Geoff,
Geoff Huston wrote:
So if seems to me that you are saying that an advertisement for
192.0.2.0/24 originated from AS65000 could be validated by two ROAs,
namely 192.0.2.0/25 authorizing AS65000 and 192.0.2.128/25 authorizing
AS65000
To me, this appears to make the relying party's job harder given that
the relying party is no longer just looking for either exact match
ROAs or covering aggregate ROAs but now also has to search for a
collection of more specific ROAs that could be used to construct an
aggregate that matches the prefix to be validated.
I completely agree. This option makes life very difficult for a relying
party.
For instance, an advertisement for 192.0.0.0/18 could be authorized by
- A single ROA for 192.0.0.0/18
- A pair of ROAs, one for 192.0.0.0/19 and one for 192.0.32.0/19
- Three ROAs for 192.0.0.0/19, 19.0.32.0/20 and 19.0.48.0/20, respectively
- A large number of other possibilities including ROAs for the following
set of prefixes:
192.0.0.0/20
192.0.16.0/22
192.0.20.0/22
192.0.24.0/22
192.0.28.0/22
192.0.32.0/21
192.0.40.0/21
192.0.48.0/20
At the very least, if we're going to pursue this option, we need to
provide a description of the algorithm that a relying party would use to
determine if AS65000 is authorized to advertise the prefix 192.0.0.0/18.
(E.g., would the relying party take the collection of all ROAs for
AS65000 and then construct all possible aggregates?)
- Matt Lepinski :->
_______________________________________________
Sidr mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/sidr
