The problem with a grandparent is that it cannot certify a grandchild
unless it has specific information about it; normally it would come from the
son/daughter.
I think the idea of the grandparent has good will, but I am not sure
that we are following the right path.
Regards,
as
On 10 Aug 2012, at 17:45, Murphy, Sandra wrote:
> speaking as regular ol' member
>
> This is a discussion of grandparenting, NOT a discussion of adoption of the
> grandparenting draft.
>
> There have been suggestions of several different actions a grandparent might
> do. Most of the comments so far focus on issuance of CA certificates to a
> grandchild. But there are other actions a grandparent might take.
>
> For example. One action already mentioned would be issuing ROAs for the
> grandchild, by the grandparent. That doesn't disturb the consistency with
> the allocation system. We have long discussed that providers might issue
> ROAs for RPKI-unprepared children. The RPKI structure allows for multiple
> ROAs for the same prefix (for multihoming) and for multiple ROAs for more
> specifics inside the same space signed by the same entity (e.g. for TE
> advertisements).
>
> For example. The grandparent could also host a CA service for the child.
> That's allowed and is currently practiced. Under that hosted CA service, the
> grandparent could issue a cert for the grandchild. The process controlling
> this would be a matter for the agreement about the hosting service.
>
> For example. The grandparent could issue a CA cert for the grandchild and
> reclaim that address space from the child by issuing new CA certs for the
> child that omit the reclaimed space. (For: it keeps allocation and RPKI
> consistent. Against: it fractures allocations and can produce routing table
> bloat.) I think I saw this in one message on the thread. How, when, where,
> why, with what proof or limitations - all that is out-of-band process and can
> vary per situation.
>
> For example. The grandparent could issue a ROA that it itself was allowed to
> originate the grandchild's address space, and forward traffic to the child
> with the expectation that the child will forward traffic to the grandchild.
> (This only works in cases where there is continued connectivity from child to
> grandchild.) There's no CA cert action there, so it doesn't disturb the
> consistency with the allocation system.
>
> I presume there are lots of others.
>
> Do we want to try to record the many possibilities? A complete list (ulp!)?
> Reasons for and against certain critical ones?
>
> --Sandy, speaking only as regular ol' member
>
>
> _______________________________________________
> sidr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sidr
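Added example, not part of the original messages: a small route origin validation check in the style of RFC 6811, showing how a grandparent-issued ROA for a more specific prefix coexists with the child's ROA, and the case where the grandparent authorizes its own AS to originate the grandchild's space. The prefixes, AS numbers and names (`VRP`, `validate`, `CHILD_ROA`, ...) are constructed for illustration from documentation ranges.

```python
import ipaddress
from typing import Iterable, NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload: what a relying party extracts from a ROA."""
    prefix: str
    max_len: int
    asn: int


def validate(route: str, origin: int, vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a (prefix, origin AS) pair."""
    net = ipaddress.ip_network(route)
    covered = False
    for v in vrps:
        vnet = ipaddress.ip_network(v.prefix)
        # A VRP covers the route if the route lies inside the VRP prefix.
        if vnet.version != net.version or not net.subnet_of(vnet):
            continue
        covered = True
        # A match also needs the right origin AS and a length within maxLength.
        if v.asn != 0 and v.asn == origin and net.prefixlen <= v.max_len:
            return "valid"
    # Covered by some ROA but matched by none: invalid, not merely unknown.
    return "invalid" if covered else "not-found"


# Constructed sample data (documentation prefixes and AS numbers).
GRANDPARENT_AS, CHILD_AS, GRANDCHILD_AS = 64496, 64497, 64498
GRANDCHILD_NET = "198.51.100.128/25"

CHILD_ROA = VRP("198.51.100.0/24", 24, CHILD_AS)            # child's own ROA
GP_ROA_FOR_GRANDCHILD = VRP(GRANDCHILD_NET, 25, GRANDCHILD_AS)  # issued by grandparent
GP_ROA_SELF = VRP(GRANDCHILD_NET, 25, GRANDPARENT_AS)       # grandparent originates


def scenarios() -> dict:
    both = [CHILD_ROA, GP_ROA_FOR_GRANDCHILD]
    return {
        "grandchild, only child ROA": validate(GRANDCHILD_NET, GRANDCHILD_AS, [CHILD_ROA]),
        "grandchild, grandparent ROA added": validate(GRANDCHILD_NET, GRANDCHILD_AS, both),
        "child aggregate, both ROAs": validate("198.51.100.0/24", CHILD_AS, both),
        "grandparent originates": validate(GRANDCHILD_NET, GRANDPARENT_AS, [CHILD_ROA, GP_ROA_SELF]),
    }


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name}: {state}")
```

None of these cases involves a CA certificate for the grandchild; only the set of ROAs seen by the relying party changes.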