WG Chair Hat Off
The inclusion of the AS number had just a little to do with
origination and probably more to do with the AS path - the semantic
intent of the inclusion of the AS number in a BOA was to say "I'm
the holder of this AS number and I'm not using it in routing at
all. If you see a BGP update with this AS number anywhere in the AS
Path then that's a lie!"
But this requires full enumeration of the AS number
space with each BOA, at least two ranges spanning all
but the AS(s) listed in the ROA(s).
This seems like a bad idea to me, as a matter of security
policy expecting folks to explicitly fully enumerate what
they will not accept, or what others should not accept,
rather than letting it be an implicit "deny everything
else".
I'm confused here Danny - are you explicitly advocating that a ROA
should explicitly carry the semantics of "deny all else"?
If that is the case, then from such a perspective of a ROA having a
"deny all else" interpretation, how should incremental use / piecemeal
deployment of ROAs be handled? Does a ROA for 10.0.0.0/8 Origin AS1
explicitly deny all other non-ROA advertisements of any prefix that is
equal to, or a more specific of 10.0.0.0/8 using any other origin AS
other than AS1? I'm not sure that this would be your intention, but it
seems to me that this logically follows from a "deny everything else"
semantic interpretation applied to a ROA.
regards,
Geoff
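An added example, not part of this thread, showing how the three cases Geoff raises come out under the route origin validation procedure later standardized in RFC 6811: a ROA "denies" only other origins (and over-long more-specifics) inside the prefix it covers, while routes in space no ROA covers are NotFound rather than Invalid. The ROA set and routes are constructed for illustration.

```python
from ipaddress import ip_network
from typing import Iterable, NamedTuple


class ROA(NamedTuple):
    prefix: object   # an ipaddress network object, e.g. ip_network("10.0.0.0/8")
    max_length: int  # longest prefix length the holder authorises for this origin
    origin_as: int


def validate_origin(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Classify a (prefix, origin AS) pair as 'valid', 'invalid' or 'not_found'.

    not_found: no ROA covers the prefix, so unsigned space is left untouched
    valid:     a covering ROA names this origin AS and permits this length
    invalid:   covered by at least one ROA, but none authorises this origin/length
    """
    net = ip_network(prefix)
    covered = False
    for roa in roas:
        # A ROA covers a route when the route's prefix lies within the ROA prefix.
        if roa.prefix.version == net.version and net.subnet_of(roa.prefix):
            covered = True
            if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
                return "valid"
    return "invalid" if covered else "not_found"


# Constructed sample: the single ROA from Geoff's question, 10.0.0.0/8 for AS1,
# with maxLength 8 (no more-specifics authorised).
SAMPLE_ROAS = [ROA(ip_network("10.0.0.0/8"), 8, 1)]

# Constructed routes covering the cases under discussion.
SAMPLE_ROUTES = [
    ("10.0.0.0/8", 1),     # exact match, authorised origin      -> valid
    ("10.0.0.0/8", 2),     # covered, other origin                -> invalid
    ("10.1.0.0/16", 2),    # more-specific, other origin          -> invalid
    ("10.1.0.0/16", 1),    # more-specific beyond maxLength       -> invalid
    ("192.0.2.0/24", 2),   # no ROA covers this space             -> not_found
]


def classify_all(routes=SAMPLE_ROUTES, roas=SAMPLE_ROAS) -> dict:
    """Map each (prefix, origin AS) route to its validation state."""
    return {route: validate_origin(route[0], route[1], roas) for route in routes}


if __name__ == "__main__":
    for route, state in classify_all().items():
        print(f"{route[0]:<14} AS{route[1]:<3} {state}")
```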
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr