Showing T17: OV: ROA Grandarent Prefix Revoked,New ROA Diff AS,I-Invalid

Owner okim
Date created 2011-11-14 21:13:56 UTC

Test Description

Check to see whether an IUT correctly determines and updates the validity state of received Updates (routes) when ROAs for grandparent prefix (super-super prefix) are revoked (or expired) and are subsequently renewed with the different AS. Note that there exist two valid ROAs with the same AS, which contain more specific prefixes than grandparent prefix in the routing table. The IUT is expected to demonstrate their impacts (i.e., the revocation/renewal of a grandparent ROA) on the route selection based on the route validity state. It is assumed that a ROA is considered as revoked or expired when an EE used to sign the corresponding ROA is revoked or expired, or any intermediate CA certificates in the certification chain used to validate the EE is expired (or revoked).

Requirements

The IUT MUST be configured to reject "invalid", and to accept both "valid" and "unknown" validity state of a received route (i.e., a prefix and an originAS) for further process. Here, the ROA is defined as "data record" received by the IUT from a RPKI Cache.

Test data

At the beginning of the test, three ROAs and 7 BGP Updates (as shown above) are sent to the IUT. A ROA for grandparent prefix is revoked and later renewed with the different AS than that in the previously revoked ROA to see how the IUT handles the revocation/renewal of a ROA for grandparent prefix.

Scenario and Expectations

  • 00:00 - BRITE cache sends three ROAs (data records) to the IUT:
    • ROA 1 [10.10.0.0/16,24,AS30]: ROA for grandparent prefix (i.e., super-super prefix) with maxLength.
    • ROA 2 [10.10.0.0/20,24,AS30]: ROA for parent prefix (i.e., super prefix) with maxLength.
    • ROA 3 [10.10.0.0/24,24,AS30]: ROA for end-entity prefix with no maxLength (or prefix length is equal to maxLength).
  • 00:01 - The following Updates are sent to the IUT:
    • Update 1 (10.10.0.0/16, AS30)
    • Update 2 (10.10.0.0/20, AS30)
    • Update 3 (10.10.128.0/20, AS30)
    • Update 4 (10.10.0.0/24, AS30)
    • Update 5 (10.10.15.0/24, AS30)
    • Update 6 (10.10.128.0/24, AS30)
    • Update 7 (10.10.0.0/24, AS20)
    • BRITE expects to receive six Updates (Updates 1-6) except an invalid route, Update 7, from the IUT.
  • 00:02 - BRITE revokes ROA 1 and expects to receive no WDs or Updates. The IUT changes the validity state of the previously "valid" routes to "unknown" (Updates 1,3 and 6).
  • 00:03 - BRITE sends ROA 4, the previously revoked ROA with different AS. The IUT performs the following:
    • Advertises WDs for the previously "unknown" routes (Updates 1, 3 and 6), which became "invalid".
    • Announces Update 7, the previously "invalid" route, which became "valid".
    • The routes (Updates 2, 4 and 5) are still "valid" since the exact match and covering valid ROAs exist.
  • 00:04 - Test ends.