*Working group chair hat _off_*
Stephen Kent wrote:
> At 5:59 AM -0400 8/1/07, Michael Richardson wrote:
> ...
> > But, if the validity times are significantly different such that one
> > prefix is going to change prior to the certificates expiring, should the
> > ISP really even be advertising the aggregate?
>
> The allocation certs may have validity intervals that overlap for a
> number of months, so why not advertise the aggregate for that time
> interval? The ROA would have to have a validity interval that does not
> exceed that of the cert(s) used to verify it, but that could still be a
> usefully long interval.
>
> There is no sense that the resource holder will lose the allocation
> when it expires. Typically the allocation is renewed. However, if the
> issuer (an RIR, NIR or LIR) wants to keep its life simple and drive cert
> lifetimes off of its allocation management database, then it may not be
> willing to issue a single cert covering the two allocations, hence the
> motivation cited by Geoff and Sandy for this added complexity for ROAs.
It is not only validity dates that motivated my comment to support
multiple signings of a ROA. If one looked into the old B and C space
and followed the various trails of movement of some of these address
blocks, then there may well be situations where there are adjacent
aggregatable prefixes that have different validation paths and hence
cannot be aggregated into a single certificate that covers the aggregate
prefix. If you want to have a ROA that covers the prefix and does not
entail the relying party making guessing games as to intent (ugh!), then
having multiple signings over the ROA makes sense to me as a capability
in the ROA specification.
Geoff
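The two constraints argued over in this exchange, as an added illustration that is not code from the sidr thread or from any RPKI implementation: a ROA's validity interval may not exceed that of the certificate(s) used to verify it, so a ROA signed under several certs is bounded by the intersection of their intervals; and an aggregate whose halves sit under certs with different validation paths is covered only by the union of those certs, never by one of them. The certificate names, prefixes and dates below are constructed for illustration, and ResourceCert is a hypothetical stand-in for a resource certificate, not a real parser.

```python
"""Added example, not code from the sidr thread or any RPKI implementation.

Models a relying-party check for a ROA signed under several resource
certificates: the union of the certs must cover the ROA prefix, and the
ROA's own validity must lie inside the intersection of the certs' validity
intervals. Certificate names, prefixes and dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_network


@dataclass(frozen=True)
class ResourceCert:
    """Hypothetical stand-in for an RPKI resource certificate."""
    name: str
    prefixes: tuple          # ip_network objects the cert certifies
    not_before: datetime
    not_after: datetime


def covers(certs, roa_prefix):
    """True if the union of the certs' prefixes covers roa_prefix entirely.

    Uncovered address space is tracked as a list of networks; each certified
    prefix either swallows a chunk, carves a hole out of it, or misses it.
    """
    remaining = [ip_network(str(roa_prefix))]
    for cert in certs:
        for certified in cert.prefixes:
            still_uncovered = []
            for chunk in remaining:
                if chunk.version != certified.version:
                    still_uncovered.append(chunk)       # IPv4 vs IPv6, cannot overlap
                elif chunk.subnet_of(certified):
                    continue                            # chunk fully covered
                elif certified.subnet_of(chunk) and certified != chunk:
                    still_uncovered.extend(chunk.address_exclude(certified))
                else:
                    still_uncovered.append(chunk)       # disjoint, still uncovered
            remaining = still_uncovered
    return not remaining


def joint_validity(certs):
    """Intersection of the certs' validity intervals, or None if they do not overlap."""
    start = max(c.not_before for c in certs)
    end = min(c.not_after for c in certs)
    return (start, end) if start < end else None


def validate_roa(roa_prefix, roa_not_before, roa_not_after, signing_certs):
    """Accept the ROA only if the signing certs jointly cover the prefix and
    the ROA's interval lies inside their joint validity window."""
    if not signing_certs:
        return False, "no signing certificate"
    if not covers(signing_certs, roa_prefix):
        return False, "prefix not covered by the union of the signing certs"
    window = joint_validity(signing_certs)
    if window is None:
        return False, "signing certs' validity intervals do not overlap"
    if roa_not_before < window[0] or roa_not_after > window[1]:
        return False, "ROA validity exceeds the joint validity of its signing certs"
    return True, "ok"


# Constructed sample: two adjacent /25 allocations renewed on different
# schedules, so no single cert covers the /24 the holder wants to advertise.
CERT_A = ResourceCert("cert-A", (ip_network("192.0.2.0/25"),),
                      datetime(2007, 1, 1), datetime(2008, 6, 30))
CERT_B = ResourceCert("cert-B", (ip_network("192.0.2.128/25"),),
                      datetime(2007, 4, 1), datetime(2008, 12, 31))
AGGREGATE = ip_network("192.0.2.0/24")


if __name__ == "__main__":
    both = [CERT_A, CERT_B]
    print("joint window:", joint_validity(both))
    print(validate_roa(AGGREGATE, CERT_B.not_before, CERT_A.not_after, both))
    print(validate_roa(AGGREGATE, CERT_B.not_before, CERT_B.not_after, both))
    print(validate_roa(AGGREGATE, CERT_A.not_before, CERT_A.not_after, [CERT_A]))
```

The window a relying party gets for the /24 is the overlap of the two allocations (April 2007 to June 2008 in the sample), which is the "usefully long interval" Kent refers to; signing with cert A alone fails on coverage, and a ROA dated out to cert B's expiry fails on validity even though both certs sign it.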
_______________________________________________
Sidr mailing list
https://www1.ietf.org/mailman/listinfo/sidr