On 12 Feb 2024, at 6:01 pm, Richard Laager <rlaager@wiktel.com> wrote:
On 2024-02-12 15:18, Job Snijders via NANOG wrote:
On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
I was making an observation that the presentation material was referring to "RPKI-Invalid" while their implementation was using "ROA-Invalid". There is a difference between these two terms, as I'm sure you're aware.
I'm sure Job is aware, but I'm not. Anyone want to teach me the difference?
This is _my_ take:

If the crypto leads to a validation failure (expired certificates, signature mismatch in the validation chain, number resource extension mismatch in the validation path, or similar), then the X.509 certificate cannot be validated against a trust anchor and the object (a ROA in this case) is "RPKI-Invalid". RPKI validators discard such objects from consideration as they cannot convey any useful information.

"ROA-Invalid" starts with a route object, not a ROA, and compares the route against the locally assembled collection of RPKI-valid ROAs. If it can find a RPKI-valid ROA that matches the route object then it's "ROA-valid". If it can only find valid RPKI objects that match the prefix part of a ROA, but not the origin AS, or it's a more specific prefix of a RPKI-valid ROA, then it's "ROA-invalid". If no such match is found, then the route is "ROA-unknown".

The distinction being made is: "RPKI-invalid" refers to a crypto object and the ability of a local party (a "relying party") to confirm its crypto-validity against a locally selected trust anchor (or set of trust anchors). "ROA-invalid" refers to a route object and a collection of RPKI-valid ROAs that have been assembled by an observer, and refers to the outcome of the observer testing this route against this locally assembled collection of ROAs.

Geoff
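The two stages Geoff describes, as an added worked example that is not part of the thread or of any validator's code: stage one is the relying-party step that discards objects whose cryptographic validation failed (the "RPKI-invalid" ones), leaving a set of validated ROA payloads; stage two takes a route (prefix plus origin AS) and tests it against that set, following the RFC 6811 route origin validation outcomes of valid, invalid and unknown. The ROA records, the `rpki_valid` flag standing in for the outcome of the real certificate-chain check, and all prefixes and AS numbers are constructed for illustration (documentation prefixes and private-use ASNs).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: what survives stage one (crypto validation)."""
    prefix: IPNetwork
    max_length: int
    origin_as: int


# Constructed ROA records as a relying party might hold them after fetching.
# 'rpki_valid' is a stand-in for the result of the X.509 / signature / resource
# checks; a real validator derives it from the certificate chain, not a flag.
ROA_RECORDS = [
    {"prefix": "192.0.2.0/24",    "max_length": 24, "origin_as": 64496, "rpki_valid": True},
    {"prefix": "198.51.100.0/22", "max_length": 24, "origin_as": 64497, "rpki_valid": True},
    {"prefix": "2001:db8::/32",   "max_length": 48, "origin_as": 64496, "rpki_valid": True},
    # Expired or badly signed object: RPKI-invalid, so it must not influence ROV.
    {"prefix": "203.0.113.0/24",  "max_length": 24, "origin_as": 64498, "rpki_valid": False},
]


def to_vrps(records) -> List[VRP]:
    """Stage one: keep only objects that passed cryptographic validation."""
    return [
        VRP(ipaddress.ip_network(r["prefix"]), r["max_length"], r["origin_as"])
        for r in records
        if r["rpki_valid"]
    ]


def covers(vrp: VRP, route: IPNetwork) -> bool:
    """A VRP covers a route when the route is the VRP prefix or a more specific of it."""
    return vrp.prefix.version == route.version and route.subnet_of(vrp.prefix)


def validate_route(route_prefix: str, origin_as: int, vrps: List[VRP]) -> str:
    """Stage two: RFC 6811 route origin validation against the VRP set.

    unknown  - no VRP covers the route
    valid    - a covering VRP has the same origin AS and route length <= maxLength
    invalid  - covering VRPs exist, but none satisfies both conditions
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "unknown"
    for v in covering:
        if v.origin_as == origin_as and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


VRPS = to_vrps(ROA_RECORDS)

if __name__ == "__main__":
    sample_routes = [
        ("192.0.2.0/24", 64496),     # exact match            -> valid
        ("192.0.2.0/24", 64499),     # wrong origin           -> invalid
        ("192.0.2.0/25", 64496),     # longer than maxLength  -> invalid
        ("198.51.100.0/24", 64497),  # within maxLength       -> valid
        ("203.0.113.0/24", 64498),   # only an RPKI-invalid ROA covers it -> unknown
        ("2001:db8:1::/48", 64496),  # IPv6, within maxLength -> valid
    ]
    for prefix, asn in sample_routes:
        print(f"{prefix:18} AS{asn}: {validate_route(prefix, asn, VRPS)}")
```

The 203.0.113.0/24 case is the one that separates the two vocabularies: the ROA for it is RPKI-invalid and is dropped in stage one, so the route ends up ROA-unknown, not ROA-invalid. Note that ROA-invalid under this algorithm is a statement about the route relative to the accepted ROAs, not about any object's signature.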