0
Validation of RPKI                           objects using a local                           cacheThursday, November 8, 12
Problems with current        •    Very tight coupling to rsync                –   Need to process objects not on manifest ...
Decoupling object retrieval        •    Use SIA, AIA and CRLDP only for object discovery        •    Allows for other retr...
Validation using ‘just objects’                                          find by:      find by:                             ...
Differences from current RFCs        •    Strict interpretation of current repository standards                –   Some cl...
Upcoming SlideShare
Loading in...5
×

Validation of RPKI Objects Using a Local Cache

386

Published on

Presentation given by Tim Bruijnzeels at IETF 85 in Atlanta, GA, USA on 8 November 2012

Published in: Lifestyle
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
386
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Validation of RPKI Objects Using a Local Cache"

  1. 1. Validation of RPKI objects using a local cacheThursday, November 8, 12
  2. 2. Problems with current • Very tight coupling to rsync – Need to process objects not on manifest – Vulnerable to updates happening during fetch • Prefix validate wants to know all ROAs • Implementations use URI as identifiers for objects – Multiple publication points complicated – Same for alternative fetch mechanisms Tim Bruijnzeels, IETF85 2Thursday, November 8, 12
  3. 3. Decoupling object retrieval • Use SIA, AIA and CRLDP only for object discovery • Allows for other retrieval mechanisms – rsync – bittorrent – http with / without deltas – multiple publication points – other.. Tim Bruijnzeels, IETF85 3Thursday, November 8, 12
  4. 4. Validation using ‘just objects’ find by: find by: Key Identifier hash TA Cert MFT EE CRL there can be SKI AKI AKI only one... TAL latest? CA1 Cert MFT EE signature ok? SKI AKI all objects? CA2 Cert MFT EE SKI AKI Tim Bruijnzeels, IETF85 4Thursday, November 8, 12
  5. 5. Differences from current RFCs • Strict interpretation of current repository standards – Some clarification for CAs might be useful: MUST 1 mft, 1 crl, all objects that need to be known • Manifests authoritative source for walking the tree – Ignores objects that the CA does not put on mft – May be strict if objects are missing, e.g. go with last known good state if available • SIA, AIA and CRLDP only for discovery Tim Bruijnzeels, IETF85 5Thursday, November 8, 12
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×