Folks,
Here's a better description of Case 3. (Thanks go to David Mandelberg
for catching the problems with the previous version.)
Case 3:
Organization A is authorized to control the routing of traffic from
a set of organizations (within A's administrative control) to the
rest of the Internet. A wants to re-route traffic from these
organizations that is destined for a set of systems outside of A's
administrative control to a set of systems under its control, or to
have that traffic dropped. A accomplishes this by controlling the
UPDATES (for the routes to the addresses for those systems) that are
sent to those organizations. If these organizations use the RPKI, A
needs a way to ensure the information they obtain from the RPKI
supports A’s traffic management goals.
For example, Alice runs the network operations for a large
consortium C that operates AS Y. Her management requests that
traffic from C's members that is destined for a competitor's server
at address Q in AS X, be re-directed to one of C's servers in AS Y.
To do this, Alice assigns address Q to a server in AS Y and has AS Y
originate routes for address Q. Alice has to ensure that the RPKI
has the appropriate certificates, ROAs, etc. for these approved
routes, as well as for the rest of the Internet.
Karen
On 3/10/15 1:38 AM, Karen Seo wrote:
Randy et al.,
In hopes of restarting work on this draft, here is proposed text for
section 4. This is an attempt to integrate the original text with the
comments to the list submitted back in Feb 2014. My apologies if I've
misunderstood the original draft text or the comments. Does this
correctly and clearly describe the use cases?
4. Use Cases
Case 1:
Organization C finds that its CA certificate has been revoked (or
modified to remove resources) by the RIR (or ISP) that issued it.
Or, if C has outsourced its CA operations, C finds that one of its
children's certificates has been revoked (or modified to remove
resources). C disagrees with this action and would like relying
parties to be able to ignore, at their discretion, the certificate
revocation (or modification). The revocation or modification could be:
* unintentional, i.e., due to an error by RIR (or ISP) staff
* malicious, i.e., done with the intent to cause problems,
which could be aimed at C or some other entity.
* mandated by a law enforcement agency in the jurisdiction
where the RIR (or ISP) operates
For example, Carol, a RIPE resource holder (LIR, PI holder, ...),
is a victim of the "Dutch Court Attack." Someone has convinced a
Dutch court to force the RIPE/NCC to remove or modify some or all
of Carol's certificates, ROAs, etc. or the resources they
represent. However, the operational community wants to retain the
ability to route to Carol's network(s).
Case 2:
Organization B makes use of private address space (RFC 1918) or
address space allocated to another party but not globally
announced by that party or by B. B wants its routers to be able to
use RPKI data for both internal routing to these addresses and for
global routing.
Case 3:
Organization A is authorized to control the routing of traffic
from a set of organizations (within A's administrative control) to
the rest of the Internet. A wants traffic from these organizations
that is destined for a set of prefixes outside of A's
administrative control to be routed to other addresses, or to be
dropped. A accomplishes this by controlling the UPDATEs sent to
those organizations. Because these organizations use the RPKI, A
needs a way to coordinate their use of the RPKI in support of A’s
traffic management goals.
For example, Alice runs the network operations for a large
consortium X. Her management requests that traffic (from X's
members) that is destined for a competitor's site, be re-directed
to a site approved by X. To do this, Alice has to ensure that the
RPKI has the appropriate certificates, ROAs, etc. for those
approved addresses as well as for the rest of the Internet.
Thank you,
Karen
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr