[c-nsp] RPKI extended-community RFC8097
Radu-Adrian FEURDEAN
cisco-nsp at radu-adrian.feurdean.net
Tue Apr 21 19:15:22 EDT 2020
On Tue, Apr 21, 2020, at 23:53, Job Snijders wrote:
> a normal or a large community (within your own 'namespace') and tell
> your peers that's the one you are using for a specific purpose.
This is what LINX and France-IX do, this also works on IBGP, and this is why RFC8097 has a very low (close to zero) value.
> However, I don't think you can really signal the validation state
> across administrative boundaries. The trust is not transitive,
> especially over most-likely unsecured BGP transport. There is no
> mechanism in BGP to verify if the peer can be trusted to set the right
> communities, operational parameters about the peer's validation process
> are not visible through BGP.
Take it like "RPKI As A Service". People ready to take/use pretty much everything "aaS" (whether it makes sense or not) are not difficult to find. You have several kinds of "security as a service", including "managed security", so RPKIaaS isn't much worse than that.
--
R.-A. Feurdean
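
The trust boundary discussed in the quoted text, as an added example that is not part of the original message: a receiver honours the RFC 8097 origin validation state extended community only on IBGP sessions and drops it unprocessed when it arrives from an EBGP peer, which is the default handling RFC 8097 specifies. The function names, the `"ibgp"`/`"ebgp"` session labels and the sample attribute bytes are constructed for illustration.

```python
import struct

# RFC 8097 origin validation state: opaque extended community, type 0x43,
# sub-type 0x00, five reserved octets, then one octet of validation state.
OVS_TYPE, OVS_SUBTYPE = 0x43, 0x00
STATES = {0: "valid", 1: "not-found", 2: "invalid"}


def split_ext_communities(value: bytes):
    """Split an EXTENDED_COMMUNITIES attribute value into 8-octet communities."""
    if len(value) % 8:
        raise ValueError("attribute length must be a multiple of 8 octets")
    return [value[i:i + 8] for i in range(0, len(value), 8)]


def ovs_state(community: bytes):
    """Return the signalled state name, or None if this is another community."""
    if (community[0], community[1]) != (OVS_TYPE, OVS_SUBTYPE):
        return None
    return STATES.get(community[7], "unrecognized")


def filter_on_receive(value: bytes, session: str):
    """Return (attribute bytes to keep, validation state to act on).

    session is "ibgp" or "ebgp" (hypothetical labels). A state set by an
    external peer cannot be verified, so it is removed and never acted on.
    """
    if session not in ("ibgp", "ebgp"):
        raise ValueError("session must be 'ibgp' or 'ebgp'")
    kept, state = [], None
    for community in split_ext_communities(value):
        signalled = ovs_state(community)
        if signalled is None:
            kept.append(community)      # unrelated community: pass through
        elif session == "ibgp":
            kept.append(community)      # same administrative domain: trust it
            state = signalled
        # ebgp: drop the community without processing it
    return b"".join(kept), state


# Constructed sample: a route target (64500:100) plus an "invalid" state marker.
ROUTE_TARGET = struct.pack("!BBHI", 0x00, 0x02, 64500, 100)
OVS_INVALID = bytes([OVS_TYPE, OVS_SUBTYPE, 0, 0, 0, 0, 0, 2])
SAMPLE = ROUTE_TARGET + OVS_INVALID

if __name__ == "__main__":
    for session in ("ibgp", "ebgp"):
        kept, state = filter_on_receive(SAMPLE, session)
        print(session, kept.hex(), state)
```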