Re: [Idr] John Scudder's No Objection on draft-ietf-idr-bgp-flowspec-oid-13: (with COMMENT)

"Juan Alcaide (jalcaide)" <jalcaide@cisco.com> Thu, 27 May 2021 11:59 UTC

From: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
To: John Scudder <jgs@juniper.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>, "idr-chairs@ietf.org" <idr-chairs@ietf.org>, "idr@ietf.org" <idr@ietf.org>, Hares Susan <shares@ndzh.com>, "aretana.ietf@gmail.com" <aretana.ietf@gmail.com>, Lars Eggert <lars@eggert.org>, "David Smith (djsmith)" <djsmith@cisco.com>, Magnus Nyström <magnusn@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>
Date: Thu, 27 May 2021 11:59:48 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/bjfOpJJ04MN3F19rQzQDbmgIIok>

Hi,

We talked internally and we don't think it's worth pursuing. It would enhance security as defined in [RFC8955] (which is not the purpose of this draft), and upset all existing implementations. There is nothing forbidding any implementation from enhancing security in this way via a knob if they think it's suitable.

But we need to modify the explanation because it didn't fit the new rule. We also introduce the concept of, instead of suggesting to enforce the neighbor-AS match on FS, suggesting to just enforce it on the unicast route.

Please take a look to make sure it's accurate and clear.


# Revision of AS_PATH Validation -> Explanation

      Comparing only the left-most AS in the AS_PATH for eBGP learned
      Flow Specification NLRIs is roughly equivalent to checking the
      neighboring AS.  If the peer is a route server, security is
      necessarily weakened for the Flow Specification NLRI, as it is for
      any unicast route advertised from a route server.  An example is
      discussed in the Security Considerations section.

      Redefinition of this AS_PATH validation rule for a Flow
      Specification does not mean that the original rule in [RFC8955]
      cannot be enforced as well.  Its enforcement remains optional per
      [RFC4271] section 6.3.  That is, a BGP speaker can enforce the
      first AS in the AS_PATH to be the same as the neighbor AS for any
      address-family route (including a Flow Specification
      address-family route).  If the BGP speaker peer is not a route
      server, when enforcing this optional rule, the security
      characteristics are exactly equivalent to those specified in
      [RFC8955].

      Alternatively, enforcing this optional rule for unicast routes
      (even if not enforced on Flow Specification NLRIs) achieves
      exactly the same security characteristics.  The reason is that,
      after all validations, the neighboring AS will be the same as the
      left-most AS in the AS_PATH for the unicast route, and the
      left-most AS in the AS_PATH for the unicast route will be the same
      as the left-most AS in the AS_PATH for the Flow Specification
      NLRI.  Therefore, the neighboring AS will be the same as the
      left-most AS in the AS_PATH for the Flow Specification NLRI (as
      the original AS_PATH validation rule in [RFC8955] states).


# Security Considerations

   If configuration (or other means beyond the scope of this document)
   indicates that the peer is not a route server, that optional rule
   SHOULD be enforced, for unicast and/or for Flow Specification routes
   (as discussed in the AS_PATH Validation section, just enforcing it in
   one address-family is enough).


-J



> Do we really want to match only the last-AS, or as many ASes as we 
> want?  The paragraph above in the explanation would seem to favor as many AS_PATHS as we can. Transit ASes could still originate FS rules.
> 
> Ex:
> 
> Validate         Unicast: 100 101 102 103, FS: 100 101
> Do not validate  Unicast: 100 101 102 103, FS: 100 102

That's a fair point. If you want to update the doc accordingly though, it would be a significant enough technical change that I think you would need to go back to the WG for discussion of it. Your call (and Alvaro and the IDR chairs’).
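The revised AS_PATH validation rule from the proposed text above (left-most AS comparison, plus the optional RFC 4271 section 6.3 neighbor-AS check on either address family), as an added example that is not part of the draft, this thread or any implementation. It assumes AS_PATHs are plain lists of ASNs (left-most first, no AS_SET or confederation segments) and that the best unicast route for the Flow Specification destination is already known; the `unicast_check_covers_flowspec` helper exhaustively checks the transitivity argument (enforcing the neighbor-AS rule on unicast routes alone is enough) over short constructed paths.

```python
"""Revised AS_PATH validation for Flow Specification NLRIs learned over eBGP.

Added example, not code from the draft or any implementation. Assumptions:
AS_PATHs are plain lists of ASNs (left-most first, no AS_SET or confederation
segments), and the best unicast route for the FS destination is already known.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional, Sequence


@dataclass(frozen=True)
class Peer:
    neighbor_as: int            # AS of the eBGP neighbor
    is_route_server: bool       # route servers do not prepend their own AS
    enforce_neighbor_as_unicast: bool = False   # RFC 4271 6.3 optional rule
    enforce_neighbor_as_flowspec: bool = False  # same rule on FS routes


def leftmost_as(as_path: Sequence[int]) -> Optional[int]:
    return as_path[0] if as_path else None


def neighbor_as_ok(peer: Peer, as_path: Sequence[int], enforce: bool) -> bool:
    """RFC 4271 section 6.3 optional check: first AS must be the neighbor AS."""
    return (not enforce) or leftmost_as(as_path) == peer.neighbor_as


def validate_flowspec(peer: Peer, unicast_path: Sequence[int],
                      fs_path: Sequence[int]) -> bool:
    """Revised rule: only the left-most AS of the FS NLRI must equal the
    left-most AS of the best unicast route (deeper ASes are not compared),
    plus whichever optional neighbor-AS checks the speaker has enabled."""
    if not neighbor_as_ok(peer, unicast_path, peer.enforce_neighbor_as_unicast):
        return False
    if not neighbor_as_ok(peer, fs_path, peer.enforce_neighbor_as_flowspec):
        return False
    fs_first = leftmost_as(fs_path)
    return fs_first is not None and fs_first == leftmost_as(unicast_path)


def unicast_check_covers_flowspec(neighbor_as: int, candidates: Sequence[int]) -> bool:
    """Transitivity argument from the proposed text: with the neighbor-AS rule
    enforced on unicast routes only, every FS NLRI that validates has the
    neighbor AS as its left-most AS. Exhaustive over constructed 2-AS paths."""
    peer = Peer(neighbor_as, False, enforce_neighbor_as_unicast=True)
    for u0, u1, f0, f1 in product(candidates, repeat=4):
        if validate_flowspec(peer, [u0, u1], [f0, f1]) and f0 != neighbor_as:
            return False
    return True
```

With a route-server peer the neighbor AS never appears in either path, so the optional check must stay off there, which is why the proposed Security Considerations text conditions it on the peer not being a route server.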