[RPKI] Filtering of Unsafe VRPs

George Michaelson ggm at algebras.org
Wed Sep 23 22:32:28 UTC 2020


I see a distinction between missing data, and invalid objects.

Missing data, because the MNF file does not type the missing object,
nor specify the prefix and ASN it certifies, is an "unknown unknowns"
problem: you can't tell if the intent of the missing data would permit
or deny *ANY* other data you have, at that point in the repository
data tree, and all descendent children. The object could (in
principle) radically alter your forwarding intent. It's not safe to
proceed. Because the definition of "missing" is that a valid Manifest
said it should be seen, you have a cryptographically strong statement
"something you don't understand" can't be seen. Not safe to proceed.

Incorrectly signed data is different. You have reason to believe you
may know contextually what it is. If the ASN.1 can shape more
information, it's not inherently clear that you have to reject all
other things. It may be mal-signed. It may be mal-formed. It may not
be readable, in which case, you probably do have to go to "missing".
But, if you know what it says but just don't believe it, why would you
reject un-associated information, beyond general distrust of the
publication point?

There is an argument implicitly in the above, that for MNF, not having
it catalog the prefix and origin-as it's talking about, may (in
hindsight) have been a mistake.

cheers

-G
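
The distinction drawn in the message above, as an added Python sketch (not part of the original message and not the behaviour of any particular relying-party software). The JSON objects, the `sig_ok` field and the function names are constructed stand-ins for real signed objects and signature validation.

```python
import json

def roa(sig_ok, *vrps):
    """Build a constructed JSON stand-in for a signed object (not real CMS/ASN.1)."""
    return json.dumps({"sig_ok": sig_ok, "vrps": [list(v) for v in vrps]}).encode()

def evaluate_publication_point(manifest_names, fetched):
    """Return (usable, vrps, dropped, reason) for one publication point.

    manifest_names: file names a valid manifest says must be present.
    fetched: {name: bytes} actually retrieved from the repository.
    usable=False means: do not use this point or descend into its children.
    """
    vrps, dropped = [], []
    for name in sorted(manifest_names):
        data = fetched.get(name)
        if data is None:
            # Listed but absent: the manifest does not say which prefix or
            # ASN it covered, so nothing at this point can be relied on.
            return False, [], [], f"missing: {name}"
        try:
            obj = json.loads(data)
            sig_ok = bool(obj["sig_ok"])
            claims = [(p, int(m), int(a)) for p, m, a in obj["vrps"]]
        except (ValueError, KeyError, TypeError):
            # Unreadable: its content is unknown, so it degrades to "missing".
            return False, [], [], f"unreadable: {name}"
        if sig_ok:
            vrps.extend(claims)
        else:
            # Readable but not believed: discard this object only.
            dropped.append(name)
    return True, vrps, dropped, "ok"

# Constructed sample data (documentation prefixes and ASNs).
SAMPLE_MANIFEST = ["a.roa", "b.roa", "c.roa"]
SAMPLE_FETCHED = {
    "a.roa": roa(True, ("192.0.2.0/24", 24, 64496)),
    "b.roa": roa(False, ("198.51.100.0/24", 24, 64497)),
    "c.roa": roa(True, ("203.0.113.0/24", 24, 64498)),
}

if __name__ == "__main__":
    print(evaluate_publication_point(SAMPLE_MANIFEST, SAMPLE_FETCHED))
    partial = {k: v for k, v in SAMPLE_FETCHED.items() if k != "c.roa"}
    print(evaluate_publication_point(SAMPLE_MANIFEST, partial))
```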

