Re: [sidr] draft-pmohapat-sidr-pfx-validate-03.txt as SIDR WG document



   Sorry, should have provided more context.  I was referring to
the particular "Partial Adoption" scenario presented in
http://www.antd.nist.gov/~ksriram/SIDR_ROA_BOA_Interpretation.pdf.
Where more specifics of a registered ROA (that do not have
a matching ROA) are not invalidated for a certain grace period.
This dramatically limits the value of ROA's and it will be
difficult to end the grace period if there are significant
numbers of more specifics of ROA's that are unregistered.

    It seems to me if you are unprepared to register ROA's for
all the more specifics of an aggregate ROA, it would be better
to hold off on registering the ROA for the aggregate until all
the more specific ROA's are in place.

 -Larry




----- "Jared Mauch" <jared at puck.nether.net> wrote:

> I share the comments and concerns of Larry but want to take it a step
> further. There will not be anything but partial deployment for years
> to come. Trying to transfer costs to ISPs that are unwilling or unable
> to issue certs is going to be an ongoing challenge.
> 
> See everyone soon!
> 
> Jared Mauch
> 
> On Nov 7, 2009, at 5:54 AM, Larry Blunk <ljb at merit.edu> wrote:
> 
> >
> > Sriram,
> >    I think you are missing my point.   I'm aware of these
> > sub-allocations, but I don't agree that providers SHOULD
> > or MUST issue CA-Certs for these suballocations, which seems
> > to be the assumption of some.   Rather, it is my feeling
> > that we can only assume the provider MAY issue a CA-Cert for
> > the sub-allocations.
> >
> >  If they choose not to issue a CA-Cert to a customer, I believe it is
> > reasonable to assume they will still issue ROA's for the routes
> > that are being announced by the customers at the time the ROA
> > for the aggregate announcement is issued.   I'm not fond
> > of partial deployment scenarios where the more specifics
> > are not registered until some unspecified later date.   It will be
> > difficult to go back and get all the more specifics registered
> > later if there are significant numbers of them.   It should be
> > relatively straightforward to construct tools to assist providers
> > with issuing ROA's for the more specifics at the time the ROA
> > for the aggregate announcement is being issued.
> >
> >   It's my understanding (please correct me if I'm wrong)
> > that by issuing a CA-Cert a provider is
> > not only giving the customer authority to register their own
> > ROA's, but to also issue ROA's or CA-Cert's for
> > customers of the customer (and so on).   I suspect many providers would
> > be reluctant to grant this level of authority over the PA space
> > they have assigned.
> >
> >
> > -Larry
> >
> >
> >
> > Sriram, Kotikalapudi wrote:
> >> Larry:
> >>
> >> I appreciate the information/thoughts you have shared. It would be
> >> fine if it (the ROA registrations) plays out the way you envision
> >> it should.
> >>
> >> As Sandy mentioned, there are instances of sub-suballocations and
> >> sub-sub-suballocations etc. as can be gleaned from examples at this
> >> link:
> >>
> >> http://stats.research.icann.org/bgp/cidr-map/origin-map.bgp.20091030.1800.html
> >> http://stats.research.icann.org/bgp/
> >>
> >> Sriram
> >> ________________________________________
> >> From: Sandra Murphy [sandy at sparta.com]
> >> Sent: Monday, November 02, 2009 4:09 PM
> >> To: Larry J. Blunk
> >> Cc: Sriram, Kotikalapudi; sidr at ietf.org
> >> Subject: Re: [sidr] draft-pmohapat-sidr-pfx-validate-03.txt as SIDR WG document
> >>
> >> On Mon, 2 Nov 2009, Larry J. Blunk wrote:
> >>
> >>
> >>> ----- "Sandra Murphy" <sandy at sparta.com> wrote:
> >>>
> >>>
> >>>> On Mon, 2 Nov 2009, Larry Blunk wrote:
> >>>>
> >>>>
> >>>>> Sriram, Kotikalapudi wrote:
> >>>>>
> >>
> >> <snip>
> >>
> >>
> >>>   If you are using PA space to multihome,
> >>> then you are going to have to play by the provider's rules.
> >>> If the provider does not allow multihoming using their
> >>> space, that's their right.  You can either get PI
> >>> space or get another provider.   Do you think clueless
> >>> customers will want to deal with signing ROA's?   In
> >>> most cases, I suspect not.  If a provider allows customers
> >>> to multi-home from the provider's address space, it seems eminently
> >>> reasonable that they would also be willing to sign ROA's
> >>> for that space with the customer's AS.  Why wouldn't they?
> >>>
> >>> In the case of multi-origin multi-homing using PA
> >>> space, you are talking about a very small subset.
> >>> For the providers who allow such configurations, yes
> >>> I fully expect them to sign the ROA's.   Be aware that
> >>> many providers will simply tell customers to go get
> >>> their own AS and/or their own PI space.
> >>>
> >>
> >> This fits my model and what several others have suggested as well.
> >>
> >> What is your opinion of a level down from there - clueless customers
> >> multihomed clueless customers?  I've heard that while a relationship
> >> exists between provider and customer, that's not likely between provider
> >> and customer's customers through which the ROAs could be requested or
> >> automatically created on certain events.
> >>
> >> (Not expressing an opinion here, just exploring the wg's opinion.)
> >>
> >> --Sandy
> >>
> >>
> >>> -Larry
> >>>
> >>>
> >>>
> >>>
> >>
> >> <snip>
> >>
> >
> > _______________________________________________
> > sidr mailing list
> > sidr at ietf.org
> > https://www.ietf.org/mailman/listinfo/sidr
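
Added example, not part of the original messages or of the draft: a pre-registration check of the kind the thread calls a tool to assist providers, listing which currently announced more specifics would turn invalid when a ROA for the aggregate is registered without them. It assumes the origin-validation states later published in RFC 6811 (valid, invalid, not-found) and applies no grace period; the prefixes, AS numbers and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation prefixes and documentation ASNs).
# A ROA is (prefix, max_length, origin_as); a route is (prefix, origin_as).
AGGREGATE_ROA = ("203.0.113.0/24", 24, 64496)
ANNOUNCED = [
    ("203.0.113.0/24", 64496),    # the provider's aggregate
    ("203.0.113.0/25", 64497),    # customer multihoming out of PA space
    ("203.0.113.128/26", 64496),  # provider's own more specific
    ("198.51.100.0/24", 64500),   # unrelated route, no covering ROA
]


def validate(route_prefix, origin_as, roas):
    """Return "valid", "invalid" or "not-found" for one route."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the route
        covered = True
        if origin_as == asn and route.prefixlen <= max_length:
            return "valid"  # a covering ROA matches origin and length
    return "invalid" if covered else "not-found"


def missing_roas(new_roa, existing_roas, announced):
    """ROAs needed so that registering new_roa leaves no announced route invalid."""
    after = list(existing_roas) + [new_roa]
    needed = []
    for prefix, origin in announced:
        if validate(prefix, origin, after) == "invalid":
            length = ipaddress.ip_network(prefix).prefixlen
            needed.append((prefix, length, origin))
    return needed


if __name__ == "__main__":
    for prefix, origin in ANNOUNCED:
        before = validate(prefix, origin, [])
        after = validate(prefix, origin, [AGGREGATE_ROA])
        print(f"{prefix:18} AS{origin}  {before} -> {after}")
    print("register together with the aggregate:",
          missing_roas(AGGREGATE_ROA, [], ANNOUNCED))
```

Both more specifics go from not-found to invalid the moment the aggregate ROA exists, which is the situation the grace-period proposal is meant to soften and the reason given above for registering them together.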

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.