speaking as a regular ol' member

On Aug 4, 2014, at 4:42 PM, "George, Wes" <[email protected]> wrote:

> Late to the discussion because I needed to have cycles to read and think
> about this draft...
>
>
> On 7/31/14, 4:03 PM, "Stephen Kent" <[email protected]> wrote:
>
> This is probably true for routes that transition from
> Valid to Unknown, but not if they are actually found to be Invalid, which
> is what I understand would be the result of the problem discussed in this
> draft - invalid certs = invalid routes.

Well…. invalid EE certs = invalid ROA (for the most part - there's operational consideration about not removing an EE cert if a repository is unavailable, I suppose)

An invalid ROA does not necessarily mean an invalid route.

If there is no other covering ROA, then a BGP route for that prefix becomes unknown, as Terry pointed out.

If there is another ROA which covers the same prefix, then a route may be invalid -- if no covering ROA authorizes the ASN that the invalidated ROA mentions.

--Sandy, speaking as a regular ol' member
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
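The three outcomes described in the message above, as an added example that is not part of the original e-mail: a minimal origin-validation check in the style of RFC 6811 (which calls the "unknown" state NotFound). The prefixes, AS numbers and the names VRP and validate_origin are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """What a relying party extracts from one *valid* ROA (constructed type)."""
    prefix: str
    max_length: int
    asn: int


def validate_origin(route_prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'unknown' for a BGP route.

    'unknown' is the state RFC 6811 names NotFound: no VRP covers the route.
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # It matches if the origin AS agrees and the length is permitted.
        if vrp.asn == origin_asn and vrp.asn != 0 and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "unknown"


# Constructed sample data (documentation prefix and private-use AS numbers).
ROUTE, ORIGIN = "2001:db8:a::/48", 64500
ROA_A = VRP("2001:db8:a::/48", 48, 64500)      # the ROA whose EE cert goes invalid
ROA_B = VRP("2001:db8::/32", 32, 64501)        # covering ROA, different AS
ROA_C = VRP("2001:db8::/32", 48, 64500)        # covering ROA, same AS

if __name__ == "__main__":
    # An invalid ROA simply yields no VRP, so it is absent from the list.
    print("ROA_A present:          ", validate_origin(ROUTE, ORIGIN, [ROA_A]))
    print("ROA_A lost, none cover: ", validate_origin(ROUTE, ORIGIN, []))
    print("ROA_A lost, ROA_B left: ", validate_origin(ROUTE, ORIGIN, [ROA_B]))
    print("ROA_A lost, ROA_C left: ", validate_origin(ROUTE, ORIGIN, [ROA_C]))
```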
