On Oct 7, 2009, at 10:47 AM, Robert Kisteleki wrote:

> Suppose you're ISP1, and want to sell some part of your clients to ISP2 (this happens: mergers, splits, you name it). In other words, you want to transfer a live, routed and used chunk of space to another party. How would you execute this while ROAs are in place?

ISP1 would issue ROAs with ISP2 as authorized origin AS for
prefixes in question, no?

> If you think about it you'll realize that there have to be multiple ROAs which overlap in terms of validity time, otherwise you introduce exact timing, which sounds pretty difficult to execute with 30K+ participants.

My concern isn't about collision/overlap of ROAs at the bottom
of the RPKI hierarchy, that seems perfectly reasonable to me if
the operator so chooses.

My concern is about resolution of collisions among TAs and CERTs
at the top, in particular when the TAs are NOT congruent to the
address allocation hierarchy - how does a relying party elsewhere
resolve this when the TA and allocation hierarchy are not congruent
(not to mention implications on attack surface as a result).

-danny


_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
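
The overlapping-ROA transfer discussed in the message above, as an added example that is not part of the original thread: it classifies announcements with the covering-ROA match rule of RFC 6811 origin validation and compares an overlap window against a hard cutover. The prefix, ASNs, day-numbered validity windows and the names `ROA`, `validate` and `timeline` are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int
    not_before: int  # validity window in days from an arbitrary day 0 (assumption)
    not_after: int

def validate(route: str, origin: int, roas, day: int) -> str:
    """Classify one announcement on one day as valid / invalid / not-found."""
    net = ip_network(route)
    # Only ROAs that are inside their validity window and cover the route count.
    covering = [r for r in roas
                if r.not_before <= day <= r.not_after
                and net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not-found"
    if any(r.asn == origin and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"

ISP1, ISP2 = 64496, 64497   # constructed: documentation ASNs
PFX = "192.0.2.0/24"        # constructed: documentation prefix

# Transfer with overlap: both origins are authorized from day 10 to day 20.
OVERLAP = [ROA(PFX, 24, ISP1, 0, 20), ROA(PFX, 24, ISP2, 10, 40)]
# Hard cutover: ISP1's ROA ends on day 15, ISP2's starts on day 16.
CUTOVER = [ROA(PFX, 24, ISP1, 0, 15), ROA(PFX, 24, ISP2, 16, 40)]

def timeline(roas, days=(5, 16, 30)):
    """Map each day to (state of ISP1-originated route, state of ISP2-originated route)."""
    return {d: (validate(PFX, ISP1, roas, d), validate(PFX, ISP2, roas, d))
            for d in days}

if __name__ == "__main__":
    for name, roas in (("overlap", OVERLAP), ("cutover", CUTOVER)):
        print(name, timeline(roas))
```

On day 16 the overlap set accepts either origin, while the cutover set already marks ISP1's announcement invalid, so the BGP change would have to land on exactly that day.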
