Re: [sidr] Origin Ops, TALs and Local TAs

Rob Austein <> Mon, 14 November 2011 23:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B833E21F8663 for <>; Mon, 14 Nov 2011 15:48:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.066
X-Spam-Status: No, score=-102.066 tagged_above=-999 required=5 tests=[AWL=-0.178, BAYES_00=-2.599, HELO_MISMATCH_NET=0.611, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KHcQVZrWSfg6 for <>; Mon, 14 Nov 2011 15:48:06 -0800 (PST)
Received: from ( [IPv6:2002:425c:4242:0:210:5aff:fe86:1f54]) by (Postfix) with ESMTP id 6DB7B21F853A for <>; Mon, 14 Nov 2011 15:48:03 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "", Issuer "Grunchweather Associates" (verified OK)) by (Postfix) with ESMTPS id 687B928465 for <>; Mon, 14 Nov 2011 23:47:57 +0000 (UTC)
Received: from (localhost []) by (Postfix) with ESMTP id 33CA96550DD for <>; Tue, 15 Nov 2011 07:47:54 +0800 (CST)
Date: Tue, 15 Nov 2011 07:47:54 +0800
From: Rob Austein <>
In-Reply-To: <>
References: <>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <>
Subject: Re: [sidr] Origin Ops, TALs and Local TAs
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Nov 2011 23:48:06 -0000


For purposes of this discussion, a LTA is semantically equivalent to a
collection of TAs plus a constraint list.  Since LTAs are also a more
general mechanism (they can be shared by a group of like-minded folks
more easily than a constraint list -- just create a TAL pointing at
the LTA) and since LTAs have the nice property of keeping the raw
constraint list out of the validator itself (thus keeping the
validator that much simpler), my advice to anybody who thinks they
need a constraint list would be to use a LTA.

We can discuss this further at the face to face meeting if you like,
but that's the summary as I see it at the technical layer.

Layers 8+ are mostly out of scope for this list, so let me just say
that I am really hoping that IANA and the RIRs will get their
collective act together and issue a single TA before this becomes a
serious problem.  They say that they intend to do so.  As somebody (KC
Claffy?) said a few years ago, relying parties should not have to sort
out this mess, that's what the industry pays the RIRs to do.  For the
moment I'm willing to take the RIRs' word that they intend to do their
job and just need a bit more time.  YMMV.

If that fails, well, maybe we can talk to Olaf Kolkman about having
his friend Bert sign the RPKI root.  This isn't rocket science.