Re: [Sidrops] Which 8210-bis error code should be used?

[Jay Borkenhagen <jayb@braeburn.org>]

Hi Claudio,

Regarding the case where an ASPA exists for one AFI but not the other:

I acknowledge your preference to not require separate but nearly
identical tables for ipv4 and ipv6, and I agree with you that an
ASPA-verifying bgp implementation can deal with this situation in its
hop-check function by inferring a table entry for that 'missing' AFI.

However, inferring an AS0 ASPA table entry is almost certainly not
what the creator of the single-AFI ASPA had intended.  I do not know
all the reasons why someone would create an ASPA for one AFI but not
the other, but two that come to mind are:

- "All my INRs are ipv4, so I don't care about ipv6" -- in which case
  it doesn't matter how ASPA-verification treats ipv6 for this ASN,
  
and:

- "I want to wade carefully into ASPA, so let me do only ipv6 first"
   -- in which case they do not intend to imply that they are
   default-free for ipv4. 

Because an assertion of being default-free is not what any single-AFI
ASPA creator would intend, this takes us down the path of whether
ASPA-generating CAs should prohibit or warn operators that they're
about to do something with more severe consequences than they may
realize.  It would be good to avoid that mess.


As an alternative, I would like to propose inferring a wildcard table
entry for the missing AFI, as if the signer had created an ASPA
indicating that every other ASN is one of its providers for the
missing AFI.


For the process of rejecting invalid AS_PATHs, a wildcard will have
the same result as if no ASPA existed, which is the actual situation
at hand for that 'other' AFI.


Thanks.

						Jay B.