[c-nsp] RPKI validation weirdness

Lukas Tribus lists at ltri.eu
Fri May 8 06:02:28 EDT 2020


Hello Robert,

On Fri, 8 May 2020 at 11:42, Robert Raszuk <robert at raszuk.net> wrote:
> See when you sign a block then sell this block without removing your RPKI
> signature, then the block gets cut into chunks and sold further - and no
> one in this process of transaction chain cares about RPKI - this entire
> story of using this for validation becomes pretty weak. And this is no
> longer NOT-FOUND. You get false INVALIDs which some may apply to suppress
> or drop.

Well it's the IRR's job to get this right, and update RPKI data and/or
remove obsolete delegations. Just like with reverse-DNS objects.

It's not like when you are buying a new block, you can't use reverse
DNS on those new IPs. And RPKI needs to be updated just the same, by
the IRR.

I'd assume some IRRs are better than others when it comes to handling
those things.


Lukas
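
Added example, not part of the original message: a minimal RFC 6811-style origin validation in Python showing the effect described in the quoted text, where a ROA left behind by the seller turns the buyers' announcements into INVALID instead of NOT-FOUND. The prefixes and AS numbers are constructed from documentation ranges, and both VRP lists are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes and AS numbers).
# Each VRP (validated ROA payload) is (prefix, max_length, origin_asn).
SELLER, BUYER_A, BUYER_B = 64496, 64500, 64501

# Assumed state after the sale: the seller's ROA was never removed.
STALE_VRPS = [("198.51.100.0/24", 24, SELLER)]

# Assumed state once the registry data reflects the two new holders.
UPDATED_VRPS = [
    ("198.51.100.0/25", 25, BUYER_A),
    ("198.51.100.128/25", 25, BUYER_B),
]


def validate(route_prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one BGP route."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for prefix, max_len, asn in vrps:
        roa_net = ipaddress.ip_network(prefix)
        # A VRP covers the route when the route is the same prefix
        # or a more specific one inside it.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering VRP matches only if the origin AS agrees and the
        # route is no longer than maxLength. AS 0 never matches.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    routes = [
        ("198.51.100.0/25", BUYER_A),    # chunk sold to buyer A
        ("198.51.100.128/25", BUYER_B),  # chunk sold to buyer B
        ("203.0.113.0/24", BUYER_A),     # prefix with no ROA at all
    ]
    for label, vrps in (("stale", STALE_VRPS), ("updated", UPDATED_VRPS)):
        for prefix, asn in routes:
            print(label, prefix, f"AS{asn}", validate(prefix, asn, vrps))
```

With the stale ROA both /25 announcements come back invalid, while the prefix that has no ROA stays not-found; with the updated VRPs the same two announcements validate.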

