Routing Security SIG - Shared screen with speaker view
Paul Wilson
15:56
Hi everyone. Great to see you all here!
张宇HIT
25:28
1 question: can or will rpkiviz show historical data?
Geoff Huston
35:00
It's not a legal document - it's a statement of intent to justify relying party trust
Ties de Kock
44:14
CPS template RFC: https://datatracker.ietf.org/doc/html/rfc7382
Geoff Huston
47:15
To quote RFC6487, 4.8.9. Certificate Policies: "This extension MUST be present and MUST be marked critical. It MUST include exactly one policy, as specified in the RPKI CP [RFC6484]"
Geoff Huston
48:07
i.e. EVERY CA in the RPKI needs to reference a CP in their issued certificates
Aftab Siddiqui
48:09
“MUST” but who enforces the MUST
Paul Wilson
48:11
Congratulations Taiji.
Di Ma
48:26
Congratulations Taiji.
Geoff Huston
48:46
a validation should reject as INVALID any CA certificate that is missing a MUST attribute in a certificate
Geoff Huston
48:55
so the validator enforces the MUST in this case
Ties de Kock
50:45
> i.e. EVERY CA in the RPKI needs to reference a CP in their issued certificates
Ties de Kock
51:28
I think that refers to indicating (with that CP OID) that it is an RPKI certificate?
Geoff Huston
01:00:31
You are correct Ties, and I don't think I was as clear as I could be. Yes, every issued certificate has a Policy OID that says it's an RPKI certificate, and this OID is a reference to RFC6484, which itself states that every CA should issue a Certification Practice Statement (section 2.2 of RFC6484)
Ties de Kock
01:01:37
👍
Di Ma
01:04:30
Granted, it is up to the RP to conform to these RFC standards technically. I doubt it would be a catastrophe if an RP rejected the whole CA just because of the absence of a CPS in practice
Rafdian Rasyid
01:05:38
If I'm not mistaken, the ROA status for a particular prefix would be:
- Valid
- Invalid
- Unknown
Question: For status "unknown", what would be the impact for the end users? Will he/she who is using that prefix still be able to access the Internet?
Di Ma
01:05:39
maybe APNIC community could set a policy to make it mandatory
Ties de Kock
01:07:00
@Di Ma: Routinator 0.9 and the latest RIPE validator check for the existence of that policy OID. A resource certificate MUST have this CP OID to be a resource certificate.
Geoff Huston
01:07:03
@rafdian - yes, a prefix that is not described in any valid ROA (i.e. unknown) is treated '
Ties de Kock
01:07:23
But checking if there is a CPS and if that provides enough controls for you to trust the certificates: That is a people-process, not a software-process.
Geoff Huston
01:08:37
… is treated ‘normally’ and NOT dropped. SOME operators might put a higher local pref on a route with a valid ROA in preference to an unknown, but frankly if this means that the operator prefers aggregates over more specifics in such cases then this might be unwise!
Rafdian Rasyid
01:08:55
thanks @Geoff
Di Ma
01:09:00
@Ties so I suggest we might as well set a policy to make it MUST
Di Ma
01:09:18
RFC for RP and Policy for people
Geoff Huston
01:20:12
60 minutes is not “everybody”, unfortunately
Geoff Huston
01:20:25
I have a slide pack that talked about this - I’ll post a URL
Aftab Siddiqui
01:20:33
What is the max? Geoff
Geoff Huston
01:21:07
https://www.potaroo.net/presentations/2020-09-25-rpki-hknog.pdf
Geoff Huston
01:21:14
75% are within 2 hours
Geoff Huston
01:21:42
The other 25% are between 2 hours and 24 hours!
Geoff Huston
01:22:13
i.e. ROAs take a significant amount of time to be promulgated _everywhere_
NANDINI SHARMA
01:44:26
Thank you for such an informative session :)