On Wed, Feb 17, 2021 at 3:29 PM Randy Bush <ra...@psg.com> wrote:
>
> now that last call is over, it's time to make trouble by requesting to
> add a hack.  ggm, doc shepherd, has this idea about hierarchic signing
> which would affect this doc by adding
>
>    If an inetnum: A points to a geofeed file which is signed per
>    Section 4, then a geofeed file pointed to by inetnum: B which is
>    covered by A (i.e., B is for a more specific prefix of A) the
>    geofeed file pointed to by inetnum: B SHOULD also be signed.  If not,
>    then the consumer should be suspicious of data within the geofeed
>    file pointed to by B.
>
> to 5.  Operational Considerations
>
> would anyone care to comment, object, maybe even support?

I agree that this proposed addition seems to highlight and may address
a potential security issue.

But if a lookup process was interested in finding a geofeed for an IP
address within B, would it have any reason or automated means to
backtrack and look up knowledge of the signed geofeed for A?  Do
inetnum lookups return all superprefix inetnums as well?  (asking for
a friend)

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
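
The consumer-side check that the proposed text implies, as an added example that is not part of the thread or of the draft: given a set of inetnum records, find the covering (less specific) inetnums for a record and flag any unsigned geofeed reference that sits under a signed one. The record layout, the `signed` flag (assumed to be the result of validating the Section 4 signature elsewhere) and all sample data are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Inetnum:
    first: int
    last: int
    geofeed_url: str
    signed: bool  # assumption: outcome of Section 4 signature validation

    @classmethod
    def parse(cls, rng, url, signed):
        # inetnum: ranges are written "first - last"
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in rng.split("-"))
        return cls(lo, hi, url, signed)

    def covers(self, other):
        # True when self is a strictly less specific range containing other
        return (self.first <= other.first and other.last <= self.last
                and (self.first, self.last) != (other.first, other.last))

def most_specific(records, ip):
    """The inetnum a plain lookup for one address would normally return."""
    n = int(ipaddress.IPv4Address(ip))
    hits = [r for r in records if r.first <= n <= r.last]
    return min(hits, key=lambda r: r.last - r.first, default=None)

def covering(records, target):
    """All less specific inetnums for target, most specific first."""
    return sorted((r for r in records if r.covers(target)),
                  key=lambda r: r.last - r.first)

def suspicious(records):
    """Unsigned geofeed references covered by at least one signed inetnum."""
    return [r for r in records
            if not r.signed and any(p.signed for p in covering(records, r))]

# Constructed sample data: documentation prefixes and example.net URLs
RECORDS = [
    Inetnum.parse("198.51.100.0 - 198.51.100.255", "https://a.example.net/geofeed.csv", True),
    Inetnum.parse("198.51.100.128 - 198.51.100.255", "https://b.example.net/geofeed.csv", False),
    Inetnum.parse("203.0.113.0 - 203.0.113.255", "https://c.example.net/geofeed.csv", False),
    Inetnum.parse("203.0.113.0 - 203.0.113.63", "https://d.example.net/geofeed.csv", False),
]

if __name__ == "__main__":
    for r in suspicious(RECORDS):
        print("unsigned under a signed covering inetnum:", r.geofeed_url)
```

The check only works if the consumer has the covering records available, so a lookup that returns just the most specific inetnum has to be followed by a less-specific query or run against a full database dump.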
