Transcript of "Validation of RPKI Objects Using a Local Cache"
Validation of RPKI objects using a local cacheThursday, November 8, 12
Problems with current • Very tight coupling to rsync – Need to process objects not on manifest – Vulnerable to updates happening during fetch • Preﬁx validate wants to know all ROAs • Implementations use URI as identiﬁers for objects – Multiple publication points complicated – Same for alternative fetch mechanisms Tim Bruijnzeels, IETF85 2Thursday, November 8, 12
Decoupling object retrieval • Use SIA, AIA and CRLDP only for object discovery • Allows for other retrieval mechanisms – rsync – bittorrent – http with / without deltas – multiple publication points – other.. Tim Bruijnzeels, IETF85 3Thursday, November 8, 12
Validation using ‘just objects’ ﬁnd by: ﬁnd by: Key Identiﬁer hash TA Cert MFT EE CRL there can be SKI AKI AKI only one... TAL latest? CA1 Cert MFT EE signature ok? SKI AKI all objects? CA2 Cert MFT EE SKI AKI Tim Bruijnzeels, IETF85 4Thursday, November 8, 12
Differences from current RFCs • Strict interpretation of current repository standards – Some clariﬁcation for CAs might be useful: MUST 1 mft, 1 crl, all objects that need to be known • Manifests authoritative source for walking the tree – Ignores objects that the CA does not put on mft – May be strict if objects are missing, e.g. go with last known good state if available • SIA, AIA and CRLDP only for discovery Tim Bruijnzeels, IETF85 5Thursday, November 8, 12
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.