On Thu, Jul 17, 2008 at 04:02:34AM -0400, Rob Austein wrote:
> > To put it in a slightly different way, what I was wondering was, is there a
> > means of specifying this "minimal expression" you refer to?
>
> Aye, that is the question. I've tried to specify an algorithm for
> this twice already, and failed both times.

Unless I have missed something about the subtleties of an ROA, the
prefixes contained therein are of the form:

<prefix> [maxlen <n>] | n >= prefix-length.

Given any two prefixes, A and B of the above form where A has the
shorter prefix length:

If prefix A covers prefix B and maxlength A >= maxlength B
Then A completely covers B and B is redundant.

If prefix A covers prefix B and maxlength B > maxlength A
Then B has a portion of its address space that is not covered by A.

Given the above, you can pair-wise compare each prefix and eliminate
redundant prefixes. (Insert common optimizations of pre-sorting by
prefix length, etc.)

I'd honestly just expect implementors to toss the prefixes into a
prefix trie and not worry about the redundant nodes.

> As Jeff and the other Robs have been discussing, there's some question
> of whether one actually needs an equivalence operation; more
> precisely, whether one needs an efficient equivalence operation.

The main concern would be someone's ROA having so much noise in it that
it's considered a resource exhaustion attack. Given that people would be
using these things to say "hey, I want traffic to reach my network!" it
seems less than likely that someone would intentionally try to do that,
especially since the response is to blacklist the ROA.

-- Jeff
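
The pairwise elimination described in the message above, as an added Python example that is not part of the original message or of any RPKI implementation. The function names and the sample entries are constructed for illustration; the code only drops covered entries and does not merge adjacent prefixes.

```python
import ipaddress

def parse_entry(text):
    """Parse '<prefix> [maxlen <n>]'; maxlen defaults to the prefix length."""
    parts = text.split()
    net = ipaddress.ip_network(parts[0])  # rejects prefixes with host bits set
    if len(parts) == 1:
        maxlen = net.prefixlen
    elif len(parts) == 3 and parts[1] == "maxlen":
        maxlen = int(parts[2])
    else:
        raise ValueError(f"bad entry: {text!r}")
    if not net.prefixlen <= maxlen <= net.max_prefixlen:
        raise ValueError(f"maxlen out of range: {text!r}")
    return net, maxlen

def covers(a, b):
    """True if entry a makes entry b redundant (the first rule in the message)."""
    (a_net, a_max), (b_net, b_max) = a, b
    return (a_net.version == b_net.version
            and b_net.subnet_of(a_net) and a_max >= b_max)

def drop_redundant(entries):
    """Pairwise elimination, pre-sorted so any covering entry is seen first."""
    # set() removes exact duplicates, which would otherwise cover each other.
    ordered = sorted(set(entries), key=lambda e: (
        e[0].version, e[0].prefixlen, -e[1], int(e[0].network_address)))
    kept = []
    for entry in ordered:
        if not any(covers(k, entry) for k in kept):
            kept.append(entry)
    return kept

def render(entry):
    net, maxlen = entry
    return f"{net} maxlen {maxlen}"

# Constructed sample ROA contents (private and documentation address space).
SAMPLE = ["10.0.0.0/8 maxlen 24", "10.1.0.0/16 maxlen 24",
          "10.2.0.0/16 maxlen 28", "10.0.0.0/8 maxlen 24",
          "192.0.2.0/24", "2001:db8::/32 maxlen 48", "2001:db8:1::/48"]

def minimized_sample():
    return [render(e) for e in drop_redundant(parse_entry(s) for s in SAMPLE)]

if __name__ == "__main__":
    print("\n".join(minimized_sample()))
```

10.2.0.0/16 maxlen 28 survives because its maxlength exceeds that of the covering /8, which is the second rule in the message.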
