WG Chair Hat Off

On 25/11/2008, at 11:27 AM, Robert Loomans wrote:


The inclusion of the AS number had just a little to do with
origination and probably more to do with the AS path - the semantic
intent of the inclusion of the AS number in a BOA was to say "I'm the
holder of this AS number and I'm not using it in routing at all. If
you see a BGP update with this AS number anywhere in the AS Path then
that's a lie!"

But this requires full enumeration of the AS number
space with each BOA, at least two ranges spanning all
but the AS(s) listed in the ROA(s).

This seems like a bad idea to me, as a matter of security
policy expecting folks to explicitly fully enumerate what
they will not accept, or what others should not accept,
rather than letting it be an implicit "deny everything
else".

I think there is a lack of clarity in the BOA draft as to what the list
of ASs actually is saying:

My understanding is that the list of ASs and the list of IP prefixes are
independent (i.e., logical OR), and unlike with ROAs, only the holder of
an AS can sign a BOA with that AS in it.

That is, if AS5 and 10.0.0.0/8 appear in a BOA, it means that neither
AS5 *nor* prefixes 10.0.0.0/8 and more specific should *ever* appear in
routing, together or separately.

Geoff, George, Terry, is my understanding correct?

Yes, that understanding is correct.

  Geoff

_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
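
The BOA semantics confirmed in this exchange (independent AS and prefix lists, an AS match anywhere in the AS path, a prefix match on the listed prefix and its more specifics), worked through as an added example that is not part of the original thread or of the BOA draft. The `Boa` class, the function names and the sample updates are constructed for illustration and are not a real BOA encoding.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Boa:
    """Hypothetical in-memory BOA: two independent lists (logical OR)."""
    asns: frozenset
    prefixes: tuple


def make_boa(asns, prefixes):
    return Boa(frozenset(asns),
               tuple(ipaddress.ip_network(p) for p in prefixes))


def boa_violations(boa, prefix, as_path):
    """Return why an announcement contradicts the BOA ([] means no match)."""
    net = ipaddress.ip_network(prefix)
    reasons = []
    # AS test: a listed AS anywhere in the AS path, not only at the origin.
    for asn in as_path:
        reason = f"AS{asn} in path"
        if asn in boa.asns and reason not in reasons:  # ignore prepending
            reasons.append(reason)
    # Prefix test: the listed prefix itself or any more specific of it.
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    for listed in boa.prefixes:
        if net.version == listed.version and net.subnet_of(listed):
            reasons.append(f"{net} covered by {listed}")
    return reasons


# Constructed sample: the BOA from the thread (AS5 and 10.0.0.0/8) and
# constructed BGP updates using documentation ASNs and prefixes.
BOA = make_boa([5], ["10.0.0.0/8"])
UPDATES = [
    ("10.1.0.0/16", [64500, 64501]),      # more specific of the listed prefix
    ("192.0.2.0/24", [64500, 5, 64501]),  # AS5 in mid-path, unrelated prefix
    ("10.0.0.0/8", [5, 5]),               # both, with AS prepending
    ("192.0.2.0/24", [64500, 64501]),     # neither
    ("10.0.0.0/7", [64500]),              # less specific: not covered
]

if __name__ == "__main__":
    for prefix, path in UPDATES:
        hits = boa_violations(BOA, prefix, path)
        print(prefix, path, "->", hits or "no BOA match")
```

An empty result only means the BOA does not speak to the announcement; it is not a positive statement that the route is valid.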