>> The inclusion of the AS number had just a little to do with
>> origination and probably more to do with the AS path - the semantic
>> intent of the inclusion of the AS number in a BOA was to say "I'm the
>> holder of this AS number and I'm not using it in routing at all. If
>> you see a BGP update with this AS number anywhere in the AS Path then
>> that's a lie!"
>
> But this requires full enumeration of the AS number
> space with each BOA, at least two ranges spanning all
> but the AS(s) listed in the ROA(s).
>
> This seems like a bad idea to me, as a matter of security
> policy expecting folks to explicitly fully enumerate what
> they will not accept, or what others should not accept,
> rather than letting it be an implicit "deny everything
> else".
I think there is a lack of clarity in the BOA draft as to what the list
of ASs actually is saying:

My understanding is that the list of ASs and the list of IP prefixes are
independent (i.e., logical OR), and unlike with ROAs, only the holder of
an AS can sign a BOA with that AS in it.

That is, if AS5 and 10.0.0.0/8 appear in a BOA, it means that neither AS5
*nor* prefixes 10.0.0.0/8 and more specific should *ever* appear in
routing, together or separately.

Geoff, George, Terry, is my understanding correct?

Rob

-- 
Robert Loomans                   Email: [EMAIL PROTECTED]
Senior Software Engineer, APNIC  Phone: +61 7 3858 3100
http://www.apnic.net             Fax:   +61 7 3858 3199
_______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
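To make the two readings in the thread concrete, here is a small checker written as an added example; it is not code from the BOA draft, from APNIC, or from anyone on the list. It implements the semantics as Rob states them (AS list and prefix list independent, logical OR; a listed AS must not appear anywhere in an AS_PATH, which is the "anywhere in the AS Path" intent in the first quote; a listed prefix or any more specific of it must not be announced) and does not try to settle whether the draft actually means that. The sample BOA uses the thread's own AS5 and 10.0.0.0/8; the other AS numbers (64496, 64497, documentation range) and prefixes (192.0.2.0/24, 2001:db8::/32) are constructed test data, and the function names are mine. It goes a little beyond the text by also handling AS prepending, covering aggregates that are less specific than the attested prefix, and mixed address families.

```python
"""Checker for one reading of BOA semantics (added example, not from the
draft): the AS list and the prefix list are independent, a listed AS may
not appear anywhere in an AS_PATH, and a listed prefix or any more specific
of it may not be announced."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BOA:
    asns: frozenset        # AS numbers the holder attests are not in use
    prefixes: tuple        # prefixes the holder attests are not announced


def make_boa(asns, prefixes):
    """Build a BOA from integers and prefix strings.  strict=True rejects a
    prefix with host bits set (e.g. '10.1.0.0/8'), which could otherwise be
    silently widened to 10.0.0.0/8."""
    return BOA(frozenset(int(a) for a in asns),
               tuple(ipaddress.ip_network(p, strict=True) for p in prefixes))


def covered_by(prefix, attested):
    """True if `prefix` equals `attested` or is a more specific of it.
    Different address families never cover each other (and subnet_of would
    raise TypeError if asked)."""
    return prefix.version == attested.version and prefix.subnet_of(attested)


def check_update(boa, prefix, as_path):
    """Return the reasons a BGP UPDATE (prefix string, AS_PATH as a flat
    sequence of ints) contradicts `boa`.  An empty list means the BOA says
    nothing about this update; it is NOT a statement that the route is valid."""
    net = ipaddress.ip_network(prefix, strict=True)
    path = tuple(int(a) for a in as_path)
    reasons = []
    # AS rule: anywhere in the path, not only the origin.  dict.fromkeys keeps
    # path order but collapses prepending (5 5 5) to one finding.
    for asn in dict.fromkeys(path):
        if asn in boa.asns:
            reasons.append(f"AS{asn} appears in AS_PATH but is attested unused")
    # Prefix rule: the attested prefix or any more specific of it.  A less
    # specific covering aggregate is not contradicted: the holder of
    # 10.0.0.0/8 is not the holder of 10.0.0.0/7 and cannot speak for it.
    for attested in boa.prefixes:
        if covered_by(net, attested):
            reasons.append(f"{net} is covered by attested-unused prefix {attested}")
    return reasons


# Constructed sample data.  AS5 and 10.0.0.0/8 are the thread's example;
# 64496/64497 are documentation ASNs, 192.0.2.0/24 and 2001:db8::/32 are
# documentation prefixes.
SAMPLE_BOA = make_boa([5], ["10.0.0.0/8"])

SAMPLE_UPDATES = {
    "unrelated":          ("192.0.2.0/24",  (64496, 64497)),
    "more_specific":      ("10.1.0.0/16",   (64496,)),
    "as_in_transit":      ("192.0.2.0/24",  (64496, 5, 64497)),
    "both":               ("10.0.0.0/8",    (5,)),
    "prepended":          ("10.0.0.0/8",    (5, 5, 5)),
    "covering_aggregate": ("10.0.0.0/7",    (64496,)),
    "other_family":       ("2001:db8::/32", (64496,)),
}


def run_samples(boa=SAMPLE_BOA, updates=SAMPLE_UPDATES):
    """Evaluate every sample update against the BOA; returns name -> reasons."""
    return {name: check_update(boa, p, path) for name, (p, path) in updates.items()}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(f"{name:20s} {'BOGUS' if reasons else 'no finding':10s} {reasons}")
```

Note that an empty result only means the BOA is silent; the checker deliberately does not turn the BOA into a whitelist, which is the "enumerate everything you will not accept" problem raised in the quoted reply. Under this reading the holder of AS5 and 10.0.0.0/8 has said nothing about AS6 or about 10.0.0.0/7, so neither is flagged.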
