T13: OV: ROA Parent Prefix Revoked, New ROA DiffAS, I-Invalid
2011-11-14 21:08:56 UTC
Check whether an IUT correctly determines and updates the validity state
of received Updates (routes) when a ROA for a parent prefix (i.e., a covering ROA)
is revoked (or expires) and is subsequently renewed with a different AS.
Note that a valid ROA with the same AS also exists, covering a prefix in the
routing table that is more specific than the parent prefix.
The IUT is expected to demonstrate the impact of the revocation/renewal of
a parent ROA on route selection based on the route validity state.
It is assumed that a ROA is considered revoked or expired when the EE certificate used to
sign the corresponding ROA is revoked or expired, or when any intermediate CA
certificate in the certification chain used to validate the EE is expired (or revoked).
The IUT MUST be configured to reject "invalid", and to accept both "valid"
and "unknown", as the validity state of a received route (i.e., a prefix and an origin AS)
for further processing.
Here, a ROA is defined as a "data record" received by the IUT from an RPKI cache.
At the beginning of the test, two ROAs (a more-specific ROA and a covering ROA)
and 6 Updates (see below) are sent to the IUT.
The covering ROA is revoked and later renewed with a different AS than the one in the
previously revoked ROA, to see how the IUT handles the revocation/renewal of a covering ROA.
Scenario and Expectations
- 00:00 - BRITE cache sends two ROAs (data records) to the IUT:
  - ROA 2 [10.10.0.0/20,24,AS30]: ROA for the covering prefix (i.e., super prefix) with maxLength.
  - ROA 3 [10.10.0.0/24,24,AS30]: ROA for the end-entity prefix with no maxLength (or with the prefix length
    equal to maxLength).
- 00:01 - The following BGP Updates are sent to the IUT:
  - Update 2 (10.10.0.0/20, AS30)
  - Update 3 (10.10.128.0/20, AS30)
  - Update 4 (10.10.0.0/24, AS30)
  - Update 5 (10.10.15.0/24, AS30)
  - Update 6 (10.10.128.0/24, AS30)
  - Update 7 (10.10.0.0/24, AS20)
  - BRITE expects to receive five Updates (Updates 2-6) from the IUT, i.e., all except the invalid route, Update 7.
- 00:02 - BRITE revokes ROA 2 and expects to receive no WDs or Updates. The IUT changes
  the validity state of Updates 2 and 5 from "valid" to "unknown" and
  sends no WDs or Updates. Update 4 is still valid since an exact-match ROA exists.
- 00:03 - BRITE sends ROA 5, the previously revoked ROA with a different AS. The IUT performs the following:
  - Advertises WDs for the previously "unknown" routes (Updates 2 and 5), which became "invalid".
  - Announces Update 7, the previously "invalid" route, which became "valid".
- 00:04 - Test ends.
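
The expected states above can be reproduced with a small model of RFC 6811 origin validation. This is an added example, not part of the BRITE test suite or of any IUT; it models per-route validity and the reject-invalid policy only, not best-path selection. It assumes ROA 5 is [10.10.0.0/20,24,AS20], which the page does not state but which follows from Update 7 becoming "valid".

```python
import ipaddress

# ROAs as (prefix, maxLength, origin AS), taken from the scenario.
ROA2 = ("10.10.0.0/20", 24, 30)
ROA3 = ("10.10.0.0/24", 24, 30)
# Assumption: ROA 5 is ROA 2's prefix and maxLength re-issued for AS20.
ROA5 = ("10.10.0.0/20", 24, 20)

# Update number -> (prefix, origin AS), taken from the scenario.
UPDATES = {2: ("10.10.0.0/20", 30), 3: ("10.10.128.0/20", 30),
           4: ("10.10.0.0/24", 30), 5: ("10.10.15.0/24", 30),
           6: ("10.10.128.0/24", 30), 7: ("10.10.0.0/24", 20)}

# ROA set held by the IUT at each step of the timeline.
TIMELINE = [("00:01", [ROA2, ROA3]), ("00:02", [ROA3]), ("00:03", [ROA3, ROA5])]

def validate(prefix, origin_as, roas):
    """RFC 6811 origin validation of one route against a ROA set."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        if route.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True  # at least one ROA covers the route
            if route.prefixlen <= max_len and origin_as == roa_as:
                return "valid"
    return "invalid" if covered else "unknown"

def run():
    """Return [(time, states, withdrawn, announced)] under reject-invalid policy."""
    results, accepted = [], set()
    for time, roas in TIMELINE:
        states = {n: validate(p, a, roas) for n, (p, a) in UPDATES.items()}
        now = {n for n, s in states.items() if s != "invalid"}
        results.append((time, states, sorted(accepted - now), sorted(now - accepted)))
        accepted = now
    return results

if __name__ == "__main__":
    for time, states, wd, ann in run():
        print(time, states, "WD:", wd, "announce:", ann)
```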