nanog mailing list archives

Re: IRRD & exceptions to RPKI-filtering


From: Geoff Huston <gih902 () gmail com>
Date: Tue, 13 Feb 2024 07:03:40 -0500



On 12 Feb 2024, at 6:01 pm, Richard Laager <rlaager () wiktel com> wrote:

On 2024-02-12 15:18, Job Snijders via NANOG wrote:
On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
I was making an observation that the presentation material was
referring to "RPKI-Invalid" while their implementation was using
"ROA-Invalid" There is a difference between these two terms, as I'm
sure you're aware.

I'm sure Job is aware, but I'm not. Anyone want to teach me the difference?

this is _my_ take:

If the crypto leads to a validation failure (expired certificates, signature mismatch in the
validation chain, number resource extension mismatch in the validation path, or similar),
then the X.509 certificate cannot be validated against a trust anchor and the object
(a ROA in this case) is "RPKI-Invalid". RPKI validators discard such objects from
consideration as they cannot convey any useful information.

"ROA-Invalid" starts with a route object, not a ROA, and compares the route
against the locally assembled collection of RPKI-valid ROAs. If it can find an RPKI-valid
ROA that matches the route object then it's "ROA-valid". If it can only find valid
RPKI objects that match the prefix part of the ROA, but not the origin AS, or it's a
more specific prefix of an RPKI-valid ROA, then it's "ROA-invalid". If no such match
is found, then the route is "ROA-unknown".

The distinction being made is:

"RPKI-invalid" refers to a crypto object and the ability of a local party (a "relying 
party") to confirm its crypto-validity against a locally selected trust anchor (or set of
trust anchors).

"ROA-invalid" refers to a route object and a collection of RPKI-valid ROAs
that have been assembled by an observer and refers to the outcome
of the observer testing this route against this locally assembled collection of ROAs.

Geoff
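Geoff's two-step distinction, as an added worked example that is not part of this thread: the relying party first discards ROAs it could not cryptographically validate (RPKI-invalid), then tests each route against the remaining validated ROA payloads in the manner of RFC 6811. The ROAs, the `rpki_valid` flag standing in for the outcome of the crypto check, and the maxLength handling are assumptions; the mail above does not mention maxLength.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # RFC 6482 maxLength (assumed; not discussed in the mail)
    origin_as: int
    rpki_valid: bool  # constructed stand-in for the relying party's crypto check


# Constructed sample ROAs (documentation prefixes and private-use ASNs).
ROAS = [
    Roa("192.0.2.0/24", 24, 64496, True),
    Roa("198.51.100.0/24", 26, 64497, True),
    Roa("203.0.113.0/24", 24, 64498, False),  # RPKI-invalid: dropped in step 1
]


def assemble_vrps(roas):
    """Step 1 ("RPKI-valid/invalid"): keep only ROAs that validated against
    the local trust anchor. RPKI-invalid objects convey nothing and are dropped."""
    return [(ipaddress.ip_network(r.prefix), r.max_length, r.origin_as)
            for r in roas if r.rpki_valid]


def route_origin_state(route_prefix, origin_as, vrps):
    """Step 2 ("ROA-valid/invalid/unknown"): compare one route against the
    locally assembled VRPs, following RFC 6811 section 2.
    - a covering VRP with matching origin AS and prefix length <= maxLength: valid
    - covering VRPs exist but none matches (wrong AS or too specific): invalid
    - no VRP covers the prefix at all: unknown"""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for net, max_length, asn in vrps:
        if route.version != net.version or not route.subnet_of(net):
            continue  # this VRP does not cover the route
        covered = True
        if route.prefixlen <= max_length and asn == origin_as:
            return "valid"
    return "invalid" if covered else "unknown"


if __name__ == "__main__":
    vrps = assemble_vrps(ROAS)
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64499),
                        ("192.0.2.0/25", 64496), ("198.51.100.0/26", 64497),
                        ("203.0.113.0/24", 64498), ("10.0.0.0/8", 64496)]:
        print(prefix, "AS" + str(asn), "->", route_origin_state(prefix, asn, vrps))
```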


