Showing T13: OV: ROA Parent Prefix Revoked,New ROA DiffAS,I-Invalid

Owner okim
Date created 2011-11-14 21:08:56 UTC

Test Description

Check whether an IUT correctly determines and updates the validity state of received Updates (routes) when a ROA for a parent prefix (i.e., a covering ROA) is revoked (or expires) and is subsequently renewed with a different AS. Note that a valid ROA with the same AS exists, which contains a more specific prefix than the parent prefix in the routing table. The IUT is expected to demonstrate the impact of the revocation/renewal of a parent ROA on route selection based on the route validity state. A ROA is assumed to be revoked or expired when the EE used to sign the corresponding ROA is revoked or expired, or when any intermediate CA certificate in the certification chain used to validate the EE is expired (or revoked).

Requirements

The IUT MUST be configured to reject received routes whose validity state is "invalid", and to accept routes whose validity state is "valid" or "unknown" for further processing (a route being a prefix and an originAS). Here, a ROA is defined as a "data record" received by the IUT from an RPKI Cache.

Test data

At the beginning of the test, two ROAs (a more-specific ROA and a covering ROA) and 6 Updates (see below) are sent to the IUT. The covering ROA is revoked and later renewed with a different AS from that in the previously revoked ROA, to see how the IUT handles the revocation/renewal of a covering ROA.

Scenario and Expectations

  • 00:00 - BRITE cache sends two ROAs (data records) to the IUT:
    • ROA 2 [10.10.0.0/20,24,AS30]: ROA for covering prefix (i.e., super prefix) with maxLength.
    • ROA 3 [10.10.0.0/24,24,AS30]: ROA for end-entity prefix with no maxLength (or prefix length is equal to maxLength).
  • 00:01 - The following BGP Updates are sent to the IUT:
    • Update 2 (10.10.0.0/20, AS30)
    • Update 3 (10.10.128.0/20, AS30)
    • Update 4 (10.10.0.0/24, AS30)
    • Update 5 (10.10.15.0/24, AS30)
    • Update 6 (10.10.128.0/24, AS30)
    • Update 7 (10.10.0.0/24, AS20)
    • BRITE expects to receive five Updates (Updates 2-6) from the IUT, but not Update 7, which is an invalid route.
  • 00:02 - BRITE revokes ROA 2 and expects to receive no WDs or Updates. The IUT changes the validity state of Updates 2 and 5 from "valid" to "unknown" and sends no WDs or Updates. Update 4 is still valid since an exact-match ROA exists.
  • 00:03 - BRITE sends ROA 5, the previously revoked ROA with a different AS. The IUT performs the following:
    • Advertises WDs for the previously "unknown" routes (Updates 2 and 5), which become "invalid".
    • Announces Update 7, the previously "invalid" route, which becomes "valid".
  • 00:04 - Test ends.
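
The expected states in the scenario above can be reproduced by applying the RFC 6811 origin-validation rules to the test data at each step. This is an added example, not part of the BRITE test suite. It assumes ROA 5 is [10.10.0.0/20,24,AS20], since the page only says "different AS", and the function names are illustrative.

```python
from ipaddress import ip_network

def validity(route, roas):
    """RFC 6811 origin validation. route=(prefix, origin AS); roas=[(prefix, maxLength, AS)]."""
    net, origin = ip_network(route[0]), route[1]
    covered = False
    for roa_prefix, max_len, asn in roas:
        if net.subnet_of(ip_network(roa_prefix)):      # this ROA covers the route prefix
            covered = True
            if net.prefixlen <= max_len and asn == origin:
                return "valid"                         # one matching ROA is enough
    return "invalid" if covered else "unknown"         # covered but unmatched -> invalid

# Updates 2-7 from the 00:01 step, keyed by Update number.
UPDATES = {2: ("10.10.0.0/20", 30), 3: ("10.10.128.0/20", 30), 4: ("10.10.0.0/24", 30),
           5: ("10.10.15.0/24", 30), 6: ("10.10.128.0/24", 30), 7: ("10.10.0.0/24", 20)}
ROA2 = ("10.10.0.0/20", 24, 30)
ROA3 = ("10.10.0.0/24", 24, 30)
ROA5 = ("10.10.0.0/20", 24, 20)   # ASSUMPTION: AS20; the page only says "different AS"

def states(roas):
    """Validity state of every Update against the current ROA set."""
    return {n: validity(route, roas) for n, route in UPDATES.items()}

def signals(before, after):
    """(withdrawn, announced) Update numbers for an IUT that rejects only 'invalid'."""
    usable = lambda s: s != "invalid"
    wd = [n for n in UPDATES if usable(before[n]) and not usable(after[n])]
    ann = [n for n in UPDATES if not usable(before[n]) and usable(after[n])]
    return wd, ann

def run_scenario():
    """Replay the ROA set at 00:00, 00:02 and 00:03 and collect states and signals."""
    steps = [("00:00", [ROA2, ROA3]), ("00:02", [ROA3]), ("00:03", [ROA3, ROA5])]
    prev = {n: "invalid" for n in UPDATES}   # model: nothing advertised before the test
    out = []
    for t, roas in steps:
        cur = states(roas)
        out.append((t, cur, signals(prev, cur)))
        prev = cur
    return out

if __name__ == "__main__":
    for t, cur, (wd, ann) in run_scenario():
        print(t, cur, "withdraw:", wd, "announce:", ann)
```

Update 7 stays "invalid" at 00:02 because ROA 3 still covers its prefix with a different AS, while Updates 3 and 6 are never covered by any ROA and remain "unknown" throughout.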