Carlos,
> It is weird that we even need to state here that we the five RIRs are not going to break things intentionally, but, yeah, LACNIC will not break things intentionally either.
I don't think anyone requested that each RIR pledge to not try to break the RPKI. I did ask that RIRs describe what measures they take to detect possible errors, prior to issuing certs that might cause subordinate CAs to fail 3779 validation criteria. I thought the replies from RIPE and APNIC were very encouraging.
Engineering for resiliency is as much a necessity as engineering for security. If the damage caused by the failures of the solution itself becomes worse than the damage caused by the problem, well, no one is going to deploy the solution.
Terry has reminded us that, even if such accidents occur, the world does not end, at least wrt origin validation. Thus, for the current set of SIDR RFCs, the damage that would occur is not nearly so great as some have suggested; until the error is fixed (which one would presume would be fairly quickly), origin validation would treat the affected routes as no worse than they are treated today.
Terry's message from 7/25 suggested that we revisit details of BGPSEC to see if we might want to address the concerns about errors in the RPKI in a more accommodating fashion. I think he has a good point. We are still working on BGPSEC and so we have the leeway to revisit details of this sort.
In the SIDR meeting last week Geoff cited a problem that relaxing the 3779 validation criteria was supposed to address (though not explicitly mentioned in his I-D): an operator who asserts that it holds an ASN, at odds with the RIR that is supposed to be authoritative for the assignment of that ASN. This case is illustrative of the concern I tried to raise in my comments to Tim, i.e., I worried that relaxing 3779 validation rules might encourage sloppiness in managing the RPKI, e.g., causing CAs to violate the CP by not maintaining the RPKI as a representation of their allocation databases. Geoff's example seems to suggest that my concern is warranted. Relaxing 3779 validation "fixes" the cited problem by making the deviation from the allocation hierarchy acceptable, at the expense of the CP.
Finally, the point I tried to make near the end of the session was that if we are worrying about errors by high-tier CAs that break certs (via 3779 validation), then that worry also should extend to errors that revoke certs. Relaxing 3779 validation rules will not help with that problem. The Suspenders proposal does address that, and a broader range of behaviors by CAs.
So while Suspenders may not be the answer, I believe that the current problem statement in draft-ietf-sidr-rpki-validation-reconsidered is way too narrow, as it fails to address the wider set of errors (or compelled behavior) by (high tier) CAs in the RPKI.
Steve
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
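The thread above contrasts strict RFC 3779 resource validation (a child cert claiming any resource its parent does not hold fails, taking its whole subtree with it) with the "validation reconsidered" approach (trim the child's resources to the intersection with the parent's and carry on), and Terry's point that under origin validation a broken subtree makes routes NotFound rather than Invalid. The following is an added example, not code from the thread, the draft, or any relying-party implementation. It models a constructed RIR -> LIR -> operator chain in which the operator cert claims ASN 65551 that its parent does not hold (Geoff's case), runs both validation policies over it, and shows the RFC 6811 outcome for the operator's routes. Simplifications, labeled in comments: ROAs are treated as issued directly under the operator CA cert rather than via an EE cert, and only IPv4 resources are modeled.

```python
"""Strict RFC 3779 vs. trim-to-intersection ("validation reconsidered")
resource validation on a constructed RPKI chain, plus RFC 6811 origin
validation of the resulting ROAs. Added example; not from the thread."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Cert:
    name: str
    prefixes: frozenset   # frozenset of IPv4Network
    asns: frozenset       # frozenset of int


@dataclass(frozen=True)
class Roa:
    prefix: Net
    asn: int
    max_length: int


def trim_prefixes(claimed, parent_verified):
    """Parts of `claimed` that lie within the parent's verified prefixes."""
    kept = set()
    for c in claimed:
        for p in parent_verified:
            if c.subnet_of(p):
                kept.add(c)
            elif p.subnet_of(c):      # parent holds only a piece of the claim
                kept.add(p)
    return kept


def validate_chain(chain, relaxed):
    """Walk a CA chain, trust anchor first.
    Returns {name: (status, verified_prefixes, verified_asns)}.
    relaxed=False -> RFC 3779: any overclaim invalidates the cert and its subtree.
    relaxed=True  -> verified set is the intersection; overclaim only warns."""
    ta = chain[0]
    results = {ta.name: ("valid", set(ta.prefixes), set(ta.asns))}
    vp, va = set(ta.prefixes), set(ta.asns)
    subtree_dead = False
    for cert in chain[1:]:
        if subtree_dead:
            results[cert.name] = ("invalid", set(), set())
            continue
        kp = trim_prefixes(cert.prefixes, vp)
        ka = set(cert.asns) & va
        overclaim = kp != set(cert.prefixes) or ka != set(cert.asns)
        if overclaim and not relaxed:
            results[cert.name] = ("invalid", set(), set())
            subtree_dead = True
            continue
        results[cert.name] = ("warning" if overclaim else "valid", kp, ka)
        vp, va = kp, ka
    return results


def accepted_roas(roas, issuer_result):
    """Simplification: a ROA is usable only if its issuing CA validated and the
    ROA's prefix and ASN fall inside that CA's verified resources."""
    status, vp, va = issuer_result
    if status == "invalid":
        return []
    return [r for r in roas
            if r.asn in va and any(r.prefix.subnet_of(p) for p in vp)]


def origin_validation(prefix, origin_as, roas):
    """RFC 6811: Valid / Invalid / NotFound for a (prefix, origin AS) route."""
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    matched = any(r.asn == origin_as and prefix.prefixlen <= r.max_length
                  for r in covering)
    return "Valid" if matched else "Invalid"


# Constructed hierarchy (documentation prefixes/ASNs; not real allocations).
RIR = Cert("rir", frozenset({Net("10.0.0.0/8")}), frozenset(range(64496, 64512)))
LIR = Cert("lir", frozenset({Net("10.1.0.0/16")}), frozenset({64500, 64501}))
# The operator asserts ASN 65551, which its parent never held.
OPERATOR = Cert("operator", frozenset({Net("10.1.2.0/24")}), frozenset({64500, 65551}))
OPERATOR_ROAS = [Roa(Net("10.1.2.0/24"), 64500, 24),
                 Roa(Net("10.1.2.0/24"), 65551, 24)]


def scenario(relaxed):
    """Returns (operator cert status, route status for AS64500, for AS65551)."""
    res = validate_chain([RIR, LIR, OPERATOR], relaxed)
    roas = accepted_roas(OPERATOR_ROAS, res["operator"])
    route = Net("10.1.2.0/24")
    return (res["operator"][0],
            origin_validation(route, 64500, roas),
            origin_validation(route, 65551, roas))


if __name__ == "__main__":
    print("strict 3779:", scenario(relaxed=False))   # whole subtree lost
    print("relaxed    :", scenario(relaxed=True))    # overclaim trimmed
```

Under strict rules the single bad ASN takes the operator's entire cert down and both routes fall back to NotFound, which is Terry's observation that the route is treated no worse than today. Under the relaxed policy the legitimate ROA survives and the overclaimed ASN is simply dropped, so the route originated by AS65551 becomes Invalid. The code also makes Steve's concern concrete: the relaxed result is obtained precisely by accepting a cert whose claimed resources no longer match what the parent's allocation database says.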