[176624] in North American Network Operators' Group


Re: ARIN's RPKI Relying agreement

daemon@ATHENA.MIT.EDU (John Curran)
Sat Dec 6 13:26:23 2014

X-Original-To: nanog@nanog.org
From: John Curran <jcurran@arin.net>
To: Alex Band <alexb@ripe.net>
Date: Sat, 6 Dec 2014 18:26:05 +0000
In-Reply-To: <D37733D0-86E9-4F22-9502-515DC48566A8@ripe.net>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Dec 6, 2014, at 3:27 AM, Alex Band <alexb@ripe.net> wrote:
>
> If ARIN (or another RIR) went offline or signed broken data, all signed
> prefixes that previously had the RPKI status "Valid" would fall back to
> the state "Unknown", as if they were never signed in the first place.
> The state would NOT be "Invalid".

Alex -

Depends on the nature of the error...  In cases of overclaiming,
the current validation algorithm could result in "Invalid".  This
could happen, for example, if a major ISP were to initiate transfer
of some number resources to their business unit in another region,
and then fail locally to swing to certs with the reduced resource
list in a timely manner...  All of the remaining prefixes in the
existing cert would be deemed "invalid" and that could easily result
in some very significant disruption for those validating w/RPKI.
(i.e. as noted in <draft-ietf-sidr-rpki-validation-reconsidered-00>)

FYI,
/John

John Curran
President and CEO
ARIN
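
The overclaiming case discussed in the message above, as an added example that is not part of the original post: a simplified model comparing the current all-or-nothing resource check with the intersection approach of the cited draft, and the route origin validation state that follows. The prefixes, AS numbers, function names and the covering aggregate ROA are constructed assumptions, and ROAs are checked directly against the CA certificate's resources.

```python
import ipaddress as ip

def covered(net, resources):
    return any(net.subnet_of(r) for r in resources)

def strict(issuer, child):
    # Current algorithm: one resource outside the issuer's set rejects the whole certificate.
    return list(child) if all(covered(n, issuer) for n in child) else []

def reconsidered(issuer, child):
    # draft-ietf-sidr-rpki-validation-reconsidered: keep the intersection with the issuer's set.
    return [n for n in child if covered(n, issuer)]

def usable_roas(roas, verified):
    # A ROA yields a validated payload only if its prefix lies in the verified resources.
    return [r for r in roas if covered(r[0], verified)]

def origin_state(route, origin, vrps):
    # Route origin validation outcome (RFC 6811): valid, invalid or not-found.
    covering = [(p, m, a) for p, m, a in vrps if route.subnet_of(p)]
    if not covering:
        return "not-found"
    ok = any(a == origin and route.prefixlen <= m for _, m, a in covering)
    return "valid" if ok else "invalid"

N = ip.ip_network
# Constructed data: documentation prefixes (2001:db8::/32) and documentation ASNs.
ISSUER_AFTER = [N("2001:db8:a::/48"), N("2001:db8:b::/48")]  # c::/48 transferred away
STALE_CHILD = ISSUER_AFTER + [N("2001:db8:c::/48")]          # cert not yet reissued
ROAS = [(n, 48, 64496) for n in STALE_CHILD]
# Hypothetical covering ROA published under a different, still-valid certificate.
AGGREGATE = [(N("2001:db8::/32"), 32, 64511)]

def states(algorithm, other_vrps=()):
    """Validation state of each /48 announced by AS64496 under the given algorithm."""
    vrps = usable_roas(ROAS, algorithm(ISSUER_AFTER, STALE_CHILD)) + list(other_vrps)
    return {str(p): origin_state(p, 64496, vrps) for p in STALE_CHILD}

if __name__ == "__main__":
    for name, alg in (("strict", strict), ("reconsidered", reconsidered)):
        print(name, "no other ROA:  ", states(alg))
        print(name, "with aggregate:", states(alg, AGGREGATE))
```
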

