On Mon, 1 Dec 2008, Danny McPherson wrote:
> On Nov 25, 2008, at 6:39 PM, Geoff Huston wrote:
>> Sure. So here's some use cases of BOAs:
>> 1. I have been allocated 203.10.61.0/24. I do not use it today in any
>> public routing context. It should not appear in BGP at all. I do not give
>> my authorization to any AS to originate a route for this prefix, or any
>> more specific of this prefix. If I generate a BOA for 203.10.61.0/24 then
>> my intention of saying that any use of this prefix in the public Internet
>> is unauthorized is clear.
> If you do not give your authorization then do not issue a ROA.
> With the incremental deployment argument, I'm not sure who would
> be looking at BOAs if they're not looking at ROAs.
The issue in incremental deployment is not what the people who haven't
deployed it should do but what the people who DO deploy it should do.
What do the people who DO understand ROAs (and BOAs) do when they see
something unsecured - it might be legit, just not produced by someone who
understands ROAs (BOAs).
>> 2. I have been allocated AS 131074 as an AS number. I do not use it today
>> in any public routing context. It should not appear in BGP at all, either as
>> an origination AS or as a transit AS in any AS path. If I generate a BOA
>> for AS131074 then my intention of saying that any use of this AS number in
>> the public Internet is unauthorized is clear.
> But the draft currently does not mitigate "nor as a transit AS",
> unless I'm missing something. Specifically:
> S.5 graf 2:
> "If a route object has an AS origination that refers to an AS number that is
> listed in a valid BOA, then the route object can be regarded as a Bogon
> object, and local policies that apply to Bogon AS's can be applied to the
> object. This holds whether or not the address prefix of the route object is
> described by a valid ROA or not."
> I see nothing about "or as a transit AS" in there.
>> 3. I have been allocated 203.10.60.0/22. I wish to ensure that any more
>> specific advertisement of this prefix is unauthorized. If I generate a BOA
>> for 203.10.60.0/23 AND 203.10.62.0/23 then my intention is clear.
> I still don't buy it.. As an operator, you tell me who is authorized
> to originate and that's the only origin AS I accept. That's easier to
> configure in a router, requires fewer objects in the RPKI, and makes life
> much simpler.
So it seems you are in the "and that's all" camp in interpreting ROAs,
right?
Does your answer assume operators are using ROAs to produce route filters?
Does your answer change if operators are using ROAs in the decision
procedure, as presented at the last meeting?
--Sandy
>> And a non-use case of BOAs:
>> 4. I am a wholesale ISP, and while I allocate address space to my clients
>> from my aggregate address block (10.0.0.0/8) I also permit my clients to
>> use their more specific prefix at local exchanges. My AS number is 131072
>> and I have generated a ROA for 10.0.0.0/8, maxlength=8 origin AS 131072.
>> I do not have a problem with more specifics of 10.0.0.0/8 being used in
>> routing contexts, as part of my wholesale stance. I would prefer that my
>> ROA did not cause my customer's more specifics to be treated as
>> unauthorized routes, irrespective of whether they are ready to use a ROA
>> today or not.
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
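Editor's added example, not part of the thread or of the BOA draft it discusses: a small Python model of the decision procedure the participants are arguing about, run over Geoff's four use cases. It implements the "and that's all" reading of ROAs (a route covered by some ROA must match one on origin AS and maxlength or it is invalid), a BOA check that, like the quoted S.5 text, looks only at the origination AS, and an optional extension that also matches a BOA'd AS in transit position, to make Danny's gap visible. The BOA-before-ROA precedence, the placeholder ASes 65001/65002 and the prefix 192.0.2.0/24 are assumptions; the prefixes and ASNs 131072/131074 are the ones the thread uses.

```python
"""Toy ROA/BOA route classification over the sidr thread's use cases.
Added illustration, not code from the thread, the draft, or any RPKI tool."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str        # address prefix the holder attests
    maxlength: int     # longest prefix length the origin AS may announce
    origin_as: int     # authorised origin AS


@dataclass(frozen=True)
class BOA:
    prefix: Optional[str] = None   # bogon prefix (covers every more specific)
    asn: Optional[int] = None      # bogon AS number


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]       # rightmost element is the origin AS


def covered_by(route_prefix: str, attested_prefix: str) -> bool:
    """True if route_prefix equals or is a more specific of attested_prefix."""
    r, p = ip_network(route_prefix), ip_network(attested_prefix)
    return r.version == p.version and r.subnet_of(p)


def is_bogon(route: Route, boas, check_transit: bool = False) -> bool:
    """BOA check.  As in the quoted S.5 text, only the origination AS is
    compared.  check_transit=True is an assumed extension (not in the draft
    text) that also matches a BOA'd AS anywhere in the AS_PATH."""
    ases = set(route.as_path) if check_transit else {route.as_path[-1]}
    for b in boas:
        if b.prefix is not None and covered_by(route.prefix, b.prefix):
            return True
        if b.asn is not None and b.asn in ases:
            return True
    return False


def origin_state(route: Route, roas) -> str:
    """'And that's all' reading of ROAs: if any ROA covers the route, the
    route must match one (same origin AS, length <= maxlength) or it is
    'invalid'; with no covering ROA at all it is 'not found'."""
    origin = route.as_path[-1]
    plen = ip_network(route.prefix).prefixlen
    covering = [r for r in roas if covered_by(route.prefix, r.prefix)]
    if not covering:
        return "not found"
    if any(r.origin_as == origin and plen <= r.maxlength for r in covering):
        return "valid"
    return "invalid"


def classify(route: Route, roas, boas, check_transit: bool = False) -> str:
    """Assumed precedence: a BOA match wins over any ROA outcome."""
    if is_bogon(route, boas, check_transit):
        return "bogon"
    return origin_state(route, roas)


def run_use_cases() -> dict:
    """Geoff's four use cases as constructed routes.  AS 65001/65002 and
    192.0.2.0/24 are assumed placeholders for the unnamed parties."""
    out = {}
    # 1. BOA for an unused /24: the prefix and any more specific are bogon.
    boas = [BOA(prefix="203.10.61.0/24")]
    out["1_exact"] = classify(Route("203.10.61.0/24", (65001,)), [], boas)
    out["1_more_specific"] = classify(Route("203.10.61.128/25", (65001,)), [], boas)
    # 2. BOA for an unused AS: caught as origin, missed as transit unless extended.
    boas = [BOA(asn=131074)]
    as_origin = Route("192.0.2.0/24", (65001, 131074))
    as_transit = Route("192.0.2.0/24", (131074, 65001))
    out["2_as_origin"] = classify(as_origin, [], boas)
    out["2_as_transit_s5"] = classify(as_transit, [], boas)
    out["2_as_transit_ext"] = classify(as_transit, [], boas, check_transit=True)
    # 3. /22 holder forbids more specifics with two /23 BOAs ...
    roas = [ROA("203.10.60.0/22", 22, 65002)]
    boas = [BOA(prefix="203.10.60.0/23"), BOA(prefix="203.10.62.0/23")]
    out["3_aggregate"] = classify(Route("203.10.60.0/22", (65002,)), roas, boas)
    out["3_more_specific"] = classify(Route("203.10.61.0/24", (65002,)), roas, boas)
    # ... but, as Danny says, maxlength=22 alone already makes the /24 invalid.
    out["3_without_boa"] = classify(Route("203.10.61.0/24", (65002,)), roas, [])
    # 4. Wholesale ROA 10.0.0.0/8 maxlength=8 origin 131072: a customer's more
    #    specific with its own origin AS falls out as invalid under this reading.
    roas = [ROA("10.0.0.0/8", 8, 131072)]
    out["4_aggregate"] = classify(Route("10.0.0.0/8", (131072,)), roas, [])
    out["4_customer"] = classify(Route("10.1.0.0/16", (131072, 65001)), roas, [])
    return out


if __name__ == "__main__":
    for name, state in run_use_cases().items():
        print(f"{name:20} {state}")
```

Case 2 shows the point raised against S.5: with the origin-only rule the route carrying 131074 in transit is merely "not found", and only the assumed path-wide extension turns it into "bogon". Case 4 shows Geoff's objection in the other direction: under the "and that's all" reading the customer's 10.1.0.0/16 is "invalid" whether or not the customer has published anything, and there is no object here that lets the /8 holder say otherwise.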