speaking as regular ol' member On Aug 8, 2014, at 11:39 AM, Andy Newton <[email protected]> wrote:
> > On Aug 6, 2014, at 11:44 AM, Stephen Kent <[email protected]> wrote: > > > The question was about why, in this effort, we are using 3779 validation > rules, and the answer appears to be because a past, failed effort used them. > Is there really no technical justification? > \ and previously On Aug 5, 2014, at 1:49 PM, Carlos M. Martinez <[email protected]> wrote: > Hello, > > I think what we need to discuss is which certificate validation rules > apply to our problem domain, basically securing origin and/or securing path. > > Current specs refer that RFC 3779 validation rules should be applied to > SIDR's problem domain. I couldnĀ“t find any justification for this, other > than 'RFC 3779 was already there by the time SIDR started'. The RPKI was intended to certify the rightful holder of a prefix. So it was designed to follow the current prefix allocation system. In the current prefix allocation system, you can only allocate prefixes that you hold. So the RPKI validation rules were designed to ensure that you can only certify allocations from what you are certified to hold. RFC3779 was also intended to follow the current prefix allocation system. No surprise, its validation rules ensure that you can only certify allocations from what you hold. That made RFC3779 useful for the purposes of providing a RPKI certification of prefix allocation. Reuse of existing technology that provides the features you want is generally considered wisdom. This prefix allocation system is encapsulated in the RPSL authorization model that is used in some RIRs. In those systems, you can only create an inetnum if you hold the rights to a parent inetnum. That's the authorization model people have been using in some regions for decades. I have always found the fact that the RPKI authorization model was a good match to the IRR authorization model in long use to be reassuring. It meant the RPKI followed what people had already long accepted, and it meant that operators should find the semantics familiar. --Sandy, speaking as regular ol' member
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
