On , Russ White <> wrote:
>> I agree with John's observations. We need to stop making the
>> statement "no roa == no route", because it's simply not true.
>
> There's something I probably don't understand here...
>
> 1. SIDR's ROA/RPKI infrastructure is designed to provide security for
> route origination.
>
> 2. Security for route origination means that you shouldn't be able to
> advertise routes unless someone in the infrastructure (other than you)
> has stated (publicly through a signed certificate) "this is a
> valid route."
>
> 3. But... If there's no certificate for a route, it's perfectly fine to
> advertise it and route to it.
>
> It seems, to me, that if the RPKI can't be used to actually validate who
> owns what route with certainty, we're going to a lot of trouble for
> nothing... Or maybe folks are trying to have their cake and eat it too.
> "We'll provide solid security which you can ignore if you like, no
> problem."
>
> I know this goes back to the difference between "unknown," and
> "invalid," but if all address space which no-one actually claims is open
> for whatever use anyone wants, then are we really making any progress in
> any meaningful way?

There is a difference.
Invalid: someone is certified to own it and someone ELSE is originating.
Unknown: No one is certified owner.

--
Jakob Heitz.

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
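
Added example, not part of the original message or of any SIDR implementation: a sketch of route origin validation that produces the three states discussed in this thread. It follows the RFC 6811 procedure, so it goes slightly beyond the definitions above by also treating an announcement more specific than the ROA's maxLength as invalid. The ROA entries are constructed from documentation prefixes and AS numbers, and `Roa`, `validate_origin` and `accept_route` are hypothetical names.

```python
import ipaddress
from typing import NamedTuple

class Roa(NamedTuple):
    prefix: str      # certified address block
    max_length: int  # longest prefix length the holder authorizes
    asn: int         # AS authorized to originate it

# Constructed sample ROAs (documentation prefixes and AS numbers).
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 25, 64497),
    Roa("2001:db8::/32", 48, 64498),
]

def validate_origin(route_prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'unknown' for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix)
        # Only ROAs whose block contains the route say anything about it.
        if block.version != route.version or not route.subnet_of(block):
            continue
        covered = True  # someone is certified to hold this space
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but no matching ROA: someone else is originating (or the
    # announcement is more specific than max_length allows).
    return "invalid" if covered else "unknown"

def accept_route(state, no_roa_no_route=False):
    """Hypothetical import policy: always drop 'invalid'; drop 'unknown'
    only under the strict "no roa == no route" reading."""
    if state == "invalid":
        return False
    if state == "unknown":
        return not no_roa_no_route
    return True

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                        ("203.0.113.0/24", 64511)]:
        state = validate_origin(prefix, asn)
        print(prefix, f"AS{asn}", state, accept_route(state))
```

With `no_roa_no_route` left at its default, uncertified space stays routable while a conflicting origin for certified space is dropped, which is the distinction the reply draws.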
