Matt,
Firstly, this posting has the *wg chair hat off* disclaimer
Personally, I'm happy to have multiple signatures on a ROA. However, I
think that multiple signatures is not the only way that we can provide
guidance in all envisaged situations.
Sandy had previously posted the following list of possible solutions:
(1) create multiple singly signed ROAs, say for two /20's, and let the
recipient interpret whether you meant to authorize the origination of
the /19 as well.
(2) mandate that all sources (all CAs) MUST produce an aggregate cert
when there are aggregatable certs
(3) tell prefix holders whose source is not willing to sign an aggregate
cert that they are just out of luck in originating the aggregate, maybe
just until the next prefix renewal period, maybe forever.
(4) allow a prefix holder whose source is not willing to sign an
aggregate to sign an aggregate ROA with multiple signatures.
There seems to be consensus that (1) is not a workable solution.
Yes, I agree with this perspective.
Some people (including myself) like option (4), but others feel that
implementing multiple signatures would introduce needless complexity.
As is evident from the discussion in this wg mailing list.
However, if the cases we are discussing are truly rare, then a
combination of (2) and (3) may also be reasonable.
I disagree with that position.
In response to (2), I am of the view that the entire discussion is about
those cases where this does not happen. (i.e. yes, you can mandate that
the tide must not come back in, but frankly it's an exercise in Canutian
posturing if issuers have local policies relating to certificate
issuance that create differing validation paths of more specifics of an
intended aggregate address advertisement!)
And in response to (3), it seems like the cart is placed before the horse
here. One would've thought that any sensible exercise in securing BGP
would be able to secure what we do today, rather than only a subset.
Our documents could
specify that a CA MUST produce an aggregate cert whenever possible and
that a prefix holder needs to have an aggregate cert in order to
advertise an aggregate prefix (otherwise, the prefix holder can only
advertise the longer [non-aggregate] prefixes).
I find multiple signatures on a ROA a personally preferred option,
supported already in available software and one that imposes minimal
constraints on issuer policies, and minimal constraints on the ability to
secure BGP as we use it today.
regards,
Geoff
_______________________________________________
Sidr mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/sidr
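An added example, not part of the thread above and not code from any SIDR participant or implementation, to make concrete why option (1) pushes the interpretation onto the recipient: under the standard RPKI origin validation rule (a route is covered only by a ROA whose prefix contains the route's prefix, with the announced length not exceeding the ROA's maxLength; RFC 6811, later than this thread), two singly signed /20 ROAs do not cover an announcement of the /19 aggregate, so a validator would have to invent a non-standard "jointly covered" inference to accept it. The ROA semantics assumed here (prefix, maxLength, origin AS), the sample prefixes and the AS numbers are all constructed for illustration.

```python
# Added example (not from the SIDR thread): strict RPKI origin validation
# versus the recipient-side "infer the aggregate" reading of option (1).
# ROA fields assumed: (prefix, maxLength, origin AS), as in RFC 6482/6811.
# Sample prefixes and ASNs below are constructed, not taken from the page.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Net
    max_length: int
    asn: int


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength outside [prefixlen, address size]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must lie between the prefix length and the address size")
    return ROA(net, max_length, asn)


def covers(r: ROA, route: Net) -> bool:
    """A ROA covers a route only when the ROA prefix contains the route prefix."""
    return route.version == r.prefix.version and route.subnet_of(r.prefix)


def origin_validation(roas: Iterable[ROA], prefix: str, origin_asn: int) -> str:
    """Strict RFC 6811 outcome: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "notfound"          # no ROA speaks to this prefix at all
    for r in covering:
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"               # covered, but by no matching (AS, maxLength)


def inferred_aggregate_authorization(roas: Iterable[ROA], prefix: str, origin_asn: int) -> bool:
    """Option (1)'s non-standard inference: accept the aggregate if ROAs for
    origin_asn over its more-specifics jointly cover every address of it.
    This is exactly the guesswork a recipient would be left to do."""
    route = ipaddress.ip_network(prefix, strict=True)
    pieces: List[Net] = [
        r.prefix for r in roas
        if r.asn == origin_asn
        and r.prefix.version == route.version
        and r.prefix.subnet_of(route)
    ]
    # collapse_addresses merges adjacent/overlapping networks; the aggregate is
    # fully covered iff the merged result is exactly the aggregate itself.
    return list(ipaddress.collapse_addresses(pieces)) == [route]


# Constructed sample: a holder with ROAs for two /20s but none for the /19.
SAMPLE_ROAS = [
    roa("10.0.0.0/20", 20, 64496),
    roa("10.0.16.0/20", 20, 64496),
]
AGGREGATE_ROA = roa("10.0.0.0/19", 19, 64496)


def demo() -> dict:
    """Side-by-side results for the cases discussed in the thread."""
    return {
        # strict validation: two /20 ROAs say nothing about the /19
        "strict_two_20s": origin_validation(SAMPLE_ROAS, "10.0.0.0/19", 64496),
        # option (1): the recipient infers the aggregate from the pieces
        "inferred_two_20s": inferred_aggregate_authorization(SAMPLE_ROAS, "10.0.0.0/19", 64496),
        # the inference fails as soon as one piece is missing
        "inferred_gap": inferred_aggregate_authorization(SAMPLE_ROAS[:1], "10.0.0.0/19", 64496),
        # an explicit aggregate ROA makes the /19 valid under the strict rule
        "strict_with_aggregate": origin_validation(SAMPLE_ROAS + [AGGREGATE_ROA], "10.0.0.0/19", 64496),
        # and the same ROA set marks a hijacking origin AS invalid
        "strict_wrong_as": origin_validation(SAMPLE_ROAS + [AGGREGATE_ROA], "10.0.0.0/19", 64511),
        # maxLength 19 on the /19 ROA does not authorise a /20 more-specific
        "strict_maxlength": origin_validation([AGGREGATE_ROA], "10.0.0.0/20", 64496),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The contrast between `origin_validation` and `inferred_aggregate_authorization` is the whole point: the strict rule is what every relying party implements the same way, whereas the inference only works if all recipients agree on an interpretation that no ROA actually states, and it silently fails (or silently succeeds) depending on which more-specifics happen to be present.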