On Mon, 1 Dec 2008, Danny McPherson wrote:
On Dec 1, 2008, at 4:12 PM, Sandra Murphy wrote:
The issue in incremental deployment is not what the people who haven't
deployed it should do but what the people who DO deploy it should do. What
do the people who DO understand ROAs(and BOAs) do when they see something
unsecured - it might be legit, just not produced by someone who understands
ROAs(BOAs).
Right, but if the owner also published a BOA about who they
should not accept it from - what's the value add for those
who have deployed it again? They can say, ohh, there's a ROA
for AS 1 to originate 10.0.0.0/8. They also published a BOA
for AS2 to originate 10.0.0.0/16. So, what's that mean to me
since I deployed it? Accept 10.0.0.0/8 only from AS 1. I'm
not going to put a policy in my router that says AND accept
it from anyone else, or any more specific, except AS 2. Tracking
those BOAs is costing money (hardware, time, complexity) and
there is no added benefit.
Danny, BOAs don't say "don't accept 10/8 from AS2". They say "don't
accept any advertisement for 10/8".
I still don't by it.. As an operator, you tell me who is authorized
to originate and that's the only origin AS I accept. That's easier to
configure in a router, requires less objects in the RPKI, and makes life
much simpler.
So it seems you are in the "and that's all" camp in interpreting ROAs,
right?
No, I'm in the "show-me-how-to-configure-this-in-a-router-and-
convince-me-that-all-the-complexity-and-added-infrastructure-is
worth-the-investment-when-I'm-pretty-sure-I'd-be-just-as-happy
with-an-'explicit accept'='implicit deny'-model-like-all-my-other-
security-policies" camp.
I was trying to guess what you think a ROA means. Your previous
statements and this statement make it sound like you think a prefix holder
will sign ROAs for every and all ASs that are allowed to advertise the
prefix, so signing ROAs means "these ASs are allowed to announce the
prefic -- and that's all". Those configuring their routers use that
semantics to decide what to configure.
If you think that a set of ROAs means "these ASs are allowed to announce
the prefix, but not necessarily only these ASs", then router configuration
goes differently.
We are presently working out how the meaning of these ROAs results in
router configuration.
If you have ideas of how the configuration would happen, it would be
valuable for us to hear them.
I'm certain that if more people who are supposed to deploy this
stuff were paying attention they'd be making the same arguments,
but they're not, and so we need to give heavy consideration to this.
Does your answer assume operators are using ROAs to produce route filters?
Maybe.
Does your answer change if operators are using ROAs in the decision
procedure, as presented at the last meeting?
Maybe.
I presume there's a smilie in there. So when you figure it out, you'll
let us know, right? :-)
--Sandy
-danny
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
