> On Oct 11, 2023, at 11:50, Dale W. Carder <[email protected]> wrote:
>
> Thus spake Delong.com via NANOG ([email protected]) on Tue, Oct 10, 2023 at
> 04:52:07PM -0700:
>> However, IF YY is paying attention, and YY wants to advertise 2001:db8::/32
>> as well as allow 2001:db8:8000::/36 and 2001:db8:f000::/36, I would expect
>> AS YY would generate ROAs for
>> 2001:db8::/32 with ORIGIN-AS=YY MAXPREFIXLEN=36
>> 2001:db8:0::/33 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>> 2001:db8:8000::/36 with ORIGIN-AS=YY MAXPREFIXLEN=36
>> 2001:db8:9000::/35 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>> 2001:db8:a000::/34 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>> 2001:db8:c000::/34 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>> 2001:db8:e000::/36 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>> 2001:db8:f000::/36 with ORIGIN-AS=YY MAXPREFIXLEN=36
>
> Double check, but offhand I believe in this case you do not need all
> these AS0 ROA's. Any validated ROA payload fully matching should be
> all you need for it to be valid, and anything that is covered by a vrp
> but not matching is invalid.
>
> So, I think you can do
> 2001:db8::/32 with ORIGIN-AS=YY MAXPREFIXLEN=32
> 2001:db8:8000::/36 with ORIGIN-AS=YY MAXPREFIXLEN=36
> 2001:db8:f000::/36 with ORIGIN-AS=YY MAXPREFIXLEN=36
>
> Dale
My understanding is that the 2001:db8::/32 max=32 would block the /36s from
being considered valid (in order to prevent someone with trust anchor B
overriding the policy of someone with trust anchor A).
Since all the trust anchors are ::/0, I think that was deemed important.
I could be wrong, like you, I would need to double check the details.
Owen
