On Fri, 6 Nov 2009, Larry J. Blunk wrote:
Sorry, should have provided more context. I was referring to
the particular "Partial Adoption" scenario presented in
http://www.antd.nist.gov/~ksriram/SIDR_ROA_BOA_Interpretation.pdf.
Where more specifics of a registered ROA (that do not have
a matching ROA) are not invalidated for a certain grace period.
This dramatically limits the value of ROA's and it will be
difficult to end the grace period if there are significant
numbers of more specifics of ROA's that are unregistered.
It seems to me if you are unprepared to register ROA's for
all the more specifics of an aggregate ROA, it would be better
to hold off on registering the ROA for the aggregate until all
the more specific ROA's are in place.
I haven't figured out yet what you mean about registering ROAs for the
more specifics.
If you have sub-allocated to a customer and you want to register a ROA for
that more specific, would you register the ROA with your AS or your
customer's AS (or your customer's backup upstream).
--Sandy
-Larry
----- "Jared Mauch" <[email protected]> wrote:
I share the comments and concerns of Larry but want to take it a step
further. There will not be anything but partial deployment for years
to come. Trying to transfer costs to ISPs that are unwilling or unable
to issue certs is going to be an ongoing challenge.
See everyone soon!
Jared Mauch
On Nov 7, 2009, at 5:54 AM, Larry Blunk <[email protected]> wrote:
Sriram,
I think you are missing my point. I'm aware of these
sub-allocations, but I don't agree that providers SHOULD
or MUST issue CA-Certs for these suballocations, which seems
to be the assumption of some. Rather, it is my feeling
that we can only assume the provider MAY issue a CA-Cert for
the sub-allocations.
If they choose not to issue a CA-Cert to a customer, I believe it is
reasonable to assume they will still issue ROA's for the routes
that are being announced by the customers at the time the ROA
for the aggregate announcement is issued. I'm not fond
of partial deployment scenarios where the more specifics
are not registered until some unspecified later date. It will be
difficult to go back and get all the more specifics registered
later if there are significant numbers of them. It should be
relatively straightforward to construct tools to assist providers
with issuing ROA's for the more specifics at the time the ROA
for the aggregate announcement is being issued.
It's my understanding (please correct me if I'm wrong)
that by issuing a CA-Cert a provider is
not only giving the customer authority to register their own
ROA's, but to also issue ROA's or CA-Cert's for
customers of the customer (and so on). I suspect many providers would
be reluctant to grant this level of authority over the PA space
they have assigned.
-Larry
Sriram, Kotikalapudi wrote:
Larry:
I appreciate the information/thoughts you have shared. It would be
fine if it (the ROA registrations) plays out the way you envision
it should.
As Sandy mentioned, there are instances of sub-suballocations and
sub-sub-suballocations etc. as can be gleaned from examples at this
link:
http://stats.research.icann.org/bgp/cidr-map/origin-map.bgp.20091030.1800.html
http://stats.research.icann.org/bgp/
Sriram
________________________________________
From: Sandra Murphy [[email protected]]
Sent: Monday, November 02, 2009 4:09 PM
To: Larry J. Blunk
Cc: Sriram, Kotikalapudi; [email protected]
Subject: Re: [sidr] draft-pmohapat-sidr-pfx-validate-03.txt as SIDR WG document
On Mon, 2 Nov 2009, Larry J. Blunk wrote:
----- "Sandra Murphy" <[email protected]> wrote:
On Mon, 2 Nov 2009, Larry Blunk wrote:
Sriram, Kotikalapudi wrote:
<snip>
If you are using PA space to multihome,
then you are going to have to play by the provider's rules.
If the provider does not allow multihoming using their
space, that's their right. You can either get PI
space or get another provider. Do you think clueless
customers will want to deal with signing ROA's? In
most cases, I suspect not. If a provider allows customers
to multi-home from the provider's address space, it seems eminently
reasonable that they would also be willing to sign ROA's
for that space with the customer's AS. Why wouldn't they?
In the case of multi-origin multi-homing using PA
space, you are talking about a very small subset.
For the providers who allow such configurations, yes
I fully expect them to sign the ROA's. Be aware that
many providers will simply tell customers to go get
their own AS and/or their own PI space.
This fits my model and what several others have suggested as well.
What is your opinion of a level down from there - clueless customers
multihomed clueless customers? I've heard that while a relationship
exists between provider and customer, that's not likely between provider
and customer's customers through which the ROAs could be requested or
automatically created on certain events.
(Not expressing an opinion here, just exploring the wg's opinion.)
--Sandy
-Larry
<snip>
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
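The effect debated in this thread, and the kind of provider-side tool suggested in it, as an added example that is not code from any of the participants: it applies the origin-validation rule as later published in RFC 6811 and lists the announcements that would turn invalid once an aggregate ROA is registered. The function names are hypothetical, and the prefixes and AS numbers are constructed documentation values.

```python
import ipaddress

def validate(prefix, origin_as, vrps):
    """Return 'valid', 'invalid' or 'notfound' for one announcement.

    vrps is a list of (prefix, max_length, asn) tuples taken from ROAs.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if net.version == vrp_net.version and net.subnet_of(vrp_net):
            covered = True
            if net.prefixlen <= max_len and origin_as == vrp_as:
                return "valid"
    # Covered by some ROA but matched by none: invalid, not merely unknown.
    return "invalid" if covered else "notfound"

def roas_needed(aggregate_vrp, announcements, existing_vrps=()):
    """ROAs to issue together with aggregate_vrp so that no currently
    announced route changes from 'notfound' to 'invalid'."""
    before = list(existing_vrps)
    after = before + [aggregate_vrp]
    needed = []
    for prefix, origin_as in announcements:
        if (validate(prefix, origin_as, before) != "invalid"
                and validate(prefix, origin_as, after) == "invalid"):
            length = ipaddress.ip_network(prefix).prefixlen
            needed.append((prefix, length, origin_as))
    return needed

# Constructed sample data (documentation prefixes and AS numbers).
AGGREGATE = ("2001:db8::/32", 32, 64496)            # provider's aggregate ROA
EXISTING = [("2001:db8:c::/48", 48, 64501)]         # customer already registered
ANNOUNCED = [
    ("2001:db8::/32", 64496),     # the aggregate itself
    ("2001:db8:a::/48", 64500),   # multihomed customer, own AS, no ROA
    ("2001:db8:b::/48", 64496),   # provider's own more specific, beyond maxLength
    ("2001:db8:c::/48", 64501),   # covered by the existing customer ROA
    ("2001:db9::/32", 64502),     # unrelated space, no covering ROA
]

if __name__ == "__main__":
    for roa in roas_needed(AGGREGATE, ANNOUNCED, EXISTING):
        print("issue ROA:", roa)
```

The list is a set of candidates taken from observed announcements; each origin AS still has to be confirmed as an authorized customer before a ROA is issued for it.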