On 8/10/12 12:36 AM, "Byron Ellacott" <b...@apnic.net> wrote:

>Hi,
>
>On 10/08/2012, at 4:25 AM, Christopher Morrow wrote:
>
>> an interesting outgrowth of the grandparenting could be the ability to
>> 'avoid' LEA actions at middle tiers of the address allocation
>> hierarchy... that's something to consider, I'd say.
>
>I don't believe this is true.
>
>If C has taken some action, LEA triggered or otherwise, that means the
>RPKI system no longer asserts that G's intent for packet delivery is
>true, then merely allowing G to issue an RPKI assertion does not prevent
>C from asserting whatever they like, too.  If a LEA requires C to issue
>an AS0 ROA 10.42.2.0/23, then creating an ASn ROA for the same prefix,
>same maxLength will not ensure packets are delivered correctly.

The way I understand
http://tools.ietf.org/html/draft-ietf-sidr-pfx-validate-08, if there is a
valid ROA that matches a route, and a valid AS0 ROA that also covers the
route, the route will be considered VALID.

AS0 ROAs don't "trump" other valid ROAs.

>
>Perhaps the underlying operational problem where A is not quite sure yet
>of C's status could be better addressed by section 4.9.4 of the CPS - if
>A has been convinced that G is the current holder of the resources, A
>could register the change of holding, but include in their CPS that they
>may provide a grace period for revocation on a case by case basis.
>
>(If A has not been convinced that G is the current holder of the
>resources, then delivering packets to G for those resources would not be
>a positive engineering outcome, it would be deliberately mis-directing
>packets, which the RPKI is intended to prevent!)
>
>  Byron, speaking only for myself
>

dougm
-- 
Doug Montgomery - Mgr. Internet & Scalable Systems Research / ITL / NIST

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
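
The AS0 interaction discussed in this message, as an added example that is not part of the original thread: a Python sketch of the origin-validation procedure in draft-ietf-sidr-pfx-validate (published as RFC 6811), run against the 10.42.2.0/23 prefix from Byron's scenario. The origin AS 64500 (a documentation ASN), the `VRP` type and the function name are assumptions made for illustration.

```python
import ipaddress
from typing import Iterable, NamedTuple, Optional


class VRP(NamedTuple):
    """Validated ROA payload: one (prefix, maxLength, origin AS) triple."""
    prefix: str
    max_length: int
    asn: int


def validate_origin(route_prefix: str, origin_asn: Optional[int],
                    vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'notfound' for a route and its origin AS."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix)
        # Covered: same address family and the VRP prefix contains the route.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Matched: covered, within maxLength, same origin AS.
        # AS 0 can never match a route, so an AS0 VRP only ever "covers".
        if (vrp.asn != 0 and vrp.asn == origin_asn
                and route.prefixlen <= vrp.max_length):
            return "valid"  # any single match wins, whatever else covers
    return "invalid" if covered else "notfound"


# Constructed sample data for the scenario in the thread.
AS0_ROA = VRP("10.42.2.0/23", 23, 0)      # issued by C
G_ROA = VRP("10.42.2.0/23", 23, 64500)    # issued for G (assumed ASN)

if __name__ == "__main__":
    cases = [
        ("AS0 ROA only", [AS0_ROA]),
        ("AS0 ROA plus G's ROA", [AS0_ROA, G_ROA]),
    ]
    for label, vrps in cases:
        print(label, "->", validate_origin("10.42.2.0/23", 64500, vrps))
```

Under this procedure the AS0 ROA makes the route invalid only while no other valid ROA matches it; a more specific announcement such as 10.42.2.0/24 stays invalid in both cases because it exceeds maxLength 23.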
