At 9:27 AM -0500 12/10/08, Andrew Newton wrote:
On Dec 2, 2008, at 7:24 PM, Stephen Kent wrote:
An AS 0 ROA is a positive assertion about the prefixes expressed in
it, as far as RP software is concerned. The "feature" of this
assertion is that, any unauthenticated assertions about the
prefixes should be rejected in favor of this verifiable ROA
(assuming that the ROA was signed by an entity that holds the
prefixes in question). In saying that I am making some assumptions
about how ROs use ROAs, and Danny has argued that we need to be
more precise about such assumptions.
I see the AS 0 ROA as a valuable tool to deal with unallocated and
reserved address space, during the very long period when relying
parties will see a mix of verifiable and unverifiable assertions
about route origination. I have not thought so much about the
utility of this capability in a fully deployed system. I also did
not consider assertions about AS numbers, a feature of BOAs.

Steve,
Sorry for the late reply on this subject, but I was rereading the
archives and it brought to my recollection a statement you made at
the microphone in Minneapolis regarding AS 0 ROAs. I didn't readily
grasp the meaning of what you said, so I'm seeking clarification.
As I recall, you stated that a registry wishing to use a BOA to
cover its space could just as well use AS 0 ROAs with a different
practice.
Whenever that registry allocated space, it would have to reissue the
AS 0 ROAs so the newly allocated space is not covered. At least I
think that was the gist of what you described.
Is this correct, or can you explain again the scenario you mentioned?
-andy

Andy,
Your characterization is a good paraphrase of my comments at the mic.
In fairness to Geoff's BOA proposal, my ROA AS 0 convention is not as
powerful, in that it has no provisions for making a negative
assertion about AS numbers.
If I were a registry (or an ISP) making use of the AS 0 ROA approach,
I would issue one EE cert and one associated ROA (covering all of the
unallocated space that I hold). The EE cert would have a lifetime
consistent with the time I take to respond to allocation requests,
maybe a 1-day lifetime. That way I would not have to put the EE cert
on a CRL when a new AS 0 ROA was issued; I'd just be issuing one new
cert and one new ROA every day. Since it is probably good practice to
issue a CRL every day, the set of objects published by the
registry/ISP would have to change that frequently anyway, so this is
not much of a new burden (e.g., the manifest has to change whenever
a new CRL is issued).
I also note that even if we don't adopt AS 0 ROAs as a recognized way
to make this sort of assertion, any ROA issuer can use it anyway,
either explicitly or via analogous means :-).
Steve
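As an added illustration of the daily-reissue convention Steve describes above (this is not code from the thread or from any RPKI implementation): a registry computes its unallocated remainder, issues a one-day AS 0 ROA over it, and a relying party treats a route covered by that ROA as invalid until the next day's reissue drops the newly allocated block. The dict layout for the EE-cert/ROA pair, the TEST-NET-1 block and AS 64496 are constructed assumptions; the covered/valid/invalid/not-found outcomes follow the origin-validation rules that were later standardized for ROAs.

```python
from datetime import date, datetime, timedelta, timezone
from ipaddress import ip_network

def unallocated(held, allocated):
    """Held blocks minus allocated blocks: what the AS 0 ROA should cover."""
    remaining = [ip_network(h) for h in held]
    for alloc in (ip_network(a) for a in allocated):
        nxt = []
        for r in remaining:
            if alloc.subnet_of(r):          # carve the allocation out of r
                nxt.extend(r.address_exclude(alloc))
            elif not r.subnet_of(alloc):    # disjoint: keep; inside alloc: drop
                nxt.append(r)
        remaining = nxt
    return sorted(remaining, key=lambda n: (n.version, int(n.network_address), n.prefixlen))

def issue_as0_roa(held, allocated, day):
    """Day's EE-cert/ROA pair as a plain dict (hypothetical shape, not a real RPKI
    object). One-day validity lets tomorrow's reissue supersede it without a CRL."""
    not_before = datetime(day.year, day.month, day.day, tzinfo=timezone.utc)
    return {"asn": 0, "not_before": not_before, "not_after": not_before + timedelta(days=1),
            "prefixes": [(p, p.max_prefixlen) for p in unallocated(held, allocated)]}

def origin_state(roas, announced, origin_as, now):
    """Relying-party outcome for one route: 'valid', 'invalid' or 'not_found'."""
    net, covered = ip_network(announced), False
    for roa in roas:
        if not roa["not_before"] <= now < roa["not_after"]:
            continue                        # EE cert outside validity: ignore ROA
        for prefix, maxlen in roa["prefixes"]:
            if net.version == prefix.version and net.subnet_of(prefix) and net.prefixlen <= maxlen:
                covered = True
                if origin_as == roa["asn"] != 0:   # AS 0 never authorizes anyone
                    return "valid"
    return "invalid" if covered else "not_found"

def demo():
    """Constructed scenario: registry holds TEST-NET-1, allocates a /26 on day 2."""
    held = ["192.0.2.0/24"]
    roa_day1 = issue_as0_roa(held, [], date(2008, 12, 10))
    roa_day2 = issue_as0_roa(held, ["192.0.2.0/26"], date(2008, 12, 11))
    noon1 = datetime(2008, 12, 10, 12, tzinfo=timezone.utc)
    noon2 = datetime(2008, 12, 11, 12, tzinfo=timezone.utc)
    return (origin_state([roa_day1], "192.0.2.0/26", 64496, noon1),
            origin_state([roa_day1, roa_day2], "192.0.2.0/26", 64496, noon2),
            origin_state([roa_day1, roa_day2], "192.0.2.64/28", 64496, noon2))

if __name__ == "__main__":
    print(demo())   # ('invalid', 'not_found', 'invalid')
```

On day 2 the expired day-1 ROA is simply ignored, so the allocated /26 falls back to "not_found" (awaiting the allocatee's own ROA) while the still-unallocated space stays "invalid" for any origin AS.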
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr