On Nov 25, 2008, at 6:39 PM, Geoff Huston wrote:
Sure. So here's some use cases of BOAs:
1. I have been allocated 203.10.61.0/24. I do not use it today in
any public routing context. It should not appear in BGP at all. I do
not give my authorization to any AS to originate a route for this
prefix, or any more specific of this prefix. If I generate a BOA for
203.10.61.0/24 then my intention of saying that any use of this
prefix in the public Internet is unauthorized is clear.
If you do not give your authorization then do not issue a ROA.
With the incremental deployment argument, I'm not sure who would
be looking at BOAs if they're not looking at ROAs.
2. I have been allocated AS 131074 as an AS number. I do not use it
today in any public routing context. It should not appear in BGP at
all either as an origination AS nor as a transit AS in any AS path.
If I generate a BOA for AS131074 then my intention of saying that
any use of this AS number in the public Internet is unauthorized is
clear.
But the draft currently does not mitigate "nor as a transit AS",
unless I'm missing something. Specifically:
S.5 graf 2:
"If a route object has an AS origination that refers to an AS number
that is listed in a valid BOA, then the route object can be regarded
as a Bogon object, and local policies that apply to Bogon AS's can be
applied to the object. This holds whether or not the address prefix of
the route object is described by a valid ROA or not."
I see nothing about "or as a transit AS" in there.
3. I have been allocated 203.10.60.0/22. I wish to ensure that any
more specific advertisement of this prefix is unauthorized. If I
generate a BOA for 203.10.60.0/23 AND 203.10.62.0/23 then my
intention is clear.
I still don't by it.. As an operator, you tell me who is authorized
to originate and that's the only origin AS I accept. That's easier to
configure in a router, requires less objects in the RPKI, and makes life
much simpler.
And a non-use case of BOAs:
4. I am a wholesale ISP, and while I allocate address space to my
clients from my aggregate address block (10.0.0.0/8) I also permit
my clients to use their more specific prefix at local exchanges. My
AS number is 131072 and I have generated a ROA for 10.0.0.0/8 ,
maxlength=8 origin AS 131072. I do not have a problem with more
specifics of 10.0.0.0/8 being used in routing contexts, as part of
my wholesale stance. I would prefer that my ROA did not cause my
customer's more specifics to be treated as unauthorized routes,
irrespective of whether they are ready to use a ROA today or not.
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
