I went through your -01 draft and the SIDR presentation slides from last week once again, and have the following questions:

(1) An update with prefix-origin pair {5.0.0.0/24, AS64511} is received.
There is a ROA: {5.0.0.0/22, maxLength = 24; AS64511} in the RPKI.
However, it is signed using a certificate that is “valid” only for resource {5.0.0.0/24}.
In this case, is it the intent of your alternate validation model to ascertain that the above ROA is partially valid, and accordingly prefix-origin pair {5.0.0.0/24, AS64511} is “Valid”?

(2) Let us say there is a ROA: {1.0.0.0/24, 2.0.0.0/22, 3.0.0.0/20; AS64500} in the RPKI.
But this ROA is signed using a certificate that is “valid” only for resources {1.0.0.0/24, 3.0.0.0/20}, which is a subset of the prefixes listed in the ROA.
In this case, is it the intent of your alternate validation model to ascertain that the above ROA is partially valid, and accordingly prefix-origin pairs {1.0.0.0/24, AS64500} and {3.0.0.0/20, AS64500} are “Valid”?

(3) On slide #18, do you need to require “Certificates 1 through n-1 are also “valid” according to this same criterion”? You are not validating them at this point.
You are only validating Certificate ‘n’ for *a given INR*.
Is it not enough to require that “the resources in the INR extension of Certificate x must subsume the given INR” for each x (individually); x=1, 2, 3, …, n?

Thanks.
Sriram
 



_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
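
An added example, not part of the message or the draft: the per-certificate check as worded in question (3), in Python, applied to the ROAs from questions (1) and (2). The certificate chains and function names are constructed assumptions; whether the results match the draft's intended model is what the questions ask.

```python
import ipaddress

def subsumes(resources, inr):
    """True if the prefixes of one INR extension (`resources`) cover `inr`."""
    inr = ipaddress.ip_network(inr)
    same_family = [n for n in map(ipaddress.ip_network, resources)
                   if n.version == inr.version]
    # Merge adjacent prefixes so joint coverage by several entries counts.
    merged = ipaddress.collapse_addresses(same_family)
    return any(inr.subnet_of(n) for n in merged)

def chain_covers(chain, inr):
    """Question (3) wording: certificate x subsumes the INR, for each x = 1..n."""
    return all(subsumes(cert, inr) for cert in chain)

def covered_roa_prefixes(roa_prefixes, chain):
    """ROA prefixes that pass chain_covers (the subset asked about in question (2))."""
    return [p for p in roa_prefixes if chain_covers(chain, p)]

# Constructed chains, trust anchor first, signing certificate last. The
# intermediate certificate is what limits the "valid" resources (assumption).
CHAIN_Q1 = [["5.0.0.0/8"], ["5.0.0.0/24"], ["5.0.0.0/22"]]
CHAIN_Q2 = [["0.0.0.0/0"],
            ["1.0.0.0/24", "3.0.0.0/20"],
            ["1.0.0.0/24", "2.0.0.0/22", "3.0.0.0/20"]]
ROA_Q2 = ["1.0.0.0/24", "2.0.0.0/22", "3.0.0.0/20"]

if __name__ == "__main__":
    # Question (1): the announced /24 passes, the ROA's own /22 does not.
    print(chain_covers(CHAIN_Q1, "5.0.0.0/24"), chain_covers(CHAIN_Q1, "5.0.0.0/22"))
    # Question (2): only the prefixes every certificate subsumes remain.
    print(covered_roa_prefixes(ROA_Q2, CHAIN_Q2))
```

In the question (1) data the ROA prefix 5.0.0.0/22 fails the check while the announced 5.0.0.0/24 passes, so the outcome depends on which of the two the model treats as "the given INR".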
