I believe the fundamental problem is (1) the same AS-SET name can exist in multiple databases (duplication), (2) you don’t know which as-set belongs to which ASN (ownership), and which as-set to use (discovery).
i think these may be part of the same confuddle; what is the
“identity” of an as-set? in the irr, it is the maintainer (even
ignoring multiple irr bases); but we have no such concept in the rpki.
my understanding is that an as-set is a short-hand name for a collection
of names of ASs and the names of other as-sets. when you ask that an AS
owner sign an as-set, you are making an assertion of ownership/scope
that i am not sure i understand. the signing AS is saying that the
nickname is a valid list in some sense (part of brian’s question)?
as the old rpki joke goes, you can use your cert to sign a gif of naked
furries or a bank transaction. but what is the security *meaning* of
your doing so?
from the draft:
    to enable operators to define a set of customers that can be found as "right adjacencies", or transit customer networks, facilitating the construction of prefix filters for a given ASN
so, when AS42 signs a list {AS1, AS2}, is AS42 trying to say that
someone peering with AS42 should expect any prefixes for which there are
ROAs with AS42, AS1, or AS2 in the ROA’s asID? but *anyone* can put
an arbitrary AS number in an asID.
i keep following the heffalump tracks around this tree, but am becoming
more and more confused.
randy
_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
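The filter construction Randy is asking about, worked through as an added example (this is not code from the message, the draft, or any RPKI implementation). It models a signed as-set as a signer ASN plus member ASNs and nested set names, expands it with a loop guard, and admits every prefix that has a ROA whose asID falls in the expanded set. All set names, ROAs and prefixes are constructed sample data; the last ROA is from an unrelated holder who simply chose asID 1, which is enough to land it in AS42's filter.

```python
"""Added example: prefix-filter construction from a signed as-set.

Not part of Randy's message or the draft; the data model (signer, member
ASNs, nested set names) is a deliberate simplification.  All data below
is constructed.
"""
from ipaddress import ip_network

# Constructed as-sets: name -> (signer ASN, member ASNs, nested set names).
# AS2's set refers back to AS42's, so expansion must guard against loops.
AS_SETS = {
    "AS42:AS-CUSTOMERS": (42, {1, 2}, {"AS2:AS-CUSTOMERS"}),
    "AS2:AS-CUSTOMERS": (2, {200}, {"AS42:AS-CUSTOMERS"}),
}

# Constructed validated ROA payloads: (prefix, maxLength, asID).
ROAS = [
    ("192.0.2.0/24", 24, 42),
    ("198.51.100.0/24", 24, 1),
    ("203.0.113.0/24", 25, 200),
    # An unrelated holder of 2001:db8::/32 put asID 1 in its own ROA.
    # Nothing in the RPKI ties this ROA to AS42's set, yet it is admitted.
    ("2001:db8::/32", 32, 1),
]


def expand_as_set(name, as_sets, seen=None):
    """Return the ASNs covered by set `name`, visiting each nested set once."""
    if seen is None:
        seen = set()
    if name in seen or name not in as_sets:
        return set()
    seen.add(name)
    signer, members, nested = as_sets[name]
    asns = {signer} | set(members)
    for child in nested:
        asns |= expand_as_set(child, as_sets, seen)
    return asns


def build_prefix_filter(name, as_sets, roas):
    """Entries (prefix, maxLength, asID) a neighbour would accept from the
    AS announcing set `name`: every ROA whose asID is in the expanded set."""
    allowed = expand_as_set(name, as_sets)
    entries = [(ip_network(p), ml, asid) for p, ml, asid in roas if asid in allowed]
    # Mixed v4/v6 networks do not compare directly; order by family first.
    return sorted(entries, key=lambda e: (e[0].version, e[0]))


def accepts(route_prefix, origin_asn, prefix_filter):
    """ROA-style match: a covering entry, length <= maxLength, matching origin."""
    net = ip_network(route_prefix)
    return any(
        net.version == p.version
        and net.subnet_of(p)
        and net.prefixlen <= ml
        and origin_asn == asid
        for p, ml, asid in prefix_filter
    )


if __name__ == "__main__":
    flt = build_prefix_filter("AS42:AS-CUSTOMERS", AS_SETS, ROAS)
    for entry in flt:
        print(entry)
    # The unrelated holder's route passes purely because of the asID it chose.
    print(accepts("2001:db8::/32", 1, flt))
```

The loop guard matters because as-sets may reference each other, and the final `accepts` call is the point of the message: the set tells you which asIDs to look for, but the ROA's asID is chosen by the prefix holder, not by the set's signer.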