Re: [Gen-art] Gen-ART telechat review of draft-ietf-sidr-roa-validation-10.txt

Geoff Huston <> Thu, 28 April 2011 05:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BD9B6E0682 for <>; Wed, 27 Apr 2011 22:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -101.283
X-Spam-Status: No, score=-101.283 tagged_above=-999 required=5 tests=[AWL=-0.612, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_AU=0.377, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id T0423BKO5YAp for <>; Wed, 27 Apr 2011 22:14:03 -0700 (PDT)
Received: from ( [IPv6:2001:dc0:2001:11::199]) by (Postfix) with ESMTP id BA9D1E0678 for <>; Wed, 27 Apr 2011 22:14:02 -0700 (PDT)
Received: from (unknown []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTP id 04CCCB681F; Thu, 28 Apr 2011 15:14:00 +1000 (EST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Geoff Huston <>
In-Reply-To: <>
Date: Thu, 28 Apr 2011 15:13:55 +1000
Content-Transfer-Encoding: 7bit
Message-Id: <>
References: <>
To: Brian E Carpenter <>
X-Mailer: Apple Mail (2.1084)
Cc:, General Area Review Team <>
Subject: Re: [Gen-art] Gen-ART telechat review of draft-ietf-sidr-roa-validation-10.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 Apr 2011 05:14:03 -0000

On 23/04/2011, at 11:51 AM, Brian E Carpenter wrote:

>>   It is a matter of local routing policy as to the actions to be
>>   undertaken by a routing entity in processing those routes with
>>   "unknown" validity states.
> That leaves open the possibility that an AS_SET aggregated route (which
> is by definition "unknown") would be rejected as part of a general policy
> choice. At the least, it seems that this should be mentioned to ensure that
> operators are aware of it. This is orthogonal to the fact that AS_SET
> is intrinsically a security problem.
> Suggested sentence to add:
> Operators should be aware that a policy that rejects all "unknown" routes
> will thereby reject any aggregated (AS_SET) route.

Thanks for your review Brian.

The draft already states "you really should not reject "unknown" routes":

   "Due to considerations of partial use of
   ROAs in heterogeneous environments, such as in the public Internet,
   it is advised that local policy settings should not result in
   "unknown" validity state outcomes being considered as sufficient
   grounds to reject a route outright from further consideration as a
   local "best" route."

I believe that this is sufficient in terms of guidance for an informational 
document to say "please don't shoot your foot off!" :-)