> On 12 Feb 2024, at 6:01 pm, Richard Laager <rlaa...@wiktel.com> wrote:
>
> On 2024-02-12 15:18, Job Snijders via NANOG wrote:
>> On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
>>> I was making an observation that the presentation material was
>>> referring to "RPKI-Invalid" while their implementation was using
>>> "ROA-Invalid" There is a difference between these two terms, as I'm
>>> sure you're aware.
>
> I'm sure Job is aware, but I'm not. Anyone want to teach me the difference?
This is _my_ take:

If the crypto leads to a validation failure (expired certificates, signature mismatch in the validation chain, number resource extension mismatch in the validation path, or similar), then the X.509 certificate cannot be validated against a trust anchor and the object (a ROA in this case) is "RPKI-Invalid". RPKI validators discard such objects from consideration as they cannot convey any useful information.
"ROA-Invalid" starts with a route object, not a ROA, and compares the route against the locally assembled collection of RPKI-valid ROAs. If it can find a RPKI-valid ROA that matches the route object then it's "ROA-valid". If it can only find valid RPKI objects that match the prefix part of a ROA, but not the origin AS, or it's a more specific prefix of a RPKI-valid ROA, then it's "ROA-invalid". If no such match is found, then the route is "ROA-unknown".
The distinction being made is:

"RPKI-invalid" refers to a crypto object and the ability of a local party (a "relying party") to confirm its crypto-validity against a locally selected trust anchor (or set of trust anchors).

"ROA-invalid" refers to a route object and a collection of RPKI-valid ROAs that have been assembled by an observer, and refers to the outcome of the observer testing this route against this locally assembled collection of ROAs.
Geoff
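The route check Geoff describes, as an added example that is not part of the thread: a route (prefix, origin AS) is tested against a locally assembled set of RPKI-valid ROAs and comes out "valid", "invalid" or "unknown". The ROAs and routes below are constructed sample data; the `Roa` class and `validate_route` function are this example's own names.

```python
# Added example: route origin validation against RPKI-valid ROAs.
# A ROA carries a prefix, a maxLength and an origin ASN. A route is
#   "valid"   if some ROA covering the prefix names the origin AS and
#             permits a prefix this long,
#   "invalid" if ROAs cover the prefix but none match (wrong AS, or the
#             route is more specific than any ROA allows),
#   "unknown" if no RPKI-valid ROA covers the prefix at all.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the ROA authorises
    asn: int         # authorised origin AS


def _covers(roa_net, route_net) -> bool:
    # A ROA covers a route when the route lies inside the ROA's prefix.
    # subnet_of() raises on mixed address families, so check that first.
    return roa_net.version == route_net.version and route_net.subnet_of(roa_net)


def validate_route(prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one route announcement."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if _covers(ipaddress.ip_network(r.prefix), route)]
    if not covering:
        return "unknown"  # no RPKI-valid ROA says anything about this prefix
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered, but wrong origin AS or too specific


# Constructed sample ROAs (documentation prefixes and private ASNs).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("192.0.2.0/24", 24, 64500),   # a second authorised origin
    Roa("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                     ("192.0.2.0/25", 64496), ("198.51.100.0/24", 64496),
                     ("2001:db8:1::/48", 64496)]:
        print(pfx, asn, validate_route(pfx, asn, SAMPLE_ROAS))
```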