Showing T17: OV: ROA Grandarent Prefix Revoked,New ROA Diff AS,I-Invalid
||2011-11-14 21:13:56 UTC
Check to see whether an IUT correctly determines and updates the validity state
of received Updates (routes) when ROAs for grandparent prefix (super-super prefix)
are revoked (or expired) and are subsequently renewed with the different AS.
Note that there exist two valid ROAs with the same AS, which contain more specific
prefixes than grandparent prefix in the routing table.
The IUT is expected to demonstrate their impacts (i.e., the revocation/renewal of
a grandparent ROA) on the route selection based on the route validity state.
It is assumed that a ROA is considered as revoked or expired when an EE used to
sign the corresponding ROA is revoked or expired, or any intermediate CA
certificates in the certification chain used to validate the EE is expired (or revoked).
The IUT MUST be configured to reject "invalid", and to accept both "valid"
and "unknown" validity state of a received route (i.e., a prefix and an originAS)
for further process.
Here, the ROA is defined as "data record" received by the IUT from a RPKI Cache.
At the beginning of the test, three ROAs and 7 BGP Updates (as shown above) are sent to
the IUT. A ROA for grandparent prefix is revoked and later renewed with the different
AS than that in the previously revoked ROA to see how the IUT handles the
revocation/renewal of a ROA for grandparent prefix.
Scenario and Expectations
- 00:00 - BRITE cache sends three ROAs (data records) to the IUT:
- ROA 1 [10.10.0.0/16,24,AS30]: ROA for grandparent prefix (i.e., super-super prefix) with maxLength.
- ROA 2 [10.10.0.0/20,24,AS30]: ROA for parent prefix (i.e., super prefix) with maxLength.
- ROA 3 [10.10.0.0/24,24,AS30]: ROA for end-entity prefix with no maxLength (or prefix length is
equal to maxLength).
- 00:01 - The following Updates are sent to the IUT:
- Update 1 (10.10.0.0/16, AS30)
- Update 2 (10.10.0.0/20, AS30)
- Update 3 (10.10.128.0/20, AS30)
- Update 4 (10.10.0.0/24, AS30)
- Update 5 (10.10.15.0/24, AS30)
- Update 6 (10.10.128.0/24, AS30)
- Update 7 (10.10.0.0/24, AS20)
- BRITE expects to receive six Updates (Updates 1-6) except an invalid route, Update 7, from the IUT.
- 00:02 - BRITE revokes ROA 1 and expects to receive no WDs or Updates. The IUT changes
the validity state of the previously "valid" routes to "unknown" (Updates 1,3 and 6).
- 00:03 - BRITE sends ROA 4, the previously revoked ROA with different AS. The IUT
performs the following:
- Advertises WDs for the previously "unknown" routes (Updates 1, 3 and 6), which became "invalid".
- Announces Update 7, the previously "invalid" route, which became "valid".
- The routes (Updates 2, 4 and 5) are still "valid" since the exact match and covering valid ROAs exist.
- 00:04 - Test ends.