Hi Robert,

On 8/10/09 2:47 AM, "Robert Kisteleki" <rob...@ripe.net> wrote:
[..]
>> 
>> so two organisations, at some point in time, will have the ability to
>> issue valid and conflicting statements.
> 
> They have that ability today, it is being used and it's useful. Would you
> want to take that ability away from them, should they want to use RPKI?
> 

There are differences between what actions result from "statements" today and
what actions will occur in RPKI given the WG stance (which I don't agree
with) on ROA interpretation.

If you have two certificates that overlap in validity time, say for 10/8,
the following can occur:

The first certificate holder issues only a ROA for 10/8 maxLength 8 @AS1 and
originates 10/8 from AS1

The second certificate holder issues only a ROA for 10/8 maxLength 24 @AS3
and originates 10.1.1/24 from AS3 (i.e. some migration strategy)

Depending on which certificate the Relying Party believes, they might reject
(based on current WG interpretation of a ROA) the other valid announcements
at their router. (at least that is how I'm reading it - please correct me if
askew)

If you approach this as a 'not found' interpretation - as originally written
- this becomes near moot.

> 
> Suppose you're ISP1, and want to sell some part of your clients to ISP2
> (this happens: mergers, splits, you name it). In other words, you want to
> transfer a live, routed and used chunk of space to another party. How would
> you execute this while ROAs are in place? If you think about it you'll
> realize that there have to be multiple ROAs which overlap in terms of
> validity time, otherwise you introduce exact timing, which sounds pretty
> difficult to execute with 30K+ participants.
> 

Transferring networks (i.e. changing the AS origination of a prefix) and
transferring ownership don't need to be done at the same time. If they are, I
suspect you probably won't be keeping the network alive.

The exact timing that you speak of is coordinated in advance through the
notBefore and notAfter times of the two resource certificates. I would think
that in your example, assuming that only ownership is being transferred, and
not origination, ISP1 and ISP2 would make their ROAs match (or be
non-existent) for the ownership settlement time so as not to upset routing.

Terry

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
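The overlapping-certificate scenario in the message above, worked through as an added example (editor's code, not part of the thread or of any RPKI implementation). It implements origin validation with the covered/matched semantics later standardised in RFC 6811 (a route is "valid" if some ROA covers it, its length is within maxLength and the origin AS matches; "invalid" if covered but unmatched; "notfound" if no ROA covers it) and models the two relying-party stances discussed as a policy switch: reject invalid routes, or treat an invalid as if it were not found. The `ROA`, `validate`, `decide` and `evaluate` names and the two ROA sets are constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorisation: prefix, maxLength and authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


def validate(roas, route_prefix, origin_as):
    """Origin validation per RFC 6811: returns 'valid', 'invalid' or 'notfound'."""
    route = ip_network(route_prefix, strict=True)
    covered = False
    for roa in roas:
        cover = ip_network(roa.prefix, strict=True)
        # A ROA only covers routes of the same address family inside its prefix.
        if cover.version != route.version or not route.subnet_of(cover):
            continue
        covered = True
        # A match needs the route no longer than maxLength and the same origin AS.
        if route.prefixlen <= roa.max_length and roa.asn == origin_as:
            return "valid"
    return "invalid" if covered else "notfound"


def decide(state, reject_invalid=True):
    """Relying-party policy: drop 'invalid' routes, or treat them like 'notfound'."""
    if state == "invalid" and reject_invalid:
        return "reject"
    return "accept"


# Constructed scenario from the thread: two certificates overlapping in time for 10/8.
ROAS_CERT_1 = frozenset({ROA("10.0.0.0/8", 8, 1)})   # 10/8 maxLength 8 @AS1
ROAS_CERT_2 = frozenset({ROA("10.0.0.0/8", 24, 3)})  # 10/8 maxLength 24 @AS3
ANNOUNCEMENTS = (("10.0.0.0/8", 1), ("10.1.1.0/24", 3))  # what each holder originates


def evaluate(roas, reject_invalid=True):
    """Validation state and RP decision for each announcement under one ROA set."""
    result = {}
    for prefix, asn in ANNOUNCEMENTS:
        state = validate(roas, prefix, asn)
        result[f"{prefix} from AS{asn}"] = (state, decide(state, reject_invalid))
    return result


if __name__ == "__main__":
    for label, roas in (("cert 1 only", ROAS_CERT_1),
                        ("cert 2 only", ROAS_CERT_2),
                        ("both certs", ROAS_CERT_1 | ROAS_CERT_2)):
        print(label)
        for announcement, outcome in evaluate(roas).items():
            print("   ", announcement, "->", outcome)
```

Whichever single certificate the relying party believes, the other holder's legitimate announcement comes out "invalid" and is dropped under the reject-invalid policy; only when both ROA sets are accepted, or when invalid is handled like notfound, does nothing get rejected. That is the routing effect the message attributes to the choice of ROA interpretation.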
