>> What if: when "I have been allocated 203.10.61.0/24", I issue an ROA
>> for the same with my origin AS? Doesn't that automatically mean that
>> all the advertisements of the prefix from another origin AS are
>> automatically invalid?
>
> No. Some folk believe that this should be the case, others
> believe that this should not be the case. Those who believe
> that this should not be the case are proposing the BOA as a
> form of explicitly stating what is invalid without having to
> state what is valid.

Why should this not be the case?

> By the way, given that you have published a ROA authorizing
> your origin AS to advertise the prefix, I suspect that this
> has created some further vulnerabilities that a BOA would not
> create. What happens if I use this ROA you've created to
> hijack with your prefix by prepending your origin AS to my
> AS? Can a third party detect that this is a hijack of your
> prefix from the origination information and the ROA? I do not
> think so.

This is a good example case for path attestation / complete AS_PATH validation, no? When a third party tries to verify whether the path leads back to the origin AS, that should fail (whenever we get to that part)...

>> As others have suggested, when "I have been allocated 203.10.60.0/22",
>> I issue an ROA for 203.10.60.0/22-22. That automatically means that
>> there can't be any other advertisements for this prefix or its more
>> specifics (unless I suballocate a more specific block and a new ROA
>> gets added to the repository for that). Is there any case that's not
>> handled by doing this?
>>
>
> That's your _assumption_ of the semantics of a ROA. What
> reference material or working group draft can you cite for
> semantic interpretation of a ROA?
> draft-ietf-sidr-roa-validation? I don't think so. The point
> of the BOA draft is that it challenges this assumption by
> taking the position that such route origination authorities
> are explicitly scoped to the authority described in the
> object, without the implicit inclusion of any other authority
> or denial.

So are you saying that an entity who is not the owner of prefix 10/8 can issue an ROA for it and it would be present in/added to the RPKI repository?

- Pradosh

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
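The thread turns on what a ROA does and does not say about a route. The following is an added example, not code from the sidr list or from any of the drafts discussed; it implements route origin validation with the RFC 6811 outcomes (valid, invalid, not-found) over a constructed ROA set built from the prefixes in the thread (203.10.60.0/22 with maxLength 22, 203.10.61.0/24) and documentation ASNs 64496 to 64500, all of which are assumptions for illustration. It shows the behaviour under discussion: a covering ROA makes an announcement from any other origin, and any more-specific beyond maxLength, invalid; a prefix with no covering ROA is merely not-found; and, because origin validation reads only the rightmost AS of AS_PATH, an update whose path ends in the authorized origin passes origin validation regardless of who actually injected it, which is exactly the gap that path validation is meant to close.

```python
"""Route origin validation (RFC 6811 semantics) over a constructed ROA set.
Added illustration for the sidr thread above; not the list's or any draft's code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: Network
    max_length: int
    origin_as: int


def roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    """Build a ROA, rejecting a maxLength shorter than the prefix or longer than the address."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must lie between the prefix length and the address size")
    return ROA(net, max_length, origin_as)


def covering(roas: List[ROA], announced: Network) -> List[ROA]:
    """ROAs whose prefix equals or contains the announced prefix (same address family)."""
    return [r for r in roas
            if r.prefix.version == announced.version and announced.subnet_of(r.prefix)]


def validate(roas: List[ROA], prefix: str, origin_as: int) -> str:
    """RFC 6811 outcome for an (announced prefix, origin AS) pair.

    not-found: no ROA covers the prefix at all.
    valid:     some covering ROA names this origin AS and its maxLength admits this length.
    invalid:   covering ROAs exist but none matches (wrong origin, or too specific).
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    candidates = covering(roas, announced)
    if not candidates:
        return "not-found"
    for r in candidates:
        if r.origin_as == origin_as and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def origin_as(as_path: List[int]) -> int:
    """The origin is the rightmost AS in AS_PATH; origin validation looks at nothing else."""
    if not as_path:
        raise ValueError("empty AS_PATH")
    return as_path[-1]


def validate_update(roas: List[ROA], prefix: str, as_path: List[int]) -> str:
    """Validate a BGP update by its AS_PATH origin only, as a ROV-only router would."""
    return validate(roas, prefix, origin_as(as_path))


# Constructed ROA set: the holder of 203.10.60.0/22 authorizes AS 64496, maxLength 22.
ROAS = [roa("203.10.60.0/22", 22, 64496)]
# Constructed sub-allocation: 203.10.61.0/24 handed to AS 64497 with its own ROA.
ROAS_WITH_SUBALLOCATION = ROAS + [roa("203.10.61.0/24", 24, 64497)]

if __name__ == "__main__":
    cases = [
        ("203.10.60.0/22", 64496), ("203.10.60.0/22", 64497),
        ("203.10.61.0/24", 64496), ("203.10.61.0/24", 64497),
        ("198.51.100.0/24", 64496),
    ]
    for p, o in cases:
        print(f"{p:18} origin AS{o}: {validate(ROAS, p, o)}")
    print("with sub-allocation ROA, 203.10.61.0/24 from AS64497:",
          validate(ROAS_WITH_SUBALLOCATION, "203.10.61.0/24", 64497))
    # Path ending in the authorized origin passes ROV whoever injected it.
    print("AS_PATH [64500, 64496] for 203.10.60.0/22:",
          validate_update(ROAS, "203.10.60.0/22", [64500, 64496]))
```

The maxLength check in `roa()` and the "more specifics are invalid" branch in `validate()` are the two places where the 203.10.60.0/22-22 reading of the thread actually lives: a /24 under that ROA is invalid from every origin until a second ROA for the /24 is published, while a prefix outside the ROA set gets not-found rather than invalid.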
