NICMx / FORT-validator

RPKI cache validator
MIT License

Should ROA's ASN be validated as a subset of parent's cert ASN range? #10

Closed TheRedTrainer closed 5 years ago

TheRedTrainer commented 5 years ago

If a ROA contains an ASN that is not included in its parent's EE and CA certs' ASN range (for example, the parent EE and CA define an ASN range like 1000-2000 and the ROA contains the ASN 999999), the validator doesn't report any error.

Should ROA's ASN be validated as a subset of parent's cert ASN range?

ydahhrk commented 5 years ago

RFC 6482:

4.  ROA Validation

   Before a relying party can use a ROA to validate a routing
   announcement, the relying party MUST first validate the ROA.  To
   validate a ROA, the relying party MUST perform all the validation
   checks specified in [RFC6488] as well as the following additional
   ROA-specific validation step.

   o  The IP address delegation extension [RFC3779] is present in the
      end-entity (EE) certificate (contained within the ROA), and each
      IP address prefix(es) in the ROA is contained within the set of IP
      addresses specified by the EE certificate's IP address delegation
      extension.

It doesn't say that the ASN needs to match. (Or that we have to validate the ASN, for that matter.)
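The ROA-specific step quoted above (RFC 6482 section 4) is a pure containment check on IP resources. The following is an added illustration of that step, not FORT's code: the `Roa`, `RoaPrefix`, `ee_resources` and `validate_roa` names and the sample certificate resources and ROA contents are all constructed for this example. It also applies the maxLength bound from RFC 6482 section 3.3 (maxLength must lie between the prefix length and the address-family maximum), and it deliberately does not compare the ROA's asID with anything in the EE certificate, which is the reading of the RFC given in the comment above.

```python
"""RFC 6482 section 4 ROA validation step, written as a stand-alone example.
Not FORT-validator code; all resource data below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class RoaPrefix:
    prefix: str                       # ROAIPAddress, e.g. "10.1.0.0/16"
    max_length: Optional[int] = None  # optional maxLength (RFC 6482 section 3.3)


@dataclass
class Roa:
    as_id: int                 # asID: NOT compared against the EE cert by RFC 6482 section 4
    prefixes: List[RoaPrefix]


def ee_resources(entries: Iterable[Union[str, Tuple[str, str]]]) -> List[Net]:
    """Expand the EE certificate's IP address delegation extension (RFC 3779)
    into networks. RFC 3779 allows both prefixes and (first, last) address
    ranges; ranges are split into the minimal set of covering prefixes."""
    nets: List[Net] = []
    for entry in entries:
        if isinstance(entry, tuple):
            first, last = (ipaddress.ip_address(a) for a in entry)
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def validate_roa(roa: Roa, ee_ip_resources: List[Net]) -> List[str]:
    """Return the list of RFC 6482 violations (empty list means the ROA passes).

    Checks performed:
      - the EE certificate carries an IP address delegation extension;
      - every ROA prefix is contained in the EE certificate's IP resources;
      - every maxLength, if present, lies in [prefix length, AFI maximum].
    RFC 6488 checks (signature, CMS structure, ...) are out of scope here.
    """
    errors: List[str] = []
    if not ee_ip_resources:
        errors.append("EE certificate lacks an IP address delegation extension")
        return errors
    for rp in roa.prefixes:
        net = ipaddress.ip_network(rp.prefix, strict=True)
        if rp.max_length is not None and not (
            net.prefixlen <= rp.max_length <= net.max_prefixlen
        ):
            errors.append(
                f"{rp.prefix}: maxLength {rp.max_length} out of range "
                f"[{net.prefixlen}, {net.max_prefixlen}]"
            )
        # subnet_of() raises on mixed address families, so match the AFI first.
        covered = any(
            net.version == res.version and net.subnet_of(res)
            for res in ee_ip_resources
        )
        if not covered:
            errors.append(f"{rp.prefix}: not covered by EE certificate IP resources")
    return errors


# Constructed sample data: an EE certificate holding 10.0.0.0/8 and
# 2001:db8::/32, and a ROA for asID 999999 with two good and two bad entries.
SAMPLE_EE = ee_resources(["10.0.0.0/8", "2001:db8::/32"])
SAMPLE_ROA = Roa(
    as_id=999999,
    prefixes=[
        RoaPrefix("10.1.0.0/16", 24),       # covered, maxLength fine
        RoaPrefix("10.2.0.0/16", 8),        # covered, but maxLength < prefix length
        RoaPrefix("192.0.2.0/24"),          # outside the EE certificate's resources
        RoaPrefix("2001:db8:1::/48", 64),   # covered, maxLength fine
    ],
)


def run_example() -> List[str]:
    """Validate the constructed ROA against the constructed EE resources."""
    return validate_roa(SAMPLE_ROA, SAMPLE_EE)


if __name__ == "__main__":
    for err in run_example():
        print("ROA invalid:", err)
```

Running the example reports two problems (the bad maxLength and the uncovered 192.0.2.0/24) and says nothing about asID 999999, because RFC 6482 only asks the relying party to check the prefixes against the EE certificate's IP delegation.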

ydahhrk commented 5 years ago

I just sent you an e-mail that explains the rationale.