0 ROA 10.42.2.0/23, then creating an ASn ROA for the same prefix,
>> same maxLength will not ensure packets are delivered correctly.
>
> The way I understand
> http://tools.ietf.org/html/draft-ietf-sidr-pfx-validate-08, if there is a
> valid ROA that matches a route, and a valid AS0 ROA that also covers the
> route, the route will be considered VALID.
>
> AS0 ROAs don't "trump" other valid ROAs.

Substitute "ASm" for "AS0" in my example.

I believe you're right about AS 0. I was taking the first sentence of the Security Considerations of draft-ietf-idr-as0 [1] too literally; AS0 ROAs are not entirely equivalent to BOAs, after all :-)

(But this is sort of my point, the RPKI system's verification of right of use breaks down if you start certifying multiple people as having a simultaneous right to use resources :-)

Byron

[1] http://tools.ietf.org/html/draft-ietf-idr-as0
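The validation outcomes discussed in this message, as an added example that is not part of the original email: a Python sketch of the origin validation procedure from the cited draft-ietf-sidr-pfx-validate (later published as RFC 6811). The AS numbers 64500 (standing in for ASn) and 64501 (ASm), the extra prefixes and all helper names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """One validated ROA payload: prefix, maxLength, origin AS."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int

def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

def validate(route_prefix, origin_as, vrps):
    """Return 'valid', 'invalid' or 'notfound' for one announced route."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        # A VRP covers the route if the route is the same prefix or a more specific.
        if route.version != v.prefix.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # AS 0 never matches an origin; it only contributes "covered".
        if v.asn != 0 and v.asn == origin_as and route.prefixlen <= v.max_length:
            return "valid"  # one matching VRP is enough; others cannot override it
    return "invalid" if covered else "notfound"

# Constructed sample data (documentation AS numbers, prefix from the thread).
AS_N, AS_M, AS_OTHER = 64500, 64501, 64502
PFX = "10.42.2.0/23"
AS0_ONLY = [vrp(PFX, 23, 0)]
AS0_AND_ASN = [vrp(PFX, 23, 0), vrp(PFX, 23, AS_N)]
ASM_AND_ASN = [vrp(PFX, 23, AS_M), vrp(PFX, 23, AS_N)]

def scenarios():
    """Outcomes for the cases raised in the thread."""
    return {
        "AS0 ROA alone, route from ASn": validate(PFX, AS_N, AS0_ONLY),
        "AS0 + ASn ROAs, route from ASn": validate(PFX, AS_N, AS0_AND_ASN),
        "ASm + ASn ROAs, route from ASn": validate(PFX, AS_N, ASM_AND_ASN),
        "ASm + ASn ROAs, route from ASm": validate(PFX, AS_M, ASM_AND_ASN),
        "ASm + ASn ROAs, route from a third AS": validate(PFX, AS_OTHER, ASM_AND_ASN),
        "ASn ROA, /24 more specific than maxLength": validate("10.42.2.0/24", AS_N, AS0_AND_ASN),
        "no covering ROA": validate("192.0.2.0/24", AS_N, ASM_AND_ASN),
    }

if __name__ == "__main__":
    for case, state in scenarios().items():
        print(f"{state:9} {case}")
```

The ASm and ASn rows both come out valid, which is the simultaneous-right-of-use situation the message describes: a relying party sees two acceptable origins for the same prefix and cannot tell which one reflects the holder's intent.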
