On Wed, 28 Apr 2010, Sandra Murphy wrote:

On Thu, 29 Apr 2010, Geoff Huston wrote:

Thank you for this response. As I had noted earlier, if you had made it
clearer in which role you were posting in these discussions it would be
easier for others, or at least myself, to understand when you were making
pronouncements as WG chair and when you were asking questions and airing
opinions as an individual participant.

If proxy aggregation is "not part of our work" then the outcome of such
actions, namely AS Sets in the AS_PATH is likewise "not part of our work."
I will edit the roa validation draft accordingly.

Actually, no, that is not the case.

When I say that proxy aggregation is not part of our work, I mean that sidr
does not promise to protect BGP announcements formed by proxy aggregation.

While it is true that AS_SETS are principally generated in BGP updates by an
AS that is doing proxy aggregation, AS_SETS are still part of the BGP
protocol and might appear in a received AS_PATH.

Until and unless the idr working group decides to eliminate that feature from
the BGP protocol, the sidr route validation must still make a statement about
what happens when the AS_PATH origin is an AS_SET.

That is necessary for completeness. Furthermore, without such a statement,
implementers could make different decisions as to how to handle such cases
and attack paths could result.

The sidr wg is not now considering anything but origin authorization, so an
AS_PATH segment that is an AS_SET but is not the origin is not of our concern
at all.

--Sandy

Whoops!

I meant:

--Sandy, still conversing as wg chair

On 29/04/2010, at 3:16 AM, Sandra Murphy wrote:

I have said that it was the consensus even before sidr was officially a wg
that proxy aggregation would not be part of our work. And I pointed to
the email archive for that discussion.

You have said that you do not believe that it is possible at this point,
so I don't think that you are unhappy with that statement.

So I am confused as to what further statement I could make that would help
at this point.

Can you point me to where you still see a problem?

--Sandy

On Wed, 28 Apr 2010, Geoff Huston wrote:

Three weeks ago I asked:

It seems to me that the essential requirements for securing proxy
aggregation are missing at this stage, which makes it somewhat difficult
for SIDR to work on mechanisms without some re-spinning of the SIDR WG
Charter (or some other WG) that would permit the preliminary work on
security requirements relating to proxy aggregation to come first.

So my question to the WG Co-chairs is: is work on securing Proxy
Aggregation within the current SIDR charter? If so, on what basis?

I would hope that by now the WG chairs have had sufficient time to
consider this question, so I'd like to ask once more: Is work on securing
Proxy Aggregation within the current SIDR Charter? If so, on what basis?

regards,

Geoff