On Nov 23, 2008, at 2:40 AM, Geoff Huston wrote:
>> Yes, I think there are lots of issues of this nature, issues which
>> BOAs only exacerbate.
> I don't see the reasoning which leads to your observation that BOAs
> _exacerbate_ the issue. They are much the same as the issues with
> ROAs but I don't see the case that makes the situation worse because
> of the addition of these negative attestations in the form of BOAs.
> Perhaps an example or two may help me (and possibly others)
> understand precisely what you mean by "exacerbate"?

To follow your previous example, you've now got 2x or more
objects and if you can't access one, or you miss publication
of one by seconds, you're increasing your vulnerability
surface.

> The inclusion of the AS number had just a little to do with
> origination and probably more to do with the AS path - the semantic
> intent of the inclusion of the AS number in a BOA was to say "I'm
> the holder of this AS number and I'm not using it in routing at all.
> If you see a BGP update with this AS number anywhere in the AS Path
> then that's a lie!"
But this requires full enumeration of the AS number
space with each BOA, at least two ranges spanning all
but the AS(s) listed in the ROA(s).
This seems like a bad idea to me, as a matter of security
policy expecting folks to explicitly fully enumerate what
they will not accept, or what others should not accept,
rather than letting it be an implicit "deny everything
else".
-danny
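A small model of the enumeration argument in the message above, added here as an illustration and not part of the thread or of any SIDR draft; the ROA and BOA representations (a set of authorised origin ASes versus a list of AS ranges declared not legitimate) are simplifying assumptions, and the AS numbers are constructed.

```python
# Added illustration: assumed, simplified representations of a ROA
# (authorised origin ASes for a prefix) and a BOA (AS ranges declared
# *not* legitimate for it). Not the SIDR draft object formats.
AS_MAX = 2**32 - 1  # 32-bit AS number space


def roa_accepts(origin_as, roa_asns):
    """ROA model: any origin not explicitly listed is implicitly denied."""
    return origin_as in roa_asns


def boa_ranges_for(roa_asns):
    """Compute the BOA ranges needed to cover everything *except* the
    ASes in the ROAs: one range per gap in the sorted list, so a single
    authorised AS already needs two ranges (below it and above it)."""
    ranges, low = [], 0
    for asn in sorted(set(roa_asns)):
        if asn > low:
            ranges.append((low, asn - 1))
        low = asn + 1
    if low <= AS_MAX:
        ranges.append((low, AS_MAX))
    return ranges


def boa_rejects(origin_as, boa_ranges):
    """BOA model: only origins inside a published negative range are denied."""
    return any(lo <= origin_as <= hi for lo, hi in boa_ranges)


def compare(origin_as, roa_asns, published_boas):
    """Return (roa_verdict, boa_verdict) for one origin. With the BOA
    approach, a missing or not-yet-retrieved object silently widens what
    is accepted; with the ROA approach, the default stays 'deny'."""
    return (roa_accepts(origin_as, roa_asns),
            not boa_rejects(origin_as, published_boas))


if __name__ == "__main__":
    roa = {64496}                 # constructed: one authorised origin AS
    boas = boa_ranges_for(roa)    # two ranges: 0..64495 and 64497..AS_MAX
    partial = boas[:1]            # one BOA object missing or unreachable
    for origin in (64496, 65000):
        print(origin, compare(origin, roa, boas), compare(origin, roa, partial))
```

With both BOA objects present the two models agree; drop one of them and the unauthorised origin 65000 is still rejected by the ROA but accepted under the BOA model, which is the widened vulnerability surface the message describes.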
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr