Re: [sidr] SIDR ReCharter - to capture/cover path validation work

2011-02-28 Thread Geoff Huston
>> If that is the case, having a set of policy objects expressing AS relationship should do the same thing and more with less overhead? (yes, I know that data integrity becomes an issue, but data integrity is always an issue.)

I was deliberately keeping away from participating

Re: [sidr] SIDR ReCharter - to capture/cover path validation work

2011-02-28 Thread Randy Bush
> If that is the case, having a set of policy objects expressing AS relationship should do the same thing and more with less overhead?

real policy is per prefix, customer, peer, and things disgustingly more complex, with complications of backdoor relationships, ibgp policies to implement regiona

Re: [sidr] SIDR ReCharter - to capture/cover path validation work

2011-02-28 Thread Christopher Morrow
On Mon, Feb 28, 2011 at 11:28 PM, Andrew Lange wrote:
> If that is the case, having a set of policy objects expressing AS relationship should do the same thing and more with less overhead? (yes, I know that data integrity becomes an issue, but data integrity is always an issue.)

if y

Re: [sidr] SIDR ReCharter - to capture/cover path validation work

2011-02-28 Thread Andrew Lange
John, To reply to my own message, after reading through the rest of this chain. Is all we're trying to do here is to establish a "custodial chain" of a route to prevent some ill-behaving AS in the middle attempting to hijack a route, effectively by pretending that the source AS is behind it, s

Re: [sidr] SIDR ReCharter - to capture/cover path validation work

2011-02-28 Thread Andrew Lange
Geoff, My reasoning is that without a specific policy statement, such as "B should be announcing this route, signed A", then we can demonstrate that B did announce it, but not if B should have announced it. With that policy object then we can construct the route filter to check that not onl

Re: [sidr] SIDR ReCharter - to capture/cover path validation work

2011-02-28 Thread Andrew Lange
Sriram, Why would you accept a route de-aggregated by an upstream? If signed route-object says AS_A owns and announces only the route 1.2.3.0/20 and I'm seeing 1.2.3.0/21 from AS_B, the route filter should be configured not to accept more specifics. If AS_A wants to de-aggregate, it can spli

Re: [sidr] SIDR ReCharter - to capture/cover path validation work

2011-02-28 Thread Andrew Lange
John, But wouldn't a record of an existing announcement also show that AS_B did in fact announce which of AS_A's routes and in what form? Why does it need to be signed if all we want to do is record what happened? Perhaps I'm missing something

Andrew

On Feb 24, 2011, at 5:27 AM, John G.