[c-nsp] RPKI validation weirdness

Robert Raszuk robert at raszuk.net
Fri May 8 06:10:06 EDT 2020


Lukas,

True. But I am actually not sure why RPKI state could not just expire by
itself, say every 12 months, unless renewed by the owner? Just like a DNS name
fee :)

Thx,
R.



On Fri, May 8, 2020 at 12:02 PM Lukas Tribus <lists at ltri.eu> wrote:

> Hello Robert,
>
> On Fri, 8 May 2020 at 11:42, Robert Raszuk <robert at raszuk.net> wrote:
> > See when you sign a block then sell this block without removing your RPKI
> > signature, then the block gets cut into chunks and sold further - and no
> > one in this process of transaction chain cares about RPKI - this entire
> > story of using this for validation becomes pretty weak. And this is no
> > longer NOT-FOUND. You get false INVALIDs which some may apply to suppress
> > or drop.
>
> Well it's the IRR's job to get this right, and update RPKI data and/or
> remove obsolete delegations. Just like with reverse-DNS objects.
>
> It's not like when you are buying a new block, you can't use reverse
> DNS on those new IPs. And RPKI needs to be updated just the same, by
> the IRR.
>
> I'd assume some IRRs are better than others when it comes to handling
> those things.
>
>
> Lukas
>
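
The false-INVALID case discussed in this thread, as an added example that is not part of the original messages: a minimal RFC 6811 route origin validation in Python, showing that a ROA left behind by a previous holder turns the new holder's announcement from NOT-FOUND into INVALID. The prefixes (documentation range 198.51.100.0/24), the AS numbers (documentation ASNs 64496 and 64497) and the ROA sets are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


def validate(route_prefix: str, origin_asn: int, vrps: list) -> str:
    """Return VALID, INVALID or NOT-FOUND for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP "covers" the route when the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match also needs an allowed length and the same origin AS.
        # AS0 never matches any announcement.
        if (route.prefixlen <= vrp.max_length
                and vrp.asn == origin_asn and vrp.asn != 0):
            return "VALID"
    # Covered by at least one VRP but matched by none: INVALID.
    return "INVALID" if covered else "NOT-FOUND"


# Constructed data: AS64496 signed the /24, then the block was sold and split.
STALE_ROAS = [VRP("198.51.100.0/24", 24, 64496)]
# Constructed data: old ROA removed, new holder AS64497 signed its /25.
UPDATED_ROAS = [VRP("198.51.100.0/25", 25, 64497)]

if __name__ == "__main__":
    new_route = ("198.51.100.0/25", 64497)
    print("no ROA at all :", validate(*new_route, []))
    print("stale ROA left:", validate(*new_route, STALE_ROAS))
    print("ROA updated   :", validate(*new_route, UPDATED_ROAS))
```

A network that drops INVALID routes would discard the new holder's /25 in the stale-ROA case, while the same announcement with no ROA at all would still be accepted as NOT-FOUND.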

