At 5:59 AM -0400 8/1/07, Michael Richardson wrote:
... But, if the validity times are significantly different such that one prefix is going to change prior to the certificates expiring, should the ISP really even be advertising the aggregate?
The allocation certs may have validity intervals that overlap for a number of months so why not advertise the aggregate for that time interval? The ROA would have to have a validity interval that does not exceed that of the cert(s) used to verify it, but that could still be a usefully long interval.
There is no sense that the resource holder will lose the allocation when it expires. Typically the allocation is renewed. However, if the issuer (an RIR, NIR or LIR) wants to keep its life simple and drive cert lifetimes off of its allocation management database, then it may not be willing to issue a single cert covering the two allocations, hence the motivation cited by Geoff and Sandy for this added complexity for ROAs.
Steve
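Added example, not part of the original message or of any SIDR specification: a sketch of the constraint discussed above, where a ROA for an aggregate can be valid only while every allocation cert needed to verify it is valid. The cert records are simplified dictionaries with constructed prefixes and dates (not parsed X.509), and the function names are hypothetical.

```python
from datetime import date
from ipaddress import ip_network, collapse_addresses

# Constructed sample data: two adjacent allocations certified separately,
# with validity intervals that overlap for part of 2007.
CERTS = [
    {"prefix": "10.0.0.0/17", "not_before": date(2007, 1, 1), "not_after": date(2007, 12, 31)},
    {"prefix": "10.0.128.0/17", "not_before": date(2007, 6, 1), "not_after": date(2008, 5, 31)},
]


def relevant_certs(aggregate, certs):
    """Certs whose certified prefix overlaps the aggregate to be advertised."""
    agg = ip_network(aggregate)
    return [c for c in certs if ip_network(c["prefix"]).overlaps(agg)]


def covers(aggregate, certs):
    """True if the certified prefixes together cover every address in the aggregate."""
    agg = ip_network(aggregate)
    # collapse_addresses merges adjacent and nested prefixes into maximal blocks,
    # so a fully covered aggregate ends up inside exactly one merged block.
    merged = collapse_addresses(ip_network(c["prefix"]) for c in certs)
    return any(agg.subnet_of(m) for m in merged)


def roa_window(aggregate, certs):
    """Longest validity interval a ROA for `aggregate` could carry, or None.

    The interval must not exceed that of any cert used to verify the ROA,
    so it is the intersection of the relevant certs' validity intervals.
    """
    needed = relevant_certs(aggregate, certs)
    if not needed or not covers(aggregate, needed):
        return None  # part of the aggregate is not certified at all
    start = max(c["not_before"] for c in needed)
    end = min(c["not_after"] for c in needed)
    return (start, end) if start <= end else None  # None: intervals never overlap


if __name__ == "__main__":
    print(roa_window("10.0.0.0/16", CERTS))
```
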
