nanog mailing list archives
Re: IRRD & exceptions to RPKI-filtering
From: Geoff Huston <gih902 () gmail com>
Date: Tue, 13 Feb 2024 07:03:40 -0500
On 12 Feb 2024, at 6:01 pm, Richard Laager <rlaager () wiktel com> wrote:

> On 2024-02-12 15:18, Job Snijders via NANOG wrote:
>
>> On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
>>
>>> I was making an observation that the presentation material was referring to "RPKI-Invalid" while their implementation was using "ROA-Invalid"
>>
>> There is a difference between these two terms, as I'm sure you're aware.
>
> I'm sure Job is aware, but I'm not. Anyone want to teach me the difference?
This is _my_ take:

If the crypto leads to a validation failure (expired certificates, signature mismatch in the validation chain, number resource extension mismatch in the validation path, or similar), then the X.509 certificate cannot be validated against a trust anchor and the object (a ROA in this case) is "RPKI-invalid". RPKI validators discard such objects from consideration, as they cannot convey any useful information.

"ROA-invalid" starts with a route object, not a ROA, and compares the route against the locally assembled collection of RPKI-valid ROAs. If it can find an RPKI-valid ROA that matches the route object, then it's "ROA-valid". If it can only find valid RPKI objects that match the prefix part of the ROA, but not the origin AS, or it's a more specific prefix of an RPKI-valid ROA, then it's "ROA-invalid". If no such match is found, then the route is "ROA-unknown".

The distinction being made is: "RPKI-invalid" refers to a crypto object and the ability of a local party (a "relying party") to confirm its crypto-validity against a locally selected trust anchor (or set of trust anchors). "ROA-invalid" refers to a route object and a collection of RPKI-valid ROAs that have been assembled by an observer, and refers to the outcome of the observer testing this route against this locally assembled collection of ROAs.

Geoff
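The two-step distinction drawn in the message above (first discard ROAs whose crypto did not validate, then test each route against the surviving ROAs) as a runnable illustration. This is an added example, not code from the thread or from any RPKI validator; the ROAs, the routes and the `rpki_valid` flag that stands in for the relying party's certificate-path check are all constructed, using documentation prefixes and ASNs. The route check follows RFC 6811 route origin validation, which also covers the maxLength case behind "a more specific prefix of an RPKI-valid ROA".

```python
"""Route Origin Validation (ROV, RFC 6811) over a set of RPKI-valid ROAs.

Added example for this thread, not code from the NANOG discussion or from
any validator. ROAs, routes and the "did the crypto validate" flag are
constructed (documentation prefixes and ASNs) to illustrate the two terms.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import List, Union

Prefix = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Prefix
    max_length: int
    origin_as: int
    # Hypothetical stand-in for the relying party's X.509/CMS path validation
    # against its trust anchors: False means the object is "RPKI-invalid".
    rpki_valid: bool = True


def roa(prefix: str, max_length: int, origin_as: int, rpki_valid: bool = True) -> ROA:
    net = ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, origin_as, rpki_valid)


def validated_payloads(roas: List[ROA]) -> List[ROA]:
    """Step 1 (RPKI validity): discard objects whose crypto did not validate.

    Only the survivors (RFC 6811 'validated ROA payloads', VRPs) take part in
    route checking; an RPKI-invalid ROA conveys nothing, not even 'invalid'.
    """
    return [r for r in roas if r.rpki_valid]


def covers(vrp: ROA, route_prefix: Prefix) -> bool:
    """A VRP covers a route when the route prefix lies inside the ROA prefix."""
    return vrp.prefix.version == route_prefix.version and route_prefix.subnet_of(vrp.prefix)


def rov(route_prefix: str, origin_as: int, vrps: List[ROA]) -> str:
    """Step 2 (ROA validity): classify one route against the VRP set.

    Returns 'valid', 'invalid' or 'notfound' per RFC 6811 section 2:
      - no covering VRP at all                       -> notfound
      - a covering VRP with matching origin AS and
        route length <= maxLength                    -> valid
      - covering VRPs exist but none matches         -> invalid
    Matching the origin AS alone is not enough: a more specific announcement
    beyond maxLength is invalid. An AS0 ROA never matches a real origin, so it
    only ever makes routes invalid.
    """
    net = ip_network(route_prefix)
    covering = [v for v in vrps if covers(v, net)]
    if not covering:
        return "notfound"
    for v in covering:
        if v.origin_as == origin_as and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


# Constructed sample data (RFC 5737 / RFC 3849 prefixes, RFC 5398 ASNs).
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64496),
    roa("198.51.100.0/22", 24, 64497),
    roa("2001:db8::/32", 48, 64496),
    roa("203.0.113.0/24", 24, 64499, rpki_valid=False),  # e.g. expired EE cert
]
VRPS = validated_payloads(SAMPLE_ROAS)

SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),      # valid
    ("192.0.2.0/25", 64496),      # invalid: more specific than maxLength
    ("192.0.2.0/24", 64500),      # invalid: origin AS mismatch
    ("198.51.100.0/23", 64497),   # valid: /23 <= maxLength 24
    ("2001:db8:1::/48", 64496),   # valid
    ("203.0.113.0/24", 64499),    # notfound: its only ROA was RPKI-invalid
    ("10.0.0.0/8", 64496),        # notfound: no ROA at all
]


def classify_all(routes=SAMPLE_ROUTES, vrps=VRPS) -> dict:
    """Map 'prefix AS<origin>' to its ROV state for the sample routes."""
    return {f"{p} AS{a}": rov(p, a, vrps) for p, a in routes}


if __name__ == "__main__":
    for route, state in classify_all().items():
        print(f"{route:28s} {state}")
```

The 203.0.113.0/24 case is the one that separates the two vocabularies: its ROA is RPKI-invalid, so after step 1 the route has no covering ROA at all and comes out "notfound", not "invalid". Skipping step 1 and feeding the unfiltered ROA list into the route check would wrongly report it "valid".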
Current thread:
- IRRD & exceptions to RPKI-filtering Job Snijders via NANOG (Feb 12)
- Re: IRRD & exceptions to RPKI-filtering Geoff Huston (Feb 12)
- Re: IRRD & exceptions to RPKI-filtering Job Snijders via NANOG (Feb 12)
- Re: IRRD & exceptions to RPKI-filtering Richard Laager (Feb 12)
- Re: IRRD & exceptions to RPKI-filtering Job Snijders via NANOG (Feb 12)
- Re: IRRD & exceptions to RPKI-filtering Richard Laager (Feb 12)
- Re: IRRD & exceptions to RPKI-filtering Geoff Huston (Feb 13)
- Re: IRRD & exceptions to RPKI-filtering Job Snijders via NANOG (Feb 12)
- Re: IRRD & exceptions to RPKI-filtering Geoff Huston (Feb 12)