> Hi,
>
> this question addresses the scenario, in which a BGP update contains
> an AS_SET. According to draft-ietf-sidr-pfx-validate-01, the variable
> origin_as would be defined as "NONE". In case of a valid certificate for
> the prefix, the prefix validation function would return "INVALID".
>
> BGP updates including an AS_SET with a valid certificate would never
> be valid. Correct? This seems a bit rough. Can you clarify the reason
> behind? I would expect that if a valid record for at least one origin AS
> within the AS_SET exists, the function will return "VALID".

No, as consequence of your criterion for VALID, it would get very easy
to spread VALID routes with a short prefix by doing the proxy aggregation
including one AS that has a ROA for some more specific...
(in the extreme ROA for a /128 would VALIDate a ::/0, or say 2000::/3,
or an aggregate for a very large block of your RIR's IPv6 space)

If we wanted to support proxy aggregation and the related AS_SET
the ROA to check for VALIDity would be one matching exactly the aggregate
for the origin AS of the aggregator.

Fiddling and fixing with the different cases (beware of optional
attributes!) certainly allows for implementations to get it wrong
(and create unwanted test requirements/efforts);
seems nobody stepped forward with a convincing case really needing
the AS_SET.

Regards,
Ruediger

Ruediger Volk
Deutsche Telekom AG -- Internet Backbone Engineering
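
The three origin rules discussed in this thread, compared on the aggregates the reply names, as an added example that is not part of the original message or of the draft. The ROA table is constructed from documentation prefixes and ASNs, the function names are hypothetical, the validation logic is a simplified reading of the thread, and the `NOT_FOUND` state name is taken from RFC 6811 rather than from draft -01.

```python
import ipaddress

# Constructed ROA table: (prefix, maxLength, origin AS); documentation
# address space and documentation ASNs, not real registry data.
ROAS = [(ipaddress.ip_network(p), m, a) for p, m, a in [
    ("2001:db8::1/128", 128, 64500),
    ("2001:db8::/32", 32, 64501),
]]

def validate_draft(route, origin_as):
    """Rule described in the question: origin_as is None ("NONE") when the
    path ends in an AS_SET, so no ROA can match and a covered route is INVALID."""
    route = ipaddress.ip_network(route)
    covering = [r for r in ROAS if route.subnet_of(r[0])]
    if not covering:
        return "NOT_FOUND"
    matched = any(origin_as is not None and asn == origin_as
                  and route.prefixlen <= max_len
                  for _, max_len, asn in covering)
    return "VALID" if matched else "INVALID"

def validate_any_member(route, as_set):
    """Loose rule as the reply reads it: any AS in the AS_SET holding a ROA
    for space inside (or covering) the aggregate makes the route VALID."""
    route = ipaddress.ip_network(route)
    for prefix, _, asn in ROAS:
        if asn in as_set and (prefix.subnet_of(route) or route.subnet_of(prefix)):
            return "VALID"
    return validate_draft(route, None)

def validate_exact_aggregate(route, aggregator_as):
    """Reply's alternative: only a ROA for exactly the aggregate prefix,
    issued for the aggregator's AS, can make the aggregate VALID."""
    route = ipaddress.ip_network(route)
    if any(prefix == route and asn == aggregator_as for prefix, _, asn in ROAS):
        return "VALID"
    return validate_draft(route, None)

if __name__ == "__main__":
    for agg in ("::/0", "2000::/3", "2001:db8::/32"):
        print(agg,
              "draft:", validate_draft(agg, None),
              "any-member:", validate_any_member(agg, {64500}),
              "exact:", validate_exact_aggregate(agg, 64500))
```

With the single /128 ROA for AS 64500, the any-member rule marks both `::/0` and `2000::/3` as VALID, while the exact-aggregate rule does not.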
