Substantial comment similar to that made on pfx-validate: We need to resolve the behavior for routes originated from the local AS to find their way into a Valid state, as by current definition they can only be "Not Found" or even "Invalid", even if ROAs exist in the mapping table for the local AS. The WG needs to agree on the proper accommodation and address it expressly in the text before this document is published.
Nits below:

---

S.3

- Can you explain how it's "more likely to be noticed"?

  "One advantage of minimal ROA length is that the forged origin attack does not work for sub-prefixes that are not covered by overly long max length. E.g. if, instead of 10.0.0.0/16-24, one issues 10.0.0.0/16 and 10.0.42.0/24, a forged origin attack can not succeed against 10.0.66.0/24. They must attack the whole /16, which is more likely to be noticed."

- s/While an operator using RPKI data/An operator using RPKI data/

---

S.5

- s/NotFound/Not Found/[g] throughout per the pfx-validate terminology.

---

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
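As an added illustration (not part of the message above or of the draft it reviews), the prefix-origin validation decision from RFC 6811 applied to the two ROA choices the quoted S.3 text contrasts, showing why the minimal ROA set leaves 10.0.66.0/24 Invalid rather than Valid. The origin AS 64496 and the unrelated prefix 192.0.2.0/24 are constructed placeholders.

```python
import ipaddress

# Constructed ROA sets: (prefix, maxLength, origin AS). AS 64496 is a
# documentation ASN used here as a placeholder for the legitimate origin.
OVERLY_LONG_ROAS = [("10.0.0.0/16", 24, 64496)]                     # 10.0.0.0/16-24
MINIMAL_ROAS = [("10.0.0.0/16", 16, 64496), ("10.0.42.0/24", 24, 64496)]


def validate_route(prefix, origin_as, roas):
    """Return "Valid", "Invalid" or "Not Found" for one announced route,
    following the covering/matching rules of RFC 6811."""
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=True)
        if route.version != roa_net.version:
            continue
        # A ROA "covers" the route when the ROA prefix contains it; a covered
        # route with no matching ROA is Invalid, an uncovered one is Not Found.
        if not route.subnet_of(roa_net):
            continue
        covered = True
        # The ROA "matches" when the origin AS agrees and the announced
        # prefix length does not exceed the ROA's maxLength.
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "Valid"
    return "Invalid" if covered else "Not Found"


def compare(prefix, origin_as):
    """Validation state under the overly long ROA vs. the minimal ROAs."""
    return (validate_route(prefix, origin_as, OVERLY_LONG_ROAS),
            validate_route(prefix, origin_as, MINIMAL_ROAS))


if __name__ == "__main__":
    for announced in ["10.0.0.0/16", "10.0.42.0/24", "10.0.66.0/24", "192.0.2.0/24"]:
        print(announced, compare(announced, 64496))
```

With the overly long ROA, a more-specific 10.0.66.0/24 carrying the legitimate origin AS validates as Valid; with the minimal ROAs it is covered by the /16 but exceeds its maxLength, so it is Invalid, which is the distinction the quoted S.3 paragraph relies on.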
