IRRD & exceptions to RPKI-filtering

Geoff Huston gih902 at gmail.com
Tue Feb 13 12:03:40 UTC 2024



> On 12 Feb 2024, at 6:01 pm, Richard Laager <rlaager at wiktel.com> wrote:
> 
> On 2024-02-12 15:18, Job Snijders via NANOG wrote:
>> On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
>>> I was making an observation that the presentation material was
>>> referring to "RPKI-Invalid" while their implementation was using
>>> "ROA-Invalid". There is a difference between these two terms, as I'm
>>> sure you're aware.
> 
> I'm sure Job is aware, but I'm not. Anyone want to teach me the difference?

This is _my_ take:

If the crypto leads to a validation failure (expired certificates, signature mismatch in the
validation chain, number resource extension mismatch in the validation path, or similar),
then the X.509 certificate cannot be validated against a trust anchor and the object
(a ROA in this case) is "RPKI-Invalid". RPKI validators discard such objects from
consideration as they cannot convey any useful information.

"ROA-Invalid" starts with a route object, not a ROA, and compares the route
against the locally assembled collection of RPKI-valid ROAs. If it can find an RPKI-valid
ROA that matches the route object then it's "ROA-valid". If it can only find valid
RPKI objects that match the prefix part of a ROA, but not the origin AS, or it's a
more specific prefix of an RPKI-valid ROA, then it's "ROA-invalid". If no such match
is found, then the route is "ROA-unknown".

The distinction being made is:

"RPKI-invalid" refers to a crypto object and the ability of a local party (a "relying 
party") to confirm its crypto-validity against a locally selected trust anchor (or set of
trust anchors).

"ROA-invalid" refers to a route object and a collection of RPKI-valid ROAs
that have been assembled by an observer and refers to the outcome
of the observer testing this route against this locally assembled collection of ROAs.

Geoff
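A worked version of the ROA-valid / ROA-invalid / ROA-unknown test described in the message above, added here as an example and not part of the original post: it runs route origin validation (RFC 6811) over a constructed set of validated ROA payloads (prefix, maxLength, origin AS), i.e. what a relying party distils from the RPKI-valid ROAs only. The maxLength handling follows RFC 6811, which the message does not mention; prefixes and AS numbers are documentation ranges, and the VRP set is made up.

```python
"""Route origin validation (RFC 6811) against a constructed VRP set."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: derived only from ROAs that passed RPKI validation."""
    prefix: str
    max_length: int
    asn: int


# Constructed VRP set (documentation prefixes and AS numbers, not real data).
VRPS = (
    VRP("192.0.2.0/24", 24, 64496),     # exact-length only
    VRP("203.0.113.0/24", 26, 64497),   # more-specifics down to /26 allowed
    VRP("2001:db8::/32", 48, 64498),    # IPv6, more-specifics down to /48
)


def rov(route_prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a route announcement.

    A VRP *covers* the route when the route prefix is equal to or more specific
    than the VRP prefix. The route is valid if any covering VRP has the same
    origin AS and the route length does not exceed that VRP's maxLength;
    invalid if it is covered but no VRP matches (origin mismatch or too
    specific); not-found ("ROA-unknown") if no VRP covers it at all.
    """
    route = ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        cover = ip_network(vrp.prefix)
        if cover.version != route.version or not route.subnet_of(cover):
            continue
        covered = True
        if vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                        ("192.0.2.0/25", 64496), ("203.0.113.0/26", 64497),
                        ("203.0.113.0/27", 64497), ("198.51.100.0/24", 64496),
                        ("2001:db8:1::/48", 64498)]:
        print(f"{prefix:<18} AS{asn}: {rov(prefix, asn)}")
```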