speaking as regular ol' member:

wrt:

------
(But this is sort of my point, the RPKI system's verification of right of use breaks down if you start certifying multiple people as having a simultaneous right to use resources :-)
------

The CA certs assert the right to use resources. The ROAs assert authorization to originate routes. That's different.

There can be multiple ROAs for the same address space, so people can be multi-homed. (This could maybe also be useful in AS migration cases.)

I believe Doug Montgomery is right. By the algorithm for validating BGP routes, issuing one ROA does not "trump" other existing ROAs, and thereby make previously valid routes look invalid.

--Sandy, speaking as regular ol' member

________________________________________
From: [email protected] [[email protected]] on behalf of Byron Ellacott [[email protected]]
Sent: Friday, August 10, 2012 1:18 AM
To: Montgomery, Douglas
Cc: sidr wg
Subject: Re: [sidr] WG acceptance call for draft-ymbk-rpki-grandparenting

Hi Doug,

On 10/08/2012, at 3:02 PM, Montgomery, Douglas wrote:

> On 8/10/12 12:36 AM, "Byron Ellacott" <[email protected]> wrote:
>
>> If C has taken some action, LEA triggered or otherwise, that means the
>> RPKI system no longer asserts that G's intent for packet delivery is
>> true, then merely allowing G to issue an RPKI assertion does not prevent
>> C from asserting whatever they like, too. If a LEA requires C to issue
>> an AS0 ROA 10.42.2.0/23, then creating an ASn ROA for the same prefix,
>> same maxLength will not ensure packets are delivered correctly.
>
> The way I understand
> http://tools.ietf.org/html/draft-ietf-sidr-pfx-validate-08, if there is a
> valid ROA that matches a route, and a valid AS0 ROA that also covers the
> route, the route will be considered VALID.
>
> AS0 ROAs don't "trump" other valid ROAs.

Substitute "ASm" for "AS0" in my example.

I believe you're right about AS 0. I was taking the first sentence of the Security Considerations of draft-ietf-idr-as0 [1] too literally; AS0 ROAs are not entirely equivalent to BOAs, after all :-)

(But this is sort of my point, the RPKI system's verification of right of use breaks down if you start certifying multiple people as having a simultaneous right to use resources :-)

Byron

[1] http://tools.ietf.org/html/draft-ietf-idr-as0

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
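The origin validation algorithm Doug and Sandy refer to (draft-ietf-sidr-pfx-validate: Valid if any covering ROA matches prefix, maxLength and origin AS; Invalid if covered but nothing matches; NotFound if nothing covers), worked through for the thread's 10.42.2.0/23 case as an added example that is not part of any post. The ROA set and origin AS 64500 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ROA:
    prefix: str      # IP prefix the ROA authorizes, e.g. "10.42.2.0/23"
    max_length: int  # longest prefix length the holder may originate
    asn: int         # authorized origin AS; 0 means "nobody may originate"


def covers(roa: ROA, route_prefix: str) -> bool:
    """A ROA covers a route when the route prefix lies inside the ROA prefix."""
    rp = ipaddress.ip_network(route_prefix)
    rn = ipaddress.ip_network(roa.prefix)
    return rp.version == rn.version and rp.subnet_of(rn)


def matches(roa: ROA, route_prefix: str, origin_as: int) -> bool:
    """A ROA matches when it covers the route, the route is no longer than
    maxLength, and the route's origin AS equals the ROA's AS."""
    rp = ipaddress.ip_network(route_prefix)
    return (covers(roa, route_prefix)
            and rp.prefixlen <= roa.max_length
            and roa.asn == origin_as)


def validate(route_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Route origin validation outcome: "Valid", "Invalid" or "NotFound"."""
    covering = [r for r in roas if covers(r, route_prefix)]
    if not covering:
        return "NotFound"
    # One matching ROA suffices; an AS0 ROA can never match a real origin AS,
    # so it only makes routes Invalid when no other ROA matches them.
    if any(matches(r, route_prefix, origin_as) for r in covering):
        return "Valid"
    return "Invalid"


# Constructed scenario from the thread: C issued an AS0 ROA for 10.42.2.0/23,
# and G issued an AS64500 ROA for the same prefix and maxLength.
ROAS = [ROA("10.42.2.0/23", 23, 0), ROA("10.42.2.0/23", 23, 64500)]

if __name__ == "__main__":
    for prefix, asn in [("10.42.2.0/23", 64500), ("10.42.2.0/23", 64501),
                        ("10.42.2.0/24", 64500), ("192.0.2.0/24", 64500)]:
        print(prefix, "from AS", asn, "->", validate(prefix, asn, ROAS))
```

With both ROAs present the route from AS64500 is Valid, which is Doug's point; remove the AS64500 ROA and the AS0 ROA alone makes the same route Invalid.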
