Hi, GROW folks.

I'd like to offer some suggestions and explanations for them, on the
AS-CONES draft.

I'll make this brief, and as such, will include only the conceptual parts,
rather than explicit text.
It should be relatively easy for the authors to incorporate them.

Very briefly:

The as-cone targets, even when they are leaf AS, always need to be entities
that contain the AS number, plus a list of the AS's transit providers and
peers.
This object needs to be signed by the target AS (aka child AS).

The downward links should be treated as informative, and the upward links
as authoritative.

An as-cone validation should exclude any member AS which does not have a
signed object containing the as-cone's AS as one of its transit ISPs.

Only the customer can authoritatively declare its transit provider(s), not
the other way around.

Otherwise, random small networks could claim one or more Tier-1 ISPs as
their customers, and abuse all of the trust mechanisms that the as-cone
draft offers.

This view is much more consistent with how ROAs function; it is the
delegatee who signs the ROA (the more specific prefix), not the delegator.

Let me know if the above isn't clear or needs more explanation.

Thanks,
Brian
_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
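A worked illustration of the validation rule proposed in the message above, added here as an example; it is not part of the original post or of the AS-CONES draft. Per-AS HMAC keys stand in for RPKI signatures, and the object layout, the ASNs (from the documentation range) and the keys are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Stand-in for an RPKI signature: HMAC-SHA256 under a per-AS secret (assumption; keys constructed).
AS_KEYS = {64496: b"k-64496", 64497: b"k-64497", 64498: b"k-64498", 64499: b"k-64499"}

@dataclass
class CustomerObject:
    asn: int                 # the child AS this object describes
    transit_providers: list  # upward links: authoritative
    peers: list              # lateral links: informative only
    signer: int = 0
    signature: str = ""
    def payload(self):
        return repr((self.asn, sorted(self.transit_providers), sorted(self.peers))).encode()

def sign(obj, signer):
    obj.signer = signer
    obj.signature = hmac.new(AS_KEYS[signer], obj.payload(), hashlib.sha256).hexdigest()
    return obj

def self_signed_ok(obj):
    # Only a signature made by the child AS itself is authoritative.
    key = AS_KEYS.get(obj.signer) if obj.signer == obj.asn else None
    return key is not None and hmac.compare_digest(
        hmac.new(key, obj.payload(), hashlib.sha256).hexdigest(), obj.signature)

def validate_as_cone(cone_asn, declared, objects):
    # Keep only declared members whose own signed object names cone_asn as a transit provider.
    accepted, rejected = [], {}
    for member in declared:
        valid = [o for o in objects if o.asn == member and self_signed_ok(o)]
        if not valid:
            rejected[member] = "no object signed by the member itself"
        elif not any(cone_asn in o.transit_providers for o in valid):
            rejected[member] = "member does not name the cone AS as a transit provider"
        else:
            accepted.append(member)
    return accepted, rejected

def scenario():
    # Constructed: 64496 (provider) declares a cone over 64497-64499; 64499 claims 64496 as a customer.
    objs = [
        sign(CustomerObject(64496, [], [64498]), 64496),       # buys transit from nobody
        sign(CustomerObject(64497, [64496], []), 64497),       # names 64496 as transit: kept
        sign(CustomerObject(64498, [64499], [64496]), 64498),  # 64496 is only a peer: excluded
        sign(CustomerObject(64499, [64496], []), 64496),       # signed by the provider, not the child: excluded
    ]
    return validate_as_cone(64496, [64497, 64498, 64499], objs), validate_as_cone(64499, [64496], objs)
```

The second call shows the abuse case from the message: a small network declaring a Tier-1 as its customer gets an empty validated cone, because the Tier-1's own signed object never names it as a transit provider.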