Sorry for the delay in responding. Please see answers inline below.

Sriram

> -----Original Message-----
> From: Pradosh Mohapatra [mailto:[email protected]]
> Sent: Monday, August 02, 2010 2:21 AM
> To: Jeffrey Haas
> Cc: Sriram, Kotikalapudi; [email protected]
> Subject: Re: [sidr] Comment about aggregators and AS_SETs
> 
> I support Jeff's proposal for matching the "first AS after AS_SET" with the
> [AS4_]AGGREGATOR attribute. If I understand correctly, the suggestion is to
> follow the below algorithm for deriving origin_as:
> 
> 1. origin_as = rightmost AS in the final AS_SEQUENCE of the AS_PATH attribute
> 2. If the UPDATE carries [AS4_]AGGREGATOR and AS_SET attributes
>          if (first AS after AS_SET == AS encoded in [AS4_]AGGREGATOR), then
>              origin_as = first AS after AS_SET
>          else
>              origin_as = NONE
> 
> Sriram, a quick question on your enumeration tree: the right hand side in the
> tree starts with "No AS_SET", but later you have nodes that say "Matches the
> first AS after AS_SET"... What does that mean?

It was a typo. I meant "Matches the origin AS (i.e., the AGGREGATOR ASN
and the rightmost AS of the AS_SEQUENCE match)."
Please see the corrected updated slides:
http://www.antd.nist.gov/~ksriram/AS_SET_Aggregator_Stats.pdf

> Also, IMO, the attack vector you mention
> in the slides is more related to path validation than origin validation.

I think the attack vector is possible for path validation as well as origin
validation. But if you require, in the algorithm, that

the first AS after AS_SET == AS encoded in AGGREGATOR

and only then take that AS to be origin (Jeff Haas's modification to what I
suggested), then the attack vector goes away. The attack vector is possible if
we take the AGGREGATOR ASN to be origin (for origin validation) without paying
attention to the first AS after AS_SET.

Sriram  
> 
> - Pradosh
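The two-step origin_as derivation quoted above, worked through as an added example that is not part of the thread and not any router vendor's or NIST's code. It models AS_PATH as an ordered list of segments written the usual way (leftmost nearest the receiver, rightmost nearest the origin), assumes "first AS after AS_SET" means the last ASN of the AS_SEQUENCE adjacent to the set when reading from the origin end (the thread does not define this precisely), and the authorized-origin table and sample paths are constructed. The mismatch case shows the derivation refusing to name an origin rather than trusting a bare AGGREGATOR ASN.

```python
from typing import Dict, List, Optional, Set, Tuple

AS_SEQUENCE = "AS_SEQUENCE"
AS_SET = "AS_SET"

# An AS_PATH is modelled as an ordered list of (segment type, ASN list) tuples:
# leftmost segment nearest the receiving router, rightmost nearest the origin.
Segment = Tuple[str, List[int]]


def as_adjacent_to_set(as_path: List[Segment], set_index: int) -> Optional[int]:
    """Return the 'first AS after AS_SET'.

    Assumption (not spelled out in the thread): reading from the origin end,
    this is the ASN reached immediately after leaving the AS_SET, i.e. the
    last ASN of the AS_SEQUENCE segment sitting to the left of the set.
    """
    if set_index == 0:
        return None
    seg_type, asns = as_path[set_index - 1]
    if seg_type != AS_SEQUENCE or not asns:
        return None
    return asns[-1]


def derive_origin_as(as_path: List[Segment], aggregator_as: Optional[int]) -> Optional[int]:
    """Origin AS derivation following the two steps quoted in the thread."""
    # Step 1: rightmost ASN in the final (non-empty) AS_SEQUENCE.
    seq_indexes = [i for i, (t, asns) in enumerate(as_path) if t == AS_SEQUENCE and asns]
    if not seq_indexes:
        return None
    origin_as: Optional[int] = as_path[seq_indexes[-1]][1][-1]

    # Step 2: with both [AS4_]AGGREGATOR and an AS_SET present, accept the ASN
    # adjacent to the AS_SET only when it equals the AGGREGATOR ASN; otherwise
    # no origin is derived (NONE in the thread's wording).
    set_indexes = [i for i, (t, _) in enumerate(as_path) if t == AS_SET]
    if aggregator_as is not None and set_indexes:
        adjacent = as_adjacent_to_set(as_path, set_indexes[-1])
        origin_as = adjacent if adjacent == aggregator_as else None
    return origin_as


def validate_origin(prefix: str, origin_as: Optional[int],
                    authorized: Dict[str, Set[int]]) -> str:
    """Compare the derived origin against a table of authorized origins per prefix."""
    if origin_as is None:
        return "no-origin"      # derivation declined to guess; nothing to validate
    if prefix not in authorized:
        return "not-found"
    return "valid" if origin_as in authorized[prefix] else "invalid"


# Constructed sample data, not taken from the thread or any RPKI repository.
AUTHORIZED: Dict[str, Set[int]] = {"192.0.2.0/24": {65100}, "198.51.100.0/24": {65003}}

PLAIN: List[Segment] = [(AS_SEQUENCE, [65001, 65002, 65003])]
AGGREGATED: List[Segment] = [(AS_SEQUENCE, [65001, 65100]), (AS_SET, [65010, 65011])]

if __name__ == "__main__":
    for label, path, agg, prefix in [
        ("plain path, no aggregation", PLAIN, None, "198.51.100.0/24"),
        ("AS_SET, AGGREGATOR matches adjacent AS", AGGREGATED, 65100, "192.0.2.0/24"),
        ("AS_SET, AGGREGATOR does not match adjacent AS", AGGREGATED, 65200, "192.0.2.0/24"),
    ]:
        origin = derive_origin_as(path, agg)
        print(f"{label}: origin_as={origin} -> {validate_origin(prefix, origin, AUTHORIZED)}")
```

The third sample is the case the thread argues about: an UPDATE whose AGGREGATOR ASN differs from the AS adjacent to the AS_SET yields no origin at all, so an origin-validation step never evaluates the unverified AGGREGATOR value against the authorized table.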
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr