On 8/10/12 5:38 PM, "Murphy, Sandra" <[email protected]> wrote:
>speaking as regular ol' member: > >wrt: >------ >(But this is sort of my point, the RPKI system's verification of right of >use breaks down if you start certifying multiple people as having a >simultaneous right to use resources :-) >------ > >The CA certs assert the right to use resources. The ROAs assert >authorization to originate routes. That's different. > >There can be multiple ROAs for the same address space, so people can be >multi-homed. (This could maybe also be useful in AS migration cases.) > >I believe Doug Montgomery is right. By the algorithm for validating BGP >routes, issuing one ROA does not "trump" other existing ROAs, and thereby >make previously valid routes look invalid. Certainly that is the way the the origin validation algorithm works. But as I noted before, there is text in idr-as0 and RFC6491 that *might* lead one to believe AS0 ROAs have "special powers". Some additional text, maybe in prefix-validate, to explicitly note the multiple matching ROA situation might be useful. As for grandfathering ... We seem to struggle without a clear, and/or shared technical definition of "right to use". Personally, when an ISP is allocated a block to use for customer assignment, in my mind it has the "right to use that block" (in the common language sense). Even if sub-blocks are assigned to customers. The ISP might sign other types of objects with EE certs from the aggregate block CA. As Sandy notes, right to use is a different concept than route origination authorization. If we are careful to keep those concepts distinct in the conversation ... It will help. dougm > _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
