At 9:15 PM -0400 9/20/10, Sean Turner wrote:
> Andrew Chi wrote:
>> On 9/16/2010 10:04 AM, Tim Bruijnzeels wrote:
>>> So, we can not legally issue a new resource certificate that says: "no
>>> resources". As far as I can tell this is perfectly legal to do under
>>> rfc3779: just don't include any "IPAddressFamily"; use a "SEQUENCE OF"
>>> with length 0.
>>
>> True. Currently, draft-ietf-sidr-res-certs-18 leaves the loophole
>> that even if an IP Resources extension is present, it can have
>> length 0.
>>
>> If we decide to disallow certs with no resources, we should
>> eliminate this loophole by rewording the appropriate sentences in
>> 4.9.10 and 4.9.11 to something like: "All Resource Certificates
>> MUST include a non-empty IP Resources extension, a non-empty AS
>> Resource extension, or both."
>
> This made me go and look at what draft-ietf-sidr-roa-format says
> about how many need to be present. What it says is that "one or
> more IP address prefixes that will be advertised". Should we make
> the ASN.1 match this? That is:
>
> OLD:
> ipAddrBlocks SEQUENCE OF ROAIPAddressFamily }
> NEW:
> ipAddrBlocks SEQUENCE (SIZE(1..MAX)) OF ROAIPAddressFamily }
>
> and
>
> OLD:
> addresses SEQUENCE OF ROAIPAddress }
> NEW:
> addresses SEQUENCE (SIZE(1..MAX)) OF ROAIPAddress }

Good catch. Yes, let's change the ROA ASN.1 to match the text.

Steve
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr