nanog mailing list archives

Re: IRRD & exceptions to RPKI-filtering


From: Richard Laager <rlaager () wiktel com>
Date: Mon, 12 Feb 2024 18:25:25 -0600

On 2024-02-12 18:12, Job Snijders wrote:
> On Mon, Feb 12, 2024 at 05:01:35PM -0600, Richard Laager wrote:
>> On 2024-02-12 15:18, Job Snijders via NANOG wrote:
>>> On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
>>>> I was making an observation that the presentation material was
>>>> referring to "RPKI-Invalid" while their implementation was using
>>>> "ROA-Invalid". There is a difference between these two terms, as I'm
>>>> sure you're aware.
>>
>> I'm sure Job is aware, but I'm not. Anyone want to teach me the
>> difference?

... more good explanation snipped ...

> A ROA can be invalid (for example, because its X.509 EE certificate
> expired); a BGP route can be invalid (because no valid RPKI ROA attests
> that the route could originate from the ASN at hand), and an IRR object
> can be invalid (because no Valid ROA attests the route object's "origin:"
> could originate the prefix at hand).

Thanks!

This makes perfect sense now that you say it. I just wasn't seeing it immediately before. I figured best to ask and learn something. :)

--
Richard
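
Added example (not part of the original message, and not IRRd's or any validator's own code): a Python sketch of the three kinds of "invalid" distinguished in the quoted explanation. It assumes RFC 6811-style origin validation is applied to both BGP routes and IRR route objects, models ROA validity as EE-certificate expiry only, and uses constructed documentation prefixes and ASNs; all names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_network

@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int
    ee_not_after: datetime  # expiry of the ROA's X.509 EE certificate

def valid_roas(roas, now):
    """Object validity: drop ROAs that are themselves invalid.
    Only EE-certificate expiry is modelled here (a simplification)."""
    return [r for r in roas if r.ee_not_after > now]

def origin_validate(prefix, origin_asn, vrps):
    """Route validity: RFC 6811 origin validation against valid ROAs only."""
    net, covered = ip_network(prefix), False
    for r in vrps:
        roa_net = ip_network(r.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one valid ROA covers this prefix
        if r.asn != 0 and r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def irr_object_state(route_obj, vrps):
    """IRR object validity: same test, using the object's "origin:" attribute."""
    asn = int(route_obj["origin"].upper().removeprefix("AS"))
    return origin_validate(route_obj["route"], asn, vrps)

# Constructed sample data (documentation prefixes and ASNs).
UTC = timezone.utc
NOW = datetime(2024, 2, 12, tzinfo=UTC)
ROAS = [
    Roa("192.0.2.0/24", 24, 64496, datetime(2025, 1, 1, tzinfo=UTC)),
    Roa("198.51.100.0/24", 24, 64497, datetime(2024, 1, 1, tzinfo=UTC)),  # expired
]
VRPS = valid_roas(ROAS, NOW)

if __name__ == "__main__":
    print(origin_validate("192.0.2.0/24", 64496, VRPS))
    print(origin_validate("192.0.2.0/24", 64511, VRPS))
    print(origin_validate("198.51.100.0/24", 64497, VRPS))
    print(irr_object_state({"route": "192.0.2.0/24", "origin": "AS64511"}, VRPS))
```

The third case is the one the terminology turns on: the only ROA covering 198.51.100.0/24 is itself invalid, so the route comes out not-found rather than invalid.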

