> I think Roque's suggestion of an EKU to mark an EE cert as being associated 
> with a route server is helpful here.  Yes, this is a self-assertion, and thus 
> not authoritative.
> But, it could be a convenient mechanism to assist in configuration for 
> checking when it's OK to receive an update with a 0 pCNT value. Specifically, 
> if we agree that an ISP knows when a configured peer is an RS, then we can 
> mandate that an ISP check to make sure that an update received from a peer 
> with a 0 pCNT is, in fact, coming from what it believes is an RS. Having a 
> marker in a cert that says "HI, I'm an RS" at least makes this intent clear.  
> (One also could imagine that, since IXPs are well known and the route servers 
> at IXPs are known, a third party could scan the RPKI looking for certs that 
> claim to be associated with RSes, and checking to see if they appear to be 
> legit.)

About this last statement, the RIRs keep a list of IP addresses for the IXPs; 
we could ask them to sign that list and include their ASN to increase the 
"confidence" that they really are RSes. This could be checked by the validator.

Roque


> BGPSEC also could mandate some configuration capabilities that enable ASes 
> further along a path to filter routes based on 0 pCNT values in a path. For 
> example, one might say that any AS can be configured to drop a route with 2 
> or more 0 pCNT hops in a row, or more than 2 total, or whatever.  If we can 
> reach agreement on any general rules with regard to 0 pCNT values, these 
> rules can become part of the validation standard.
> 
> Steve
> _______________________________________________
> sidr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sidr
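
The two checks discussed in this thread, sketched as an added example that is not part of either message or of any BGPSEC specification: accept a 0 pCNT from a peer only when that peer is locally configured as an RS, and filter paths by the number of 0 pCNT hops. The `Hop` and `Policy` types, the reason strings, the thresholds (taken from the "2 or more in a row, or more than 2 total" illustration) and the sample ASNs are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    asn: int   # AS that signed this path segment
    pcnt: int  # pCNT value that AS placed in its segment

@dataclass(frozen=True)
class Policy:
    rs_peers: frozenset            # ASNs the operator has configured as route servers
    max_consecutive_zero: int = 1  # 2 or more 0 pCNT hops in a row are dropped
    max_total_zero: int = 2        # more than 2 0 pCNT hops in total are dropped

def check_update(path, peer_asn, policy):
    """Return (accept, reason). path[0] is the peer that sent the update."""
    if not path or path[0].asn != peer_asn:
        return False, "first-hop-mismatch"
    # Local check: a 0 pCNT is acceptable only from a peer believed to be an RS.
    if path[0].pcnt == 0 and peer_asn not in policy.rs_peers:
        return False, "zero-pcnt-from-non-rs-peer"
    # Path-wide filters that ASes further along the path could apply.
    run = longest = total = 0
    for hop in path:
        if hop.pcnt == 0:
            run += 1
            total += 1
            longest = max(longest, run)
        else:
            run = 0
    if longest > policy.max_consecutive_zero:
        return False, "too-many-consecutive-zero-pcnt"
    if total > policy.max_total_zero:
        return False, "too-many-total-zero-pcnt"
    return True, "ok"

# Constructed sample data: documentation ASNs; AS 64500 is the configured RS.
POLICY = Policy(rs_peers=frozenset({64500}))
SAMPLES = {
    "via configured RS": (64500, [Hop(64500, 0), Hop(64496, 1)]),
    "0 pCNT from ordinary peer": (64501, [Hop(64501, 0), Hop(64496, 1)]),
    "two 0 pCNT hops in a row": (64500, [Hop(64500, 0), Hop(64502, 0), Hop(64496, 1)]),
}

if __name__ == "__main__":
    for name, (peer, path) in SAMPLES.items():
        print(name, check_update(path, peer, POLICY))
```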
