On Thu, 29 Apr 2010, Geoff Huston wrote:
Thank you for this response. As I had noted earlier, if you had made it clearer
in which role you were posting in these discussions it would be easier for
others, or at least myself, to understand when you were making pronouncements
as WG chair and when you were asking questions and airing opinions as an
individual participant.

If proxy aggregation is "not part of our work" then the outcome of such actions,
namely AS Sets in the AS_PATH is likewise "not part of our work." I will edit
the ROA validation draft accordingly.

Actually, no, that is not the case.
When I say that proxy aggregation is not part of our work, I mean that
sidr does not promise to protect BGP announcements formed by proxy
aggregation.
While it is true that AS_SETS are principally generated in BGP updates by
an AS that is doing proxy aggregation, AS_SETS are still part of the BGP
protocol and might appear in a received AS_PATH.
Until and unless the idr working group decides to eliminate that feature
from the BGP protocol, the sidr route validation must still make a
statement about what happens when the AS_PATH origin is an AS_SET.
That is necessary for completeness. Furthermore, without such a
statement, implementers could make different decisions as to how to handle
such cases and attack paths could result.
The sidr wg is not now considering anything but origin authorization, so
an AS_PATH segment that is an AS_SET but is not the origin is not of our
concern at all.
--Sandy
On 29/04/2010, at 3:16 AM, Sandra Murphy wrote:
I have said that it was the consensus even before sidr was officially a wg that
proxy aggregation would not be part of our work. And I pointed to the email
archive for that discussion.
You have said that you do not believe that it is possible at this point, so I
don't think that you are unhappy with that statement.
So I am confused as to what further statement I could make that would help at
this point.
Can you point me to where you still see a problem?
--Sandy
On Wed, 28 Apr 2010, Geoff Huston wrote:
Three weeks ago I asked:
It seems to me that the essential requirements for securing proxy aggregation
are missing at this stage, which makes it somewhat difficult for SIDR to work
on mechanisms without some re-spinning of the SIDR WG Charter (or some other
WG) that would permit the preliminary work on security requirements relating to
proxy aggregation to come first.
So my question to the WG Co-chairs is: is work on securing Proxy Aggregation
within the current SIDR charter? If so, on what basis?
I would hope that by now the WG chairs have had sufficient time to consider this
question, so I'd like to ask once more: Is work on securing Proxy Aggregation
within the current SIDR Charter? If so, on what basis?
regards,
Geoff