Re: [Sidrops] Which 8210-bis error code should be used?

[Claudio Jeker <cjeker@diehard.n-r-g.com>]

On Wed, May 24, 2023 at 10:05:58AM +0200, Martin Hoffmann wrote:
> Claudio Jeker wrote:
> > 
> > I agree that ASPA-generating CAs (especially the RIR portals) need to
> > stop or warn operators when they create entries that only cover one
> > AFI. Actually the portals should discourage the operator to use AFI
> > specific entries in the first place.
> 
> This sounds a lot like we are creating the next max-len debacle. Have
> we seriously considered just not having afiLimit at all? The
> consequence would be that a couple ASPAs have a couple ASNs in their
> provider set that aren’t valid providers for a subset of prefixes.
> 
> How does the added protection weigh against the added complexity
> at all stages of the protocol, particular in view of the strong
> recommendation to not use the feature at all?
> 
> I.e.:
> 
> > Remember:
> > Rule number one to improve security is to remove options, not adding
> > them.> 
> 
> 
>   -- Martin
> 
> PS: Yes, I know it is very late in the process. But this keeps popping
>     up which is a good indicator that it will keep popping up later and
>     cause operational issues. Perhaps avoiding that is worth the extra
>     hassle now?

I would love to remove the optional afiLimit from ASPA.
I brought this up a few times (well before there was any implementation of
any ASPA draft) and every time the answer of some of the authors was no
(without any particular reason).

As one of the developers of the first RP and only BGP implementation
handling ASPA I would enjoy to remove all the code required to handle the
afiLimit. We probably control most test deployments (RP and BGP side) and
are willing to make this change.

-- 
:wq Claudio