< draft-ietf-sidr-usecases-00.txt   draft-ietf-sidr-usecases-01.txt >
Secure Inter-Domain Routing T. Manderson Secure Inter-Domain Routing T. Manderson
Internet-Draft ICANN Internet-Draft ICANN
Intended status: Informational K. Sriram Intended status: Informational K. Sriram
Expires: December 23, 2010 NIST Expires: June 25, 2011 US NIST
R. White R. White
Cisco Cisco
June 21, 2010 December 22, 2010
Use Cases and interpretation of RPKI objects for issuers and relying Use Cases and interpretation of RPKI objects for issuers and relying
parties parties
draft-ietf-sidr-usecases-00 draft-ietf-sidr-usecases-01
Abstract Abstract
This document provides use cases, directions, and interpretations for This document provides use cases, directions, and interpretations for
organizations and relying parties when creating or encountering RPKI organizations and relying parties when creating or encountering RPKI
object scenarios in the public RPKI in relation to the Internet object scenarios in the public RPKI in relation to the Internet
routing system. routing system.
Status of this Memo Status of this Memo
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 23, 2010. This Internet-Draft will expire on June 25, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Requirements Language . . . . . . . . . . . . . . . . . . 5 1.3. Requirements Language . . . . . . . . . . . . . . . . . . 5
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. General interpretation of RPKI object semantics . . . . . 5 2.1. General interpretation of RPKI object semantics . . . . . 6
3. Origination Use Cases . . . . . . . . . . . . . . . . . . . . 6 3. Origination Use Cases . . . . . . . . . . . . . . . . . . . . 6
3.1. Single Announcement . . . . . . . . . . . . . . . . . . . 6 3.1. Single Announcement . . . . . . . . . . . . . . . . . . . 6
3.2. Aggregate with a More Specific . . . . . . . . . . . . . . 6 3.2. Aggregate with a More Specific . . . . . . . . . . . . . . 6
3.3. Aggregate with a More Specific from a Different ASN . . . 7 3.3. Aggregate with a More Specific from a Different ASN . . . 7
3.4. Sub-allocation to a Multi-homed Customer . . . . . . . . . 7 3.4. Sub-allocation to a Multi-homed Customer . . . . . . . . . 7
3.5. Restriction of a New Allocation . . . . . . . . . . . . . 8 3.5. Restriction of a New Allocation . . . . . . . . . . . . . 8
3.6. Restriction of New ASN . . . . . . . . . . . . . . . . . . 8 3.6. Restriction of New ASN . . . . . . . . . . . . . . . . . . 8
3.7. Restriction of a Part of an Allocation . . . . . . . . . . 8 3.7. Restriction of a Part of an Allocation . . . . . . . . . . 9
3.8. Restriction of Prefix Length . . . . . . . . . . . . . . . 9 3.8. Restriction of Prefix Length . . . . . . . . . . . . . . . 9
3.9. Restriction of Sub-allocation Prefix Length . . . . . . . 10 3.9. Restriction of Sub-allocation Prefix Length . . . . . . . 10
3.10. Aggregation and Origination by an Upstream . . . . . . . . 10 3.10. Aggregation and Origination by an Upstream . . . . . . . . 10
3.11. Rogue Aggregation and Origination by an Upstream . . . . . 11 3.11. Rogue Aggregation and Origination by an Upstream . . . . . 11
4. Adjacency Use Cases . . . . . . . . . . . . . . . . . . . . . 12 4. Adjacency Use Cases . . . . . . . . . . . . . . . . . . . . . 12
4.1. Multi-homed . . . . . . . . . . . . . . . . . . . . . . . 12 4.1. Multi-homed . . . . . . . . . . . . . . . . . . . . . . . 12
4.2. Restricting Peers . . . . . . . . . . . . . . . . . . . . 12 4.2. Restricting Peers . . . . . . . . . . . . . . . . . . . . 13
5. Partial Deployment Use Cases . . . . . . . . . . . . . . . . . 13 5. Partial Deployment Use Cases . . . . . . . . . . . . . . . . . 13
5.1. Parent does not do RPKI . . . . . . . . . . . . . . . . . 13 5.1. Parent does not do RPKI . . . . . . . . . . . . . . . . . 13
5.2. Only Some Children Participate in RPKI . . . . . . . . . . 14 5.2. Only Some Children Participate in RPKI . . . . . . . . . . 14
5.3. Grandchild Does Not Particpate in RPKI . . . . . . . . . . 14 5.3. Grandchild Does Not Participate in RPKI . . . . . . . . . 14
6. Transfer Use Cases . . . . . . . . . . . . . . . . . . . . . . 15 6. Transfer Use Cases . . . . . . . . . . . . . . . . . . . . . . 15
6.1. Transfer of in-use prefix and autonomous system number . . 15 6.1. Transfer of in-use prefix and autonomous system number . . 15
6.2. Transfer of in-use prefix . . . . . . . . . . . . . . . . 15 6.2. Transfer of in-use prefix . . . . . . . . . . . . . . . . 15
6.3. Transfer of un-used prefix . . . . . . . . . . . . . . . . 15 6.3. Transfer of un-used prefix . . . . . . . . . . . . . . . . 15
7. Relying Party Use Cases . . . . . . . . . . . . . . . . . . . 16 7. Relying Party Use Cases . . . . . . . . . . . . . . . . . . . 16
7.1. ROA Expiry or receipt of a CRL covering a ROA . . . . . . 16 7.1. ROA Expiry or receipt of a CRL covering a ROA . . . . . . 16
7.1.1. ROA of Parent Prefix is Revoked . . . . . . . . . . . 16 7.1.1. ROA of Parent Prefix is Revoked . . . . . . . . . . . 16
7.1.2. ROA of Prefix Revoked . . . . . . . . . . . . . . . . 16 7.1.2. ROA of Prefix Revoked . . . . . . . . . . . . . . . . 16
7.1.3. ROA of Grandparent Prefix Revoked while that of 7.1.3. ROA of Grandparent Prefix Revoked while that of
Parent Prefix Prevails . . . . . . . . . . . . . . . . 16 Parent Prefix Prevails . . . . . . . . . . . . . . . . 16
7.1.4. ROA of Prefix Revoked while that of Parent Prefix 7.1.4. ROA of Prefix Revoked while that of Parent Prefix
Prevails . . . . . . . . . . . . . . . . . . . . . . . 17 Prevails . . . . . . . . . . . . . . . . . . . . . . . 17
7.1.5. Expiry of ROA of Parent Prefix . . . . . . . . . . . . 17 7.1.5. Expiry of ROA of Parent Prefix . . . . . . . . . . . . 17
7.1.6. Expiry of ROA of Prefix . . . . . . . . . . . . . . . 17 7.1.6. Expiry of ROA of Prefix . . . . . . . . . . . . . . . 17
7.1.7. Expiry of ROA of Grandparent Prefix while ROA of 7.1.7. Expiry of ROA of Grandparent Prefix while ROA of
Parent Prefix Prevails . . . . . . . . . . . . . . . . 17 Parent Prefix Prevails . . . . . . . . . . . . . . . . 17
7.1.8. Expiry of ROA of Prefix while ROA of Parent Prefix 7.1.8. Expiry of ROA of Prefix while ROA of Parent Prefix
Prevails . . . . . . . . . . . . . . . . . . . . . . . 18 Prevails . . . . . . . . . . . . . . . . . . . . . . . 18
7.2. Prefix, Origin Validation use cases . . . . . . . . . . . 18 7.2. Prefix, Origin Validation use cases . . . . . . . . . . . 18
7.2.1. Covering ROA Prefix, Maxlength Satisfied, and AS 7.2.1. Covering ROA Prefix, maxLength Satisfied, and AS
Match . . . . . . . . . . . . . . . . . . . . . . . . 18 Match . . . . . . . . . . . . . . . . . . . . . . . . 18
7.2.2. Covering ROA Prefix, Maxlength Exceeded, and AS 7.2.2. Covering ROA Prefix, maxLength Exceeded, and AS
Match . . . . . . . . . . . . . . . . . . . . . . . . 18 Match . . . . . . . . . . . . . . . . . . . . . . . . 18
7.2.3. Covering ROA Prefix, Maxlength Satisfied, and AS 7.2.3. Covering ROA Prefix, maxLength Satisfied, and AS
Mismatch: . . . . . . . . . . . . . . . . . . . . . . 19 Mismatch: . . . . . . . . . . . . . . . . . . . . . . 19
7.2.4. Covering ROA Prefix, Maxlength Exceeded, and AS 7.2.4. Covering ROA Prefix, maxLength Exceeded, and AS
Mismatch . . . . . . . . . . . . . . . . . . . . . . . 19 Mismatch . . . . . . . . . . . . . . . . . . . . . . . 19
7.2.5. Covering ROA Prefix Not Found . . . . . . . . . . . . 19 7.2.5. Covering ROA Prefix Not Found . . . . . . . . . . . . 19
7.2.6. Covering ROA Prefix Not Found but ROAs Exist for a 7.2.6. Covering ROA Prefix Not Found but ROAs Exist for a
Covering Set of More Specifics . . . . . . . . . . . . 19 Covering Set of More Specifics . . . . . . . . . . . . 20
7.2.7. Update has an AS Set as Origin and ROAs Exist for 7.2.7. AS_SET in Update and Covering ROA Prefix Not Found . . 20
a Covering Set of More Specifics . . . . . . . . . . . 20 7.2.8. Singleton AS in AS_SET (in the Update), Covering
7.2.8. Update has AS set, Aggregator AS Absent, and ROA Prefix, and AS Match . . . . . . . . . . . . . . . 20
Covering ROA Prefix Not Found . . . . . . . . . . . . 21 7.2.9. Singleton AS in AS_SET (in the Update), Covering
7.2.9. Update has AS set, Aggregator AS Absent, and
Covering ROA Prefix . . . . . . . . . . . . . . . . . 21
7.2.10. Update has AS set, Aggregator AS Present, and
Covering ROA Prefix Not Found . . . . . . . . . . . . 21
7.2.11. Update has AS set, Aggregator AS Present, Covering
ROA Prefix, and AS Mismatch . . . . . . . . . . . . . 21 ROA Prefix, and AS Mismatch . . . . . . . . . . . . . 21
7.2.12. Update has AS set, Aggregator AS Present, Covering 7.2.10. Multiple ASs in AS_SET (in the Update) and
ROA Prefix, and AS Match . . . . . . . . . . . . . . . 21 Covering ROA Prefix . . . . . . . . . . . . . . . . . 21
7.2.11. Update has an AS_SET as Origin and ROAs Exist for
a Covering Set of More Specifics . . . . . . . . . . . 21
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
10. Security Considerations . . . . . . . . . . . . . . . . . . . 22 10. Security Considerations . . . . . . . . . . . . . . . . . . . 22
11. Normative References . . . . . . . . . . . . . . . . . . . . . 22 11. Normative References . . . . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
This document provides suggested use cases, directions, and This document provides suggested use cases, directions, and
interpretations for organizations and relying parties when creating interpretations for organizations and relying parties when creating
skipping to change at page 4, line 21 skipping to change at page 4, line 21
1.1. Terminology 1.1. Terminology
It is assumed that the reader is familiar with the terms and concepts It is assumed that the reader is familiar with the terms and concepts
described in "Internet X.509 Public Key Infrastructure Certificate described in "Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile" [RFC5280], "A Profile and Certificate Revocation List (CRL) Profile" [RFC5280], "A Profile
for X.509 PKIX Resource Certificates" [I-D.ietf-sidr-res-certs] for X.509 PKIX Resource Certificates" [I-D.ietf-sidr-res-certs]
"X.509 Extensions for IP Addresses and AS Identifiers" [RFC3779], "A "X.509 Extensions for IP Addresses and AS Identifiers" [RFC3779], "A
Profile for Route Origin Authorizations (ROAs)" Profile for Route Origin Authorizations (ROAs)"
[I-D.ietf-sidr-roa-format], "Validation of Route Origination in BGP [I-D.ietf-sidr-roa-format], "Validation of Route Origination in BGP
using the Resource Certificate PKI" [I-D.ietf-sidr-roa-validation], using the Resource Certificate PKI and ROAs"
[I-D.ietf-sidr-roa-validation], and BGP Prefix Origin Validation"
[I-D.pmohapat-sidr-pfx-validate].
1.2. Definitions 1.2. Definitions
The following definitions are in use in this document. The following definitions are in use in this document.
Autonomous System - A network under a single technical administration Autonomous System - A network under a single technical administration
that presents a consistent picture of what destinations are reachable that presents a consistent picture of what destinations are reachable
through it. through it.
Autonomous System Number (ASN) - An officially registered number Autonomous System Number (ASN) - An officially registered number
representing an autonomous system. representing an autonomous system.
Prefix - A network address and an integer that specifies the length Prefix - A network address and an integer that specifies the length
of a mask to be applied to the address to represent a set of of a mask to be applied to the address to represent a set of
numerically adjacent addresses. numerically adjacent addresses.
Route - A prefix and a sequence of one or more autonomous system Route - A prefix and a sequence of one or more autonomous system
numbers. numbers.
Origin AS - The Autonomous System, designated by an ASN, which Origin AS - The Autonomous System, designated by an ASN, which
originates a route. Seen as the "First" ASN in a route originates a route. Seen as the "First" ASN in a route.
Specific route - A route that has a longer prefix than an aggregate. Specific route - A route that has a longer prefix than an aggregate.
Aggregate route - A more general route in the presence of a specific Aggregate route - A more general route in the presence of a specific
route. route.
Covering Aggregate - A route that covers one or more specific routes. Covering Aggregate - A route that covers one or more specific routes.
Multi-homed - An Autonomous System that is connected, and announces Multi-homed Autonomous System - An Autonomous System that is
routes, to one or more Autonomous Systems connected, and announces routes, to two or more Autonomous Systems.
Multi-homed prefix or subnet - A prefix (i.e., subnet) that is
originated via two or more Autonomous Systems to which the subnet is
connected.
Resource - Internet (IP) addresses or Autonomous System Number. Resource - Internet (IP) addresses or Autonomous System Number.
Allocation - The set of resources provided to an entity or Allocation - The set of resources provided to an entity or
organization for its use. organization for its use.
Sub-allocation - The set of a resources subordinate to an allocation Sub-allocation - The set of a resources subordinate to an allocation
assigned to another entity or organization. assigned to another entity or organization.
Transit Provider - An Autonomous System that carries traffic that Transit Provider - An Autonomous System that carries traffic that
neither originates nor is the destination of that traffic. neither originates nor is the destination of that traffic.
Upstream - See "Transit Provider". Upstream - See "Transit Provider".
Child - A Sub-allocation that has resulted from an Allocation Child - A Sub-allocation that has resulted from an Allocation.
Parent - An allocation from which the subject prefix is a Child Parent - An allocation from which the subject prefix is a Child.
Grandchild - A Sub-allocation from or more previous Sub-allocations. Grandchild - A Sub-allocation from one or more previous Sub-
allocations.
Grandparent - The allocation from which the prefix is a Grandchild. Grandparent - The allocation from which the prefix is a Grandchild.
Update prefix - The prefix seen in a routing update Update prefix - The prefix seen in a routing update.
ROA prefix - The prefix described in a ROA ROA prefix - The prefix described in a ROA.
Covering Prefix - The ROA Prefix is an exact match or a less specific Covering Prefix - The ROA Prefix is an exact match or a less specific
when compared to the update prefix. when compared to the update prefix.
No relevant ROA - No ROA exists that has a covering prefix for the No relevant ROA - No ROA exists that has a covering prefix for the
update prefix. update prefix.
No other relevant ROA - No other ROA (besides any that is(are) No other relevant ROA - No other ROA (besides any that is(are)
already cited) that has a covering prefix for the update prefix already cited) that has a covering prefix for the update prefix.
1.3. Requirements Language 1.3. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119. document are to be interpreted as described in RFC 2119.
2. Overview 2. Overview
2.1. General interpretation of RPKI object semantics 2.1. General interpretation of RPKI object semantics
skipping to change at page 6, line 19 skipping to change at page 6, line 27
stated. stated.
While many of the examples provided here illustrate organizations While many of the examples provided here illustrate organizations
using their own autonomous system numbers to originate routes, it using their own autonomous system numbers to originate routes, it
should be recognised that a prefix holder need not necessarily be the should be recognised that a prefix holder need not necessarily be the
holder of the autonomous system number used for the route holder of the autonomous system number used for the route
origination. origination.
3. Origination Use Cases 3. Origination Use Cases
This section deals with the various use cases where an orgnaistion This section deals with the various use cases where an organization
has Internet resources and will announce routes to the Internet. It has Internet resources and will announce routes to the Internet. It
is based on operational observations of the existing routing system. is based on operational observations of the existing routing system.
3.1. Single Announcement 3.1. Single Announcement
An organization (Org A with ASN 64496) has been allocated the prefix An organization (Org A with ASN 64496) has been allocated the prefix
192.168.2.0/24. It wishes to announce the /24 prefix from ASN 64496 192.168.2.0/24. It wishes to announce the /24 prefix from ASN 64496
such that relying parties interpret the route as intended. such that relying parties interpret the route as intended.
The desired announcement (and organization) would be: The desired announcement (and organization) would be:
skipping to change at page 8, line 29 skipping to change at page 8, line 37
| 10.1.0.0/16 | ANY AS | ANY | | 10.1.0.0/16 | ANY AS | ANY |
| 10.1.0.0/20 | ANY AS | ANY | | 10.1.0.0/20 | ANY AS | ANY |
| 10.1.17.0/24 | ANY AS | ANY | | 10.1.17.0/24 | ANY AS | ANY |
+---------------------------------------------+ +---------------------------------------------+
The issuing party would create the following RPKI objects: TBC The issuing party would create the following RPKI objects: TBC
3.6. Restriction of New ASN 3.6. Restriction of New ASN
An organization has recently been allocated an additional 4 byte ASN An organization has recently been allocated an additional 4 byte ASN
65551. Its network deployment is not yet ready to use this ASN and 65535. Its network deployment is not yet ready to use this ASN and
wishes to restrict all possible uses of ASN 65551 using RPKI. wishes to restrict all possible uses of ASN 65535 using RPKI.
The following announcements would be considered undesirable: The following announcements would be considered undesirable:
+---------------------------------------------+ +---------------------------------------------+
| Prefix | Origin AS |Organization | | Prefix | Origin AS |Organization |
+---------------------------------------------+ +---------------------------------------------+
| ANY | AS65551 | ANY | | ANY | AS65535 | ANY |
+---------------------------------------------+ +---------------------------------------------+
The issuing party would create the following RPKI objects: TBC The issuing party would create the following RPKI objects: TBC
3.7. Restriction of a Part of an Allocation 3.7. Restriction of a Part of an Allocation
An organization (Org A with ASN 64496) has been allocated the prefix An organization (Org A with ASN 64496) has been allocated the prefix
10.1.0.0/16. Its network topology permits the announcement of 10.1.0.0/16. Its network topology permits the announcement of
10.1.0.0/17 and the /16 aggregate. However it wishes to restrict any 10.1.0.0/17 and the /16 aggregate. However it wishes to restrict any
possible announcement of 10.1.128.0/17 or more specifics of that /17 possible announcement of 10.1.128.0/17 or more specifics of that /17
skipping to change at page 10, line 9 skipping to change at page 10, line 20
| ... | ANY AS | ANY | | ... | ANY AS | ANY |
| 10.1.128.0/24 | ANY AS | ANY | | 10.1.128.0/24 | ANY AS | ANY |
+---------------------------------------------+ +---------------------------------------------+
The issuing party would create the following RPKI objects: TBC The issuing party would create the following RPKI objects: TBC
3.9. Restriction of Sub-allocation Prefix Length 3.9. Restriction of Sub-allocation Prefix Length
An organization (Org A with ASN 64496) has been allocated the prefix An organization (Org A with ASN 64496) has been allocated the prefix
10.1.0.0/16, it sub-allocates several /20 prefixes to its multi-homed 10.1.0.0/16, it sub-allocates several /20 prefixes to its multi-homed
customers Org B with ASN 65551, and Org C with ASN 64499. It wishes customers Org B with ASN 65535, and Org C with ASN 64499. It wishes
to restrict those customers from advertising any corresponding routes to restrict those customers from advertising any corresponding routes
more specific than a /22. more specific than a /22.
The desired announcements would be: The desired announcements would be:
+---------------------------------------------+ +---------------------------------------------+
| Prefix | Origin AS |Organization | | Prefix | Origin AS |Organization |
+---------------------------------------------+ +---------------------------------------------+
| 10.1.0.0/16 | AS64496 | Org A | | 10.1.0.0/16 | AS64496 | Org A |
| 10.1.0.0/20 | AS65551 | Org B | | 10.1.0.0/20 | AS65535 | Org B |
| 10.1.128.0/20 | AS64499 | Org C | | 10.1.128.0/20 | AS64499 | Org C |
| 10.1.4.0/22 | AS65551 | Org B | 10.1.4.0/22 | AS65535 | Org B
+---------------------------------------------+ +---------------------------------------------+
The following example announcements (and organization) would be The following example announcements (and organization) would be
considered undesirable: considered undesirable:
+---------------------------------------------+ +---------------------------------------------+
| Prefix | Origin AS |Organization | | Prefix | Origin AS |Organization |
+---------------------------------------------+ +---------------------------------------------+
| 10.1.0.0/24 | AS65551 | Org B | | 10.1.0.0/24 | AS65535 | Org B |
| 10.1.128.0/24 | AS64499 | Org C | | 10.1.128.0/24 | AS64499 | Org C |
| ..... | ... | ... | | ..... | ... | ... |
| 10.1.0.0/23 | ANY AS | ANY | | 10.1.0.0/23 | ANY AS | ANY |
+---------------------------------------------+ +---------------------------------------------+
The issuing party would create the following RPKI objects: TBC The issuing party would create the following RPKI objects: TBC
3.10. Aggregation and Origination by an Upstream 3.10. Aggregation and Origination by an Upstream
Consider four organizations with the following resources which were Consider four organizations with the following resources, which were
acquired independently from the transit provider. acquired independently from any transit provider. .
+-------------------------------------------------+ +-------------------------------------------------+
| Organization | ASN | Prefix | | Organization | ASN | Prefix |
+-------------------------------------------------+ +-------------------------------------------------+
| Org A | AS64496 | 10.1.0.0/24 | | Org A | AS64496 | 10.1.0.0/24 |
| Org B | AS65551 | 10.1.3.0/24 | | Org B | AS65535 | 10.1.3.0/24 |
| Org C | AS64499 | 10.1.1.0/24 | | Org C | AS64499 | 10.1.1.0/24 |
| Org D | AS64512 | 10.1.2.0/24 | | Org D | AS64512 | 10.1.2.0/24 |
+-------------------------------------------------+ +-------------------------------------------------+
These organizations share a common upstream provider Transit A (ASN These organizations share a common upstream provider Transit A (ASN
64497) that originates an aggregate of these prefixes with the 64497) that originates an aggregate of these prefixes with the
permission of all four organizations. permission of all four organizations.
The desired announcements (and organization) would be: The desired announcements (and organization) would be:
+----------------------------------------------+ +----------------------------------------------+
| Prefix | Origin AS | Organization | | Prefix | Origin AS | Organization |
+----------------------------------------------+ +----------------------------------------------+
| 10.1.0.0/24 | AS64496 | Org A | | 10.1.0.0/24 | AS64496 | Org A |
| 10.1.3.0/24 | AS65551 | Org B | | 10.1.3.0/24 | AS65535 | Org B |
| 10.1.1.0/24 | AS64499 | Org C | | 10.1.1.0/24 | AS64499 | Org C |
| 10.1.2.0/24 | AS64512 | Org D | | 10.1.2.0/24 | AS64512 | Org D |
| 10.1.0.0/22 | AS64497 | Transit A | | 10.1.0.0/22 | AS64497 | Transit A |
+----------------------------------------------+ +----------------------------------------------+
The issuing parties would create the following RPKI objects: TBC The issuing parties would create the following RPKI objects: TBC
3.11. Rogue Aggregation and Origination by an Upstream 3.11. Rogue Aggregation and Origination by an Upstream
Consider four organizations with the following resources which were Consider four organizations with the following resources which were
acquired independently from any transit provider. acquired independently from any transit provider.
+-------------------------------------------------+ +-------------------------------------------------+
| Organization | ASN | Prefix | | Organization | ASN | Prefix |
+-------------------------------------------------+ +-------------------------------------------------+
| Org A | AS64496 | 10.1.0.0/24 | | Org A | AS64496 | 10.1.0.0/24 |
| Org B | AS65551 | 10.1.3.0/24 | | Org B | AS65535 | 10.1.3.0/24 |
| Org C | AS64499 | 10.1.1.0/24 | | Org C | AS64499 | 10.1.1.0/24 |
| Org D | AS64512 | 10.1.2.0/24 | | Org D | AS64512 | 10.1.2.0/24 |
+-------------------------------------------------+ +-------------------------------------------------+
These organizations share a common upstream provider Transit A (ASN These organizations share a common upstream provider Transit A (ASN
64497) that originates an aggregate of these prefixes where possible. 64497) that originates an aggregate of these prefixes where possible.
In this situation organization B (ASN 65551, 10.1.3.0/24) does not In this situation organization B (ASN 65535, 10.1.3.0/24) does not
wish for its prefix to be aggregated by the upstream wish for its prefix to be aggregated by the upstream
The desired announcements (and organization) would be: The desired announcements (and organization) would be:
+----------------------------------------------+ +----------------------------------------------+
| Prefix | Origin AS | Organization | | Prefix | Origin AS | Organization |
+----------------------------------------------+ +----------------------------------------------+
| 10.1.0.0/24 | AS64496 | Org A | | 10.1.0.0/24 | AS64496 | Org A |
| 10.1.3.0/24 | AS65551 | Org B | | 10.1.3.0/24 | AS65535 | Org B |
| 10.1.1.0/24 | AS64499 | Org C | | 10.1.1.0/24 | AS64499 | Org C |
| 10.1.2.0/24 | AS64512 | Org D | | 10.1.2.0/24 | AS64512 | Org D |
| 10.1.0.0/23 | AS64497 | Transit A | | 10.1.0.0/23 | AS64497 | Transit A |
+----------------------------------------------+ +----------------------------------------------+
The following announcement would be undesirable: The following announcement would be undesirable:
+----------------------------------------------+ +----------------------------------------------+
| Prefix | Origin AS | Organization | | Prefix | Origin AS | Organization |
+----------------------------------------------+ +----------------------------------------------+
| 10.1.0.0/22 | AS64497 | Transit A | | 10.1.0.0/22 | AS64497 | Transit A |
+----------------------------------------------+ +----------------------------------------------+
The issuing parties would create the following RPKI objects: TBC The issuing parties would create the following RPKI objects: TBC
4. Adjacency Use Cases 4. Adjacency Use Cases
Issues regarding validation of adjacency, or path validation, are Issues regarding validation of adjacency, or path validation, are
currently out of scope of the SIDR-WG charter. The use cases is this currently out of scope of the SIDR-WG charter. The use cases in this
section are listed here as a reminder that the work goes beyond section are listed here as a reminder that the work goes beyond
origination and at the stage when origination has been addressed by origination and at the stage when origination has been addressed by
the WG, a re-charter to encompass adjacency will allow consideration the WG, a re-charter to encompass adjacency will allow consideration
of these use cases. of these use cases.
4.1. Multi-homed 4.1. Multi-homed
An organization (Org A with ASN 64496) has been allocated the prefix An organization (Org A with ASN 64496) has been allocated the prefix
10.1.0.0/16. Its upstreams transit providers are Transit A with ASN 10.1.0.0/16. Its upstream transit providers are Transit A with ASN
65551 and Transit B ASN 64499. The organization announces the /16 65535 and Transit B with ASN 64499. The organization announces the
aggregate. It permits that ASN 65551 and ASN 64499 may further pass /16 aggregate. It permits that ASN 65535 and ASN 64499 may further
on the aggregate route to their peers or upstreams. pass on the aggregate route to their peers or upstreams.
The following announcements and paths would be desired: The following announcements and paths would be desired:
+---------------------------------------------------------+ +---------------------------------------------------------+
| Prefix | Origin AS | Path | | Prefix | Origin AS | Path |
+---------------------------------------------------------+ +---------------------------------------------------------+
| 10.1.0.0/16 | AS64496 | AS64499 AS64496 | | 10.1.0.0/16 | AS64496 | AS64499 AS64496 |
| 10.1.0.0/16 | AS64496 | AS65551 AS64496 | | 10.1.0.0/16 | AS64496 | AS65535 AS64496 |
+---------------------------------------------------------+ +---------------------------------------------------------+
The issuing parties would create the following RPKI objects: TBC The issuing parties would create the following RPKI objects: TBC
4.2. Restricting Peers 4.2. Restricting Peers
An organization (Org A with ASN 64496) has been allocated the prefix An organization (Org A with ASN 64496) has been allocated the prefix
10.1.0.0/16. Its two upstreams are Transit X with ASN 65551 and 10.1.0.0/16. Its two upstreams are Transit X with ASN 65535 and
Transit Y with ASN 64499. The organization (ASN 64496) peers with a Transit Y with ASN 64499. The organization (ASN 64496) peers with a
third AS, Peer Z with ASN 64511. Org A announces the more specific third AS, Peer Z with ASN 64511. Org A announces the more specific
10.1.0.0/24 and the /16 aggregate. It wishes that only ASNs 65551 10.1.0.0/24 and the /16 aggregate. It wishes that only ASNs 65535
and 64499 may announce the aggregate and more specifics to their and 64499 may announce the aggregate and more specifics to their
upstreams. ASN 64511, the peer, may not further announce (pass on, upstreams. ASN 64511, the peer, may not further announce (pass on,
or leak) any routes for 10.1.0.0/16 and 10.1.0.0/24. or leak) any routes for 10.1.0.0/16 and 10.1.0.0/24.
The following announcements and paths would be desired: The following announcements and paths would be desired:
+---------------------------------------------------------+ +---------------------------------------------------------+
| Prefix | Origin AS | Path | | Prefix | Origin AS | Path |
+---------------------------------------------------------+ +---------------------------------------------------------+
| 10.1.0.0/16 | AS64496 | AS64499 AS64496 | | 10.1.0.0/16 | AS64496 | AS64499 AS64496 |
| 10.1.0.0/24 | AS64496 | AS64499 AS64496 | | 10.1.0.0/24 | AS64496 | AS64499 AS64496 |
| 10.1.0.0/16 | AS64496 | AS65551 AS64496 | | 10.1.0.0/16 | AS64496 | AS65535 AS64496 |
| 10.1.0.0/24 | AS64496 | AS65551 AS64496 | | 10.1.0.0/24 | AS64496 | AS65535 AS64496 |
| 10.1.0.0/16 | AS64496 | Any_AS AS64499 AS64496 | | 10.1.0.0/16 | AS64496 | Any_AS AS64499 AS64496 |
| 10.1.0.0/24 | AS64496 | Any_AS AS64499 AS64496 | | 10.1.0.0/24 | AS64496 | Any_AS AS64499 AS64496 |
| 10.1.0.0/16 | AS64496 | Any_AS AS65551 AS64496 | | 10.1.0.0/16 | AS64496 | Any_AS AS65535 AS64496 |
| 10.1.0.0/24 | AS64496 | Any_AS AS65551 AS64496 | | 10.1.0.0/24 | AS64496 | Any_AS AS65535 AS64496 |
| 10.1.0.0/16 | AS64496 | AS64511 AS64496 | | 10.1.0.0/16 | AS64496 | AS64511 AS64496 |
| 10.1.0.0/24 | AS64496 | AS64511 AS64496 | | 10.1.0.0/24 | AS64496 | AS64511 AS64496 |
+---------------------------------------------------------+ +---------------------------------------------------------+
The following announcements and paths would be considered The following announcements and paths would be considered
undesirable: undesirable:
+---------------------------------------------------------+ +---------------------------------------------------------+
| Prefix | Origin AS | Path | | Prefix | Origin AS | Path |
+---------------------------------------------------------+ +---------------------------------------------------------+
skipping to change at page 13, line 40 skipping to change at page 13, line 50
| 10.1.0.0/24 | AS64496 | Any_AS AS64511 AS64496 | | 10.1.0.0/24 | AS64496 | Any_AS AS64511 AS64496 |
+---------------------------------------------------------+ +---------------------------------------------------------+
The issuing parties would create the following RPKI objects: TBC The issuing parties would create the following RPKI objects: TBC
5. Partial Deployment Use Cases 5. Partial Deployment Use Cases
5.1. Parent does not do RPKI 5.1. Parent does not do RPKI
An organization (Org A with ASN 64511) is multi-homed has been An organization (Org A with ASN 64511) is multi-homed has been
assigned the prefix 10.1.0.0/20 from its upstream (Transit A with ASN assigned the prefix 10.1.0.0/20 from its upstream (Transit X with ASN
64496) Org A wishes to announce the prefix 10.1.0.0/20 from ASN 64511 64496). Org A wishes to announce the prefix 10.1.0.0/20 from ASN
to its other upstream(s). Org A also wishes to create RPKI 64511 to its other upstream(s). Org A also wishes to create RPKI
statements about the resource, however Transit A (ASN 64496) which statements about the resource, however Transit X (ASN 64496) which
announces the aggregate 10.1.0.0/16 has not yet adopted RPKI. announces the aggregate 10.1.0.0/16 has not yet adopted RPKI.
The desired announcements (and organization with RPKI adoption) would The desired announcements (and organization with RPKI adoption) would
be: be:
+----------------------------------------------------+ +----------------------------------------------------+
| Prefix | Origin AS |Organization | RPKI | | Prefix | Origin AS |Organization | RPKI |
+----------------------------------------------------+ +----------------------------------------------------+
| 10.1.0.0/20 | AS64511 | Org A | Yes | | 10.1.0.0/20 | AS64511 | Org A | Yes |
| 10.1.0.0/16 | AS64496 | Transit A | No | | 10.1.0.0/16 | AS64496 | Transit X | No |
+----------------------------------------------------+ +----------------------------------------------------+
The issuing parties would create the following RPKI objects: TBC The issuing parties would create the following RPKI objects: TBC
5.2. Only Some Children Participate in RPKI 5.2. Only Some Children Participate in RPKI
An organization (Org A with ASN 64496) has been allocated the prefix An organization (Org A with ASN 64496) has been allocated the prefix
10.1.0.0/16 and participates in RPKI, it wishes to announce the more 10.1.0.0/16 and participates in RPKI, it wishes to announce the more
specific prefix 10.1.0.0/20 from ASN 64496. It has further delegated specific prefix 10.1.0.0/20 from ASN 64496. It has further delegated
10.1.16.0/20 and 10.1.32.0/20 to customers Org B with ASN 64511 and 10.1.16.0/20 and 10.1.32.0/20 to customers Org B with ASN 64511 and
and Org C with ASN 65551 (respectively) who are multi-homed. Org B and Org C with ASN 65535 (respectively) who are multi-homed. Org B
(ASN 64511) does not participate in RPKI. Org C (ASN 65551) (ASN 64511) does not participate in RPKI. Org C (ASN 65535)
participates in RPKI. participates in RPKI.
The desired announcements (and organization with RPKI adoption) would The desired announcements (and organization with RPKI adoption) would
be: be:
+----------------------------------------------------+ +----------------------------------------------------+
| Prefix | Origin AS |Organization | RPKI | | Prefix | Origin AS |Organization | RPKI |
+----------------------------------------------------+ +----------------------------------------------------+
| 10.1.0.0/16 | AS64496 | Org A | Yes | | 10.1.0.0/16 | AS64496 | Org A | Yes |
| 10.1.0.0/20 | AS64496 | Org A | Yes | | 10.1.0.0/20 | AS64496 | Org A | Yes |
| 10.1.16.0/20 | AS64511 | Org B | No | | 10.1.16.0/20 | AS64511 | Org B | No |
| 10.1.32.0/20 | AS65551 | Org C | YES | | 10.1.32.0/20 | AS65535 | Org C | YES |
+----------------------------------------------------+ +----------------------------------------------------+
The issuing parties would create the following RPKI objects: TBC The issuing parties would create the following RPKI objects: TBC
5.3. Grandchild Does Not Particpate in RPKI 5.3. Grandchild Does Not Participate in RPKI
Consider the previous example with an extension by where Org B, who Consider the previous example with an extension by where Org B, who
does not participate in RPKI, further allocates 10.1.17.0/24 to Org X does not participate in RPKI, further allocates 10.1.17.0/24 to Org X
with ASN 64512. Org X does not participate in RPKI with ASN 64512. Org X does not participate in RPKI.
The desired announcements (and organization with RPKI adoption) would The desired announcements (and organization with RPKI adoption) would
be: be:
+----------------------------------------------------+ +----------------------------------------------------+
| Prefix | Origin AS |Organization | RPKI | | Prefix | Origin AS |Organization | RPKI |
+----------------------------------------------------+ +----------------------------------------------------+
| 10.1.0.0/16 | AS64496 | Org A | Yes | | 10.1.0.0/16 | AS64496 | Org A | Yes |
| 10.1.0.0/20 | AS64496 | Org A | Yes | | 10.1.0.0/20 | AS64496 | Org A | Yes |
| 10.1.16.0/20 | AS64511 | Org B | No | | 10.1.16.0/20 | AS64511 | Org B | No |
| 10.1.32.0/20 | AS65551 | Org C | YES | | 10.1.32.0/20 | AS65535 | Org C | YES |
| 10.1.17.0/24 | AS64512 | Org X | No | | 10.1.17.0/24 | AS64512 | Org X | No |
+----------------------------------------------------+ +----------------------------------------------------+
The issuing parties would create the following RPKI objects: TBC The issuing parties would create the following RPKI objects: TBC
6. Transfer Use Cases 6. Transfer Use Cases
6.1. Transfer of in-use prefix and autonomous system number 6.1. Transfer of in-use prefix and autonomous system number
Organization A holds the resource 10.1.0.0/20 and is currently in use Organization A holds the resource 10.1.0.0/20 and it is currently in
and originated from AS64496 with valid RPKI objects in place. use and originated from AS64496 with valid RPKI objects in place.
Organization B has acquired both the prefix and ASN and desires an Organization B has acquired both the prefix and ASN and desires an
RPKI transfer on a particular date and time without adversely RPKI transfer on a particular date and time without adversely
affecting the operational use of the resource. affecting the operational use of the resource.
The following RPKI objects would be created/revoked: TBC The following RPKI objects would be created/revoked: TBC
6.2. Transfer of in-use prefix 6.2. Transfer of in-use prefix
Organization A holds the resource 10.1.0.0/8 and it is currently in Organization A holds the resource 10.1.0.0/8 and it is currently in
use and originated from AS64496 with valid RPKI objects in place. use and originated from AS64496 with valid RPKI objects in place.
Organization B has acquired the address and desires an RPKI transfer Organization B has acquired the address and desires an RPKI transfer
on a particular date and time. This prefix will be originated by on a particular date and time. This prefix will be originated by
AS65551 as a result of this transfer. AS65535 as a result of this transfer.
The following RPKI objects would be created/revoked: TBC The following RPKI objects would be created/revoked: TBC
6.3. Transfer of un-used prefix 6.3. Transfer of un-used prefix
Organization A holds the resource 10.1.0.0/8 and AS65551 (with RPKI Organization A holds the resource 10.1.0.0/8 and AS65535 (with RPKI
objects). Organization B has acquired an unused portion objects). Organization B has acquired an unused portion
(10.1.4.0/24) of the prefix and desires an RPKI transfer on a (10.1.4.0/24) of the prefix and desires an RPKI transfer on a
particular date and time. Organsiation B will originate a route particular date and time. Organization B will originate a route
10.1.4.0/24 from AS64496 10.1.4.0/24 from AS64496
The following RPKI objects would be created/revoked: TBC The following RPKI objects would be created/revoked: TBC
7. Relying Party Use Cases 7. Relying Party Use Cases
7.1. ROA Expiry or receipt of a CRL covering a ROA 7.1. ROA Expiry or receipt of a CRL covering a ROA
In the cases which follow, the terms "expired ROA" or "revoked ROA" In the cases which follow, the terms "expired ROA" or "revoked ROA"
are shorthand, and describe the appropriate revocation or expiry of are shorthand, and describe the appropriate expiry or revocation of
EE or Resource Certificates that causes a relying party to consider the EE or Resource Certificates that causes a relying party to
the corresponding ROA to be viewed as expired or revoked. consider the corresponding ROA to be viewed as expired or revoked.
7.1.1. ROA of Parent Prefix is Revoked 7.1.1. ROA of Parent Prefix is Revoked
A certificate revocation list (CRL) is received which reveals that A certificate revocation list (CRL) is received which reveals that
the ROA containing the prefix 10.1.0.0/16; maxLength 24 with ASN64496 the ROA containing the prefix 10.1.0.0/16; maxLength 24 with ASN64496
is revoked. Further, a prefix route exists in the Internet routing is revoked. Further, a prefix route exists in the Internet routing
system for 10.1.4.0/24 originated from ASN64496. system for 10.1.4.0/24 originated from ASN64496.
The Relying Party interpretation would be: TBC The Relying Party interpretation would be: TBC
skipping to change at page 16, line 51 skipping to change at page 16, line 51
A CRL is received which reveals that the ROA containing the prefix A CRL is received which reveals that the ROA containing the prefix
10.1.0.0/16; maxLength 24 with ASN64496 is revoked. Further, a 10.1.0.0/16; maxLength 24 with ASN64496 is revoked. Further, a
prefix route exists in the Internet routing system for 10.1.4.0/24 prefix route exists in the Internet routing system for 10.1.4.0/24
originated from ASN64496. Additionally, the current ROA list has a originated from ASN64496. Additionally, the current ROA list has a
valid ROA containing the prefix 10.1.0.0/20; maxLength 24 with valid ROA containing the prefix 10.1.0.0/20; maxLength 24 with
ASN64496. ASN64496.
The Relying Party interpretation would be: TBC The Relying Party interpretation would be: TBC
(Clarification: ROA for less specific grandparent prefix 10.1.0.0/16 (Clarification: ROA for less specific grandparent prefix 10.1.0.0/16
was withdrawn) was revoked or withdrawn)
The Relying Party interpretation would be: TBC The Relying Party interpretation would be: TBC
7.1.4. ROA of Prefix Revoked while that of Parent Prefix Prevails 7.1.4. ROA of Prefix Revoked while that of Parent Prefix Prevails
A CRL is received which reveals that the ROA containing the prefix A CRL is received which reveals that the ROA containing the prefix
10.1.4.0/24; maxLength 24 with ASN64496 is revoked. Further, a 10.1.4.0/24; maxLength 24 with ASN64496 is revoked. Further, a
prefix route exists in the Internet routing system for 10.1.4.0/24 prefix route exists in the Internet routing system for 10.1.4.0/24
originated from ASN64496. Additionally, the current ROA list has a originated from ASN64496. Additionally, the current ROA list has a
valid ROA containing the prefix 10.1.0.0/20; maxLength 24 with valid ROA containing the prefix 10.1.0.0/20; maxLength 24 with
ASN64496. ASN64496.
The Relying Party interpretation would be: TBC The Relying Party interpretation would be: TBC
(Clarification: Perhaps the revocation of ROA for prefix 10.1.4.0/24 (Clarification: Perhaps the revocation of ROA for prefix 10.1.4.0/24
was initiated just to eliminate redundancy) was initiated just to eliminate redundancy.)
7.1.5. Expiry of ROA of Parent Prefix 7.1.5. Expiry of ROA of Parent Prefix
A scan of the ROA list reveals that the ROA containing the prefix A scan of the ROA list reveals that the ROA containing the prefix
10.1.0.0/16; maxLength 24 with ASN64496 has expired. Further, a 10.1.0.0/16; maxLength 24 with ASN64496 has expired. Further, a
prefix route exists in the Internet routing system for 10.1.4.0/24 prefix route exists in the Internet routing system for 10.1.4.0/24
originated from ASN64496. originated from ASN64496.
The Relying Party interpretation would be: TBC The Relying Party interpretation would be: TBC
skipping to change at page 18, line 28 skipping to change at page 18, line 28
7.2. Prefix, Origin Validation use cases 7.2. Prefix, Origin Validation use cases
These use cases try to systematically enumerate the situations a These use cases try to systematically enumerate the situations a
relying party may encounter while receiving a BGP update and making relying party may encounter while receiving a BGP update and making
use of ROA information to interpret the validity of the prefix-origin use of ROA information to interpret the validity of the prefix-origin
information in the update. We enumerate the situations or scenarios information in the update. We enumerate the situations or scenarios
but do not make a final recommendation on any RPKI interpretation. but do not make a final recommendation on any RPKI interpretation.
For work on development of prefix-origin validation algorithms, see For work on development of prefix-origin validation algorithms, see
[I-D.ietf-sidr-roa-validation] and [I-D.pmohapat-sidr-pfx-validate]. [I-D.ietf-sidr-roa-validation] and [I-D.pmohapat-sidr-pfx-validate].
Also see [I-D.ietf-idr-deprecate-as-sets] for work-in-progress in the
IDR WG to deprecate AS_SETs in BGP updates (especially in the context
of RPKI-based validation).
7.2.1. Covering ROA Prefix, Maxlength Satisfied, and AS Match 7.2.1. Covering ROA Prefix, maxLength Satisfied, and AS Match
ROA: {10.1.0.0/16, maxlength = 20, AS64496} ROA: {10.1.0.0/16, maxLength = 20, AS64496}
Update has {10.1.0.0/17, Origin = AS64496} Update has {10.1.0.0/17, Origin = AS64496}
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: This is a straight forward prefix-origin validation use Comment: This is a straight forward prefix-origin validation use
case; it follows from the primary intention of creation of ROA by a case; it follows from the primary intention of creation of ROA by a
resource owner. resource owner.
7.2.2. Covering ROA Prefix, Maxlength Exceeded, and AS Match 7.2.2. Covering ROA Prefix, maxLength Exceeded, and AS Match
ROA: {10.1.0.0/16, maxlength = 20, AS64496} ROA: {10.1.0.0/16, maxLength = 20, AS64496}
Update has {10.1.0.0/22, Origin = AS64496} Update has {10.1.0.0/22, Origin = AS64496}
No other relevant ROA No other relevant ROA
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: In this case the maxLength specified in the ROA is exceeded
Comment: In this case the maxlength specified in the ROA is exceeded
by the update prefix. by the update prefix.
7.2.3. Covering ROA Prefix, Maxlength Satisfied, and AS Mismatch: 7.2.3. Covering ROA Prefix, maxLength Satisfied, and AS Mismatch:
ROA: {10.1.0.0/16, maxlength = 24, AS64496} ROA: {10.1.0.0/16, maxLength = 24, AS64496}
Update has {10.1.88.0/24, Origin = AS65551} Update has {10.1.88.0/24, Origin = AS65535}
No other relevant ROA No other relevant ROA
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: In this case an AS other than the one specified in the ROA Comment: In this case an AS other than the one specified in the ROA
is originating an update. This may be a prefix or subprefix hijack is originating an update. This may be a prefix or subprefix hijack
situation. situation.
7.2.4. Covering ROA Prefix, Maxlength Exceeded, and AS Mismatch 7.2.4. Covering ROA Prefix, maxLength Exceeded, and AS Mismatch
ROA: {10.1.0.0/16, maxlength = 22, AS64496} ROA: {10.1.0.0/16, maxLength = 22, AS64496}
Update has {10.1.88.0/24, Origin = AS65551} Update has {10.1.88.0/24, Origin = AS65535}
No other relevant ROA No other relevant ROA
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: In this case the maxlength specified in the ROA is exceeded Comment: In this case the maxLength specified in the ROA is exceeded
by the update prefix, and also an AS other than the one specified in by the update prefix, and also an AS other than the one specified in
the ROA is originating the update. This may be a subprefix hijack the ROA is originating the update. This may be a subprefix hijack
situation. situation.
7.2.5. Covering ROA Prefix Not Found 7.2.5. Covering ROA Prefix Not Found
Update has {240.1.1.0/24, Origin = AS65551} Update has {240.1.1.0/24, Origin = AS65535}
No relevant ROA No relevant ROA
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: In this case there is no relevant ROA that has a covering Comment: In this case there is no relevant ROA that has a covering
prefix for the update prefix. It could be a case of prefix or prefix for the update prefix. It could be a case of prefix or
subprefix hijack situation, but this announcement does not contradict subprefix hijack situation, but this announcement does not contradict
any existing ROA. During partial deployment, there would be some any existing ROA. During partial deployment, there would be some
legitimate prefix-origin announcements for which ROAs may not have legitimate prefix-origin announcements for which ROAs may not have
been issued yet. been issued yet.
7.2.6. Covering ROA Prefix Not Found but ROAs Exist for a Covering Set 7.2.6. Covering ROA Prefix Not Found but ROAs Exist for a Covering Set
of More Specifics of More Specifics
ROA: {10.1.0.0/18, maxlength = 20, AS64496} ROA: {10.1.0.0/18, maxLength = 20, AS64496}
ROA: {10.1.64.0/18, maxlength = 20, AS64496}
ROA: {10.1.128.0/18, maxlength = 20, AS64496} ROA: {10.1.64.0/18, maxLength = 20, AS64496}
ROA: {10.1.192.0/18, maxlength = 20, AS64496} ROA: {10.1.128.0/18, maxLength = 20, AS64496}
ROA: {10.1.192.0/18, maxLength = 20, AS64496}
Update has {10.1.0.0/16, Origin = AS64496} Update has {10.1.0.0/16, Origin = AS64496}
No relevant ROA No relevant ROA
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: In this case the update prefix is an aggregate, and it turns Comment: In this case the update prefix is an aggregate, and it turns
out that there exit ROAs for more specifics which, if combined, can out that there exit ROAs for more specifics which, if combined, can
help support validation of the announced prefix-origin pair. But it help support validation of the announced prefix-origin pair. But it
is very hard in general to breakup an announced prefix into is very hard in general to breakup an announced prefix into
constituent more specifics and check for ROA coverage for those more constituent more specifics and check for ROA coverage for those more
specifics. specifics.
7.2.7. Update has an AS Set as Origin and ROAs Exist for a Covering Set 7.2.7. AS_SET in Update and Covering ROA Prefix Not Found
of More Specifics
ROA: {10.1.0.0/18, maxlength = 20, AS64496}
ROA: {10.1.64.0/18, maxlength = 20, AS64497}
ROA: {10.1.128.0/18, maxlength = 20, AS64498}
ROA: {10.1.192.0/18, maxlength = 20, AS64499}
Update has {10.1.0.0/16, Origin = [AS64496, AS64497, AS64498, Update has {10.1.0.0/16, Origin = [AS64496, AS64497, AS64498,
AS64497]} AS64497]}
No relevant ROA No relevant ROA
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: An extremely small percentage (~0.1%) of eBGP updates are Comment: An extremely small percentage (~0.1%) of eBGP updates are
seen to have AS set in them as origin; this is known as proxy seen to have an AS_SET in them as origin; this is known as proxy
aggregation. In this case the aggregate of the prefixes in the ROAs aggregation. In this case, update with the AS_SET does not conflict
is a covering prefix for the update prefix. The ASs in each of the with any ROA.
contributing ROAs together form a set that matches the AS set in the
update. But it is very hard in general to breakup an announced
prefix into constituent more specifics and check for ROA coverage for
those more specifics.
7.2.8. Update has AS set, Aggregator AS Absent, and Covering ROA Prefix 7.2.8. Singleton AS in AS_SET (in the Update), Covering ROA Prefix, and
Not Found AS Match
Update has {10.1.0.0/24, Origin = [AS64496]} (Note: AS_SET with
singleton AS appears in origin AS position.)
ROA: {10.1.0.0/22, maxLength = 24, AS64496}
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: In the spirit of [I-D.ietf-idr-deprecate-as-sets], possibly
any update with an AS_SET in it should not be considered valid (by
ROA-based validation). But does a scenario as described in the
example here need be treated differently?
Comment: Normally an update that has an AS set should contain an 7.2.9. Singleton AS in AS_SET (in the Update), Covering ROA Prefix, and
Aggregator attribute, but sometimes anomalously the aggregator AS AS Mismatch
attribute may be missing. Normally one may expect to find a ROA
which has a covering prefix and matches the Aggregator AS in the
update. But in this case, Aggregator AS is absent and also no
covering ROA prefix is found.
7.2.9. Update has AS set, Aggregator AS Absent, and Covering ROA Prefix Update has {10.1.0.0/24, Origin = [AS64496]}
(Note: AS_SET with singleton AS appears in origin AS position.)
ROA: {10.1.0.0/22, maxLength = 24, AS65535} No other relevant ROA.
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: In this case, a covering ROA prefix is found but Aggregator Comment: In this case, update with the AS_SET does conflict with a
AS is absent. This would appear to be a prefix or subprefix hijack ROA and there is no other relevant ROA.
situation.
7.2.10. Update has AS set, Aggregator AS Present, and Covering ROA 7.2.10. Multiple ASs in AS_SET (in the Update) and Covering ROA Prefix
Prefix Not Found
Update has {10.1.0.0/22, Origin = [AS64496, AS64497, AS64498,
AS64497]}
ROA: {10.1.0.0/22, maxLength = 24, AS65535} No other relevant ROA.
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: In this case, Aggregator AS is present but a covering ROA Comment: In this case, update with the AS_SET conflicts with a ROA
prefix is not found. and there is no other relevant ROA.
7.2.11. Update has AS set, Aggregator AS Present, Covering ROA Prefix, 7.2.11. Update has an AS_SET as Origin and ROAs Exist for a Covering
and AS Mismatch Set of More Specifics
Recommended RPKI prefix-origin validation interpretation: TBC ROA: {10.1.0.0/18, maxLength = 20, AS64496} ROA: {10.1.64.0/18,
maxLength = 20, AS64497} ROA: {10.1.128.0/18, maxLength = 20,
AS64498} ROA: {10.1.192.0/18, maxLength = 20, AS64499}
Comment: In this case, Aggregator AS is present and a covering ROA Update has {10.1.0.0/16, Origin = [AS64496, AS64497, AS64498,
prefix is found, but the AS in the ROA does not match the Aggregator AS64497]}
AS. This would appear to be a prefix or subprefix hijack situation.
7.2.12. Update has AS set, Aggregator AS Present, Covering ROA Prefix, No (directly) relevant ROA
and AS Match
Recommended RPKI prefix-origin validation interpretation: TBC Recommended RPKI prefix-origin validation interpretation: TBC
Comment: In this case, Aggregator AS is present, a covering ROA Comment: In this case the aggregate of the prefixes in the ROAs is a
prefix is found, and also the AS in the ROA matches the Aggregator covering prefix for the update prefix. The ASs in each of the
AS. contributing ROAs together form a set that matches the AS_SET in the
update. But it is very hard in general to breakup an announced
prefix into constituent more specifics and check for ROA coverage for
those more specifics. In any case, it may be noted once again that
in the spirit of [I-D.ietf-idr-deprecate-as-sets], possibly any
update with an AS_SET in it should not be considered valid (by ROA-
based validation).
8. Acknowledgements 8. Acknowledgements
The authors are indebted to both Sandy Murphy and Sam Weiler for The authors are indebted to both Sandy Murphy and Sam Weiler for
their guidance. Further, the authors would like to thank Curtis their guidance. Further, the authors would like to thank Curtis
Villamizar, Steve Kent, and Danny McPherson for their technical Villamizar, Steve Kent, and Danny McPherson for their technical
insight and review. insight and review.
9. IANA Considerations 9. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
10. Security Considerations 10. Security Considerations
This memo requires no security considerations This memo requires no security considerations
11. Normative References 11. Normative References
[I-D.ietf-idr-deprecate-as-sets]
Kumari, W., "Deprecation of BGP AS_SET, AS_CONFED_SET.",
draft-ietf-idr-deprecate-as-sets-00 (work in progress),
November 2010.
[I-D.ietf-sidr-arch] [I-D.ietf-sidr-arch]
Lepinski, M. and S. Kent, "An Infrastructure to Support Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", draft-ietf-sidr-arch-09 (work in Secure Internet Routing", draft-ietf-sidr-arch-11 (work in
progress), October 2009. progress), September 2010.
[I-D.ietf-sidr-res-certs] [I-D.ietf-sidr-res-certs]
Huston, G., Michaelson, G., and R. Loomans, "A Profile for Huston, G., Michaelson, G., and R. Loomans, "A Profile for
X.509 PKIX Resource Certificates", X.509 PKIX Resource Certificates",
draft-ietf-sidr-res-certs-18 (work in progress), May 2010. draft-ietf-sidr-res-certs-21 (work in progress),
December 2010.
[I-D.ietf-sidr-roa-format] [I-D.ietf-sidr-roa-format]
Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Lepinski, M., Kent, S., and D. Kong, "A Profile for Route
Origin Authorizations (ROAs)", Origin Authorizations (ROAs)",
draft-ietf-sidr-roa-format-06 (work in progress), draft-ietf-sidr-roa-format-09 (work in progress),
October 2009. November 2010.
[I-D.ietf-sidr-roa-validation] [I-D.ietf-sidr-roa-validation]
Huston, G. and G. Michaelson, "Validation of Route Huston, G. and G. Michaelson, "Validation of Route
Origination using the Resource Certificate PKI and ROAs", Origination using the Resource Certificate PKI and ROAs",
draft-ietf-sidr-roa-validation-06 (work in progress), draft-ietf-sidr-roa-validation-10 (work in progress),
May 2010. November 2010.
[I-D.pmohapat-sidr-pfx-validate] [I-D.pmohapat-sidr-pfx-validate]
Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R. Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R.
Austein, "BGP Prefix Origin Validation", Austein, "BGP Prefix Origin Validation",
draft-pmohapat-sidr-pfx-validate-07 (work in progress), draft-pmohapat-sidr-pfx-validate-07 (work in progress),
April 2010. April 2010.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
Addresses and AS Identifiers", RFC 3779, June 2004. Addresses and AS Identifiers", RFC 3779, June 2004.
skipping to change at page 23, line 34 skipping to change at page 24, line 4
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
Authors' Addresses Authors' Addresses
Terry Manderson Terry Manderson
ICANN ICANN
Email: terry.manderson@icann.org Email: terry.manderson@icann.org
Kotikalapudi Sriram Kotikalapudi Sriram
NIST US NIST
Email: ksriram@nist.gov Email: ksriram@nist.gov
Russ White Russ White
Cisco Cisco
Email: russ@cisco.com Email: russ@cisco.com
 End of changes. 95 change blocks. 
154 lines changed or deleted 172 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/