►
From YouTube: IETF104-SIDROPS-20190326-0900
Description
SIDROPS meeting session at IETF104
2019/03/26 0900
https://datatracker.ietf.org/meeting/104/proceedings/
B
E
Good
morning,
it's
now
time
for
ITF
104,
cider
ops.
If
you're
here
for
sadder
ups,
that's
terrific,
if
you're
not
it
might
be
fun
I'm
Chris.
This
is
Kher.
Were
your
chairs.
If
you're
presenting
today
Mike
like
this
stand
on
X,
okay,
no!
Well,
everybody
brought
their
binoculars
good.
Here's
our
agenda.
We
have
two
hours.
So
you
know
ten
minutes
is
a
bit
fungible,
but
it
always
is
questions.
E
Well,
well,
we'll
fix
that
in
post,
okay,
so
we
have
some
drafts,
we
have
one
that's
in
the
editors
Q
rollover,
there's
four
that
are
in
processing
the
one
with
the
star.
Lt
use-cases
had
a
little
bit
of
extra
fun
and
may
have
some
more
fun
when
it
gets
to
ETF
last
call
we'll
see,
and
then
these
last
three
are
still
working
through
the
process.
E
If
you
are
an
editor
or
author
on
one
of
those
last
three
and
you
think
it's
ready
to
go,
you
should
definitely
email
list
and
say
I
think
this
should
be
sent
to
working
group.
Adoption
or
sorry
welcome
to
last
call
all
right.
No
questions,
good,
okay,
slides!
So
now
is
there
a
Daniel
in
the
room
with
slides?
Do
you
have
slides
what
no
you
didn't.
H
H
There
we
go
for
the
moment:
let's
use,
determine
evaluator,
which
is
an
origin
validation
device,
so
it
gets
bgp
data.
It
gets
our
Ovie's
in
the
term
of
whatever
we
called
them
once
we
throw
away
the
crypto
I
forget
and
it
signals
the
validity
signals.
Only
invalid
announcement
back
to
the
bat
devices
which
sent
the
invalid
BGP
announcements.
H
Ok,
so
that
the
device
can
drop
invalids.
The
idea
here
is
better
scale
out.
Ok,
so
that
all
the
devices
in
the
pop
do
not
have
to
have
origin
validation
code.
They
also
don't
have
to
load
the
rpki
cache.
It
can
also
make
the
poll
pop
more
consistent
in
terms
of
the
validation
state.
So
you
don't
get
excitement
with
stuff
going
around
it's
kind
of
like
route
reflectors
and.
H
H
H
Okay,
BMP
would
probably
be
better
choice.
If
we
could
choose,
the
discussion
on
list
was
essentially
how
do
we
signal
back
from
the
evaluator
to
the
BGP
speaker,
and
there
were
three
alternatives
on
list
and
I
throw
the
fourth
in
just
to
be
annoying
the
draft
as
it
stands
uses
in
band.
Okay,
the
evaluator
sends
the
announcement
it
received
as
it
received
it.
Paithan
all
with
a
community
tag
back
to
the
BGP
speaker.
H
H
Okay,
because
don't
want
the
router
doing
things
for
me
magically,
but
it
did
well
define
a
community
to
signal
state,
and
so
we
could
reuse
that
or
you
could
find
some
other
way
to
color
the
announcement.
Some
other
community
god
help
us
and
attribute
whatever
and
the
originator
of
the
bgp
announcement
when
she
hears
back
that
it
was
invalid,
presumably
drops
it
a
new,
a
theis
a
fee
could
return
invalid,
announced
since
backed
to
the
sender
with
an
a
fee.
Safi
specifically
for
this,
it
could
contain
more
granular
info
about.
H
Why
it
was
invalid,
Oliver
kind
of
likes
this
and
the
originator
drops
the
path,
of
course,
but
a
new
a
fee
Saffy's
a
lot
of
implementation,
which
is
why
it's
not
what
the
draft
is
suggested,
hack
up,
rpki,
router,
further
add
one
or
more
PDUs
6810
s,
not
the
right,
RFC
anymore.
Is
it
whatever
it's
called
now
ask
one
of
the
authors:
ask
a
different
one
of
the
authors,
so
the
pro
so
we
have
the
rpki
router
protocol.
H
H
I
H
I
H
H
J
L
So
I'm
here
with
signalling
prefix,
Arjen
validation,
results
from
occupier
to
other
PGP
speakers
and
one
of
the
co-authors.
Others
are
from
zzyx
I'm
from
dick
Hicks
and
one
is
from
for
Sikes.
L
This
draft
has
been
a
while
in
the
ITF
like
now
it's
three
years,
something
like
that
and
I
just
like
would
like
to
give
a
recap
and
show
you
what
it
is
about.
So
the
main
idea
of
this
draft
was
in
the
domain
of
an
XP
network
to
forward
the
validation
result
from
the
route
server,
which
is
doing
a
PKI
validation
within
community
to
the
peers.
So
this
in
the
domain
of
the
of
an
IXP.
So
it's
a
little
bit
complicated.
L
It's
also
its
external
BGP,
but
it's
a
kind
of
trust
that
domain
I
would
say.
This
was
always
a
discussion
point
here,
so
why
I
would
like
to
do
it
and
we
see
it
as
a
lightweight
method
to
to
do
applica
a
validation,
so
people
can
use
it
at
IXP
for
dropping
invalids.
Maybe
if
routers
can't
do
it
it's
out
themselves,
it's
like
a
backward
compatibility
or
for
monitoring
maintenance,
troubleshooting
or
research
or
educational
purposes.
L
So
there
might
be
a
variety
of
things
to
do,
even
if
even
if
they're
out
server
is
dropping
a
PK
by
default,
it
might
still
be
useful.
So
the
way
it
works
is
we
have
this
networks
and
BCD.
They
are
all
connected
to
the
Twitter
XP,
the
route
service,
receiving
routes
from
peers,
doing
applica
validation
and
forwarding,
like
the
announcement
to
other
peers
and
tagging
tagging.
The
validation
result
with
the
community
through
these
peers,
so
it
should
not
cross
the
border
from
say
see
to
why
it
should
stay
at
the
XP
at
this
community.
L
The
current
implementation
for
a
community
that
was
also
discussed
on
a
mailing
list.
Thus,
now
that
we
have
transitive
for
octet
AAAS
specific
extended
community
before
we
was,
we
had
the
same
like
1897
and
but
because
we
are,
the
ixp
is
technically
an
ex
an
external
bgp
community.
We
discussed
and
said
that
we
have
to
use
this
one,
which
also
has
to
be
transit
transit
if
we
don't
want
to
be
transitive,
but
for
the
remain
of
an
IXP,
I
was
said
we
have
to
use
this
one.
L
So
in
this
community
we
have
the
a
s
that
is
doing
the
prefix
validation,
which
would
be
the
XP
at
the
route
server,
and
we
have
the
validation
state
and
in
the
development
of
the
draft
we
also
came
up
with.
It
was
more
tailored
to
XP.
So
we
came
up
with
different
modes
of
operation
which
are
basically
the
things
you
could
think
of
that
could
run
at
the
route
server
you
could
either
when
the
route
service
forwarding
the
the
prefixes.
L
You
could
either
just
take
everything,
don't
do
anything
with
with
well
with
the
states
you
have
like
yeah,
keep
envelopes
and
everything
and
just
forward
everything
by
just
taking
it,
and
the
peer
can
do
it
at
once.
Then
you
can
drop
invalid
prefixes.
That
would
be
the
case
if
you
say
we
want
to
have
drop-in
ballots
at
iock
speed
by
default
and
still
forwarding
the
unknowns
and
developed
routes,
but
also
change
them,
and
you
can
also
drop
in
minutes
and
unknowns
and
just
for
what
the
valid
ones
so
I
mean.
L
You
could
also
think
about
doing
this
by
having
a
customer
portal,
and
you
say
I
want
to
have
that
mode.
That
mode
like
default
mode
could
be
more
to
drop
in
billets,
and
you
could
also
say
there's
something
wrong.
I
want
to
have
all
prefixes
and
say
what
it
is
yeah
to
troubleshooting
rough
timeline
to
understand
where
this
graph
is
coming
from
before
I
was
born
to
ITF,
and
this
draft
liked.
L
The
idea
of
this
try
to
hitchhike
with
this
80
79,
which
was
also
Randi
talking
about,
but
this
one
is
only
for
internal
BGP,
so
we
try
to
also
get
the
external
stuff
in
there,
but
it
was
too
late
was
already
last
call.
So
an
own
version
of
the
raft
born,
which
was
basically
just
the
same,
but
replaced
the
AF
of
BGP
with
the
e
of
BGP
and
was
externally
TP.
Then
it
was
tailored
to
IXPs
modes
of
operations
were
added
and
the
last
thing
that
happened.
L
The
major
last
thing
was
we
swapped
the
community
that
the
draft
and
the
RC
1879
used
with
the
external
prefix
origin
validation.
That
is
also
okay
for
external
bgp,
and
this
is
also
some
while
ago,
I
think
almost
a
year.
Meanwhile,
we
had
like
a
discussion
on
the
mailing
list.
Half
a
year,
I
think
we
implemented
the
most
technical
things.
There
was
what
there
was
also
a
lot
of
political
discussion
going
on,
and
meanwhile
the
ARCIC
adaption
is
continuing
in
ballots
are
being
dropped
by
default.
L
The
different
networks,
but
I
still
think
that
there's
demand
for
tagging
the
validation
state,
@ix
piece.
Why?
Because
people
ask
me
how
to
implement
it
and
I?
Think
there's
also
now
a
little
bit
confusion
with
some
FCAT
97
and
with
this
one,
because
they
see
they
want
to
tag
communities,
and
then
they
see
this
other
draft
and
then
they
see
our
draft
and
they
think
like
ok,
what
to
do
now
is
it
that
or
that
whatever
we
have
to
do,
and
so
I
think
this
is
a
little
bit
unsatisfying
situation.
M
Now
Jacob
hides
from
Cisco
I'm.
Sorry
I
haven't
read
that
route
recently,
but
I
believe
there
are
three
validation
states
right,
valid
invalid
and
not
found.
Is
that
correct?
Yes,
there
should
be
a
Fourth
Estate.
This
is
Shri
Rama's
point
through
three
rhymes
last
point.
The
fourth
state
is,
the
validation
has
not
been
performed.
Yet
it's.
L
M
A
A
It
is
really
questionable
whoever
you
want
to
continue
to
send
routes
that
you
determined
to
be
bad
to
your
customers
and
I,
hear
you
say:
yes,
you
and
your
friends
are
essentially
doing
the
dropping
and,
while
okay,
why
why?
Why
not
lift
the
burden
of
doing
decisions
themselves
and
coding
complex
policies
from
you
users,
and
just
do
it?
That's
one
thing.
The
other
thing
is
the
extended
community
coding
was
chosen
because
the
large
communities
were
not
yet
they're.
A
Asking
for
implementation
and
use
of
extended
communities
means
you
have
to
wait
about
two
years
until
the
Reuters
rollout
implementations
for
doing
the
marking
and
providing
the
policy
primitives
in
fact,
that
actually
can
read
can
make
decisions
based
on
what
communities
are
there
and
between
the
time
when
the
Ruta
code
becomes
available
in
production
quality
and
you
were
users
actually
deploy
it.
There
may
be
another
delay
of
two
to
ten
years
with
large
communities.
You
can
bet
every
vendor
that
would
be
supporting
the
new
extended
community.
H
A
L
Answer
to
that
I
understood
that
this
is
the
only
way
we
can
go
with
the
community.
I
would
have
been
happy
with
anything
I
think
if
we
are,
if
you
see
software
routers
implementing
stuff,
that
is
going
to
happen
faster.
So,
if
you
think
about
research
vacation,
it
would
still
make
sense-
and
we
are
already
three
years
on
this
draft
so
five
years
don't
mind.
N
H
Don't
want
to
get
into
how
many
validation
this
is
not
the
point
place
to
get
it
there.
Time
to
get
into
validation.
States
will
leave
that
when
we
talk
about
Tom,
Oliver
stuff,
but
I
want
to
agree
with
rüdiger,
both
of
the
previous
that
both
the
previous
draft
in
this
draft,
if
we're
going
to
use
a
community
signal,
should
use
a
large
community,
not
an
extended
community,
and
it
would
be
nice
if
they
both
use
the
same
community
definition.
N
Montgomery
NIST-
that's
not
close
enough-
did
I
understand
correctly
that
you
envision
a
mode
of
operation
where
the
ixb
could
offer
different
services
to
different
clients
right
one
one
was
dropped
and
potentially
drop
invalids.
One
was
just
signal
it
back
to
me
yeah.
Actually,
there
was
three
but
I
gave
you
a
third
one.
Yeah.
N
Right
so
that-
and
maybe
the
previous
draft
I
mean
that
makes
a
lot
of
sense
to
me
right,
you
can
opt
in
to
whatever
service
you
want
out
of
it,
while
in
some
ways
drop
invalid
seems
to
be
the
only
origin,
validation
policy
that
makes
sense
to
me,
I,
don't
think
we
should
eliminate
the
other
one.
So
I
kind
of
like
idea
that
you
can
opt
in.
O
O
You're
caught
your
colleague
states
I
specified
that
the
maximum
length
is
21
okay,
but
your
draft
is
suggesting
that
it's
fine,
if
I
propagate
these
invalids.
As
long
as
I
tacked
on
with
a
special
community
and
what
I
really
I
there's
a
strong
disconnect
between
how
operators
are
deploying
RPI,
how
they're
deploying
invalid
is
reject
policies
and
and
what
you're
suggesting
here.
I
would
ask
you
to
abandon
this
draft.
We
should
not
be
signaling
validation
states
over
ebgp
sessions,
especially
not
if
it
promotes
the
idea
of
propagating
in
pellets
or
dropping
unknowns.
L
Don't
think
like
I,
don't
see
it
like
that
I
mean
I,
don't
see
that
it's
weakening
some
something
that
brings
something
to
the
world
that
isn't
there
anymore
I
just
see
it
like
you're,
standardizing
or
you're,
saying
something
it
should
be
done
like
this
and
you're
notifying
people
hey
take
care
about
this.
Take
care
about
this
I
mean
the
tagging
of
stuff
has
been
done,
anyways
that
X
piece
and
there's
community
is
wobbling
around
to
the
whole
internet.
So
yeah
I
think
it's.
This
might
be
just
confusing
to
people
and
other
ways
their
will.
O
That's
not
a
transitive
community
and
in
previous
versions
of
the
draft
the
offers
were
attempting
to
use
non-transitive
extended
communities
across
a
bgp
sessions.
It
goes
to
demonstrate
that
this
idea
was
never
tested
in
practice,
because
there
is
no
BGP
implementations
that
would
propagate
that
and
that
further
emphasizes
that
this
is
not
anchored
in
reality.
In
my
opinion,
we
should
not
be
propagating
invalids.
Itf
should
encourage
engineers
to
reject
or
be
careful
of
announcements.
This
draft
is
the
opposite,
so
it
weakens
security
posture
all.
L
H
Randy
Pausch
IJ
anarchist.
The
trade-off
here
is
whether
you
act
for
the.
H
The
question,
of
course,
is
from
the
ixb
members
point
of
view.
If
you
listen
to
that
signal,
are
you
outsourcing
your
security
and
for
that
we've
had
the
discussion
of
when
you
drop
the
invalid
and
don't
give
it
to
me
I've,
let
you
control
my
security,
so
I'm,
counting
on
you
for
my
routing
in
the
first
place.
Is
this
any
worse
trying
to
signal
something
Chris.
L
E
N
Duck
montgomery
again,
so
you
know
I
personally
don't
buy
all
of
this
outsourcing
security
keep
hearing
over
and
over
again
right
that
people
want
an
incremental
way
to
adopt
these
technologies.
They
want
to
be
able
to
debug
them,
even
if
I'm
gonna
throw
invalid
on
the
floor.
I
might
want
that
signal
back
to
me
and
I'll,
throw
it
on
the
floor.
At
least
I
can
look
on
my
box
and
understand
what
happened.
P
Timothy
and
X
so
I
do
remember
when
this
proposal
was
was
emerging
and
I.
Remember
my
question.
That
was
a
couple
of
years
ago,
so
you
do
already
have
filtering
you're
already
using
office
say
why?
Don't
you
try
them
to
mark
these
embedded
routes
and
when
you
are
just
dropping
them,
I
hope.
So,
while
you
are
asking
for
flexibility
in
rural
validation
and
not
asking
for
flexibility
in
visit,
but
I'm
not
suggesting
this
drop-in
veditz,
okay.
P
L
A
If
you
want
to
add
real
value
by
signaling
to
your
members,
consider
signaling
the
guys
who
sent
you
invalid
stuff
and
get
them
informed
about
that.
The
other
way,
the
other
way
will
should
be
should
be,
should
be
evaluated
under
the
question.
What
is
how
to
responsibly
responsibly
act
as
a
network
operator
I.
L
No
yes,
I
mean
the
dropping
is
done
or
it's
coming
at
the
network,
but
this
tagging
is
not
going
out,
but
as
I
understand
it
correctly,
the
route
server
itself
is
doing
it
internally.
So
if
you
go
to
a
looking
class,
for
example,
you
will
see
there
there's
some
extended
communities,
TechEd
for
IRR
validation
and
there's
also
communities
tagged
for
the
aura
validation
and
but
they
are
not
sent
out
to
the
to
the
peers.
I
think
so
that's
just
what
I
saw
with
the
looking
glass.
J
A
A
Yeah
a
couple
of
months
no
well
okay
kind
of
almost
a
year
ago,
I
found
something
quite
surprising
that
seems
to
have
been
half
miss
in
using
rpki
for
a
lot
of
folks
and
in
January.
The
short
draft
came
out
that
has
yeah
well,
okay,
that
that's
explaining
it
and
let
me
let
me
just
go
through
the
ideas
oops.
A
A
Oh
something
went
wrong
there.
Oh,
yes,
then
I
have
a
couple
of
questions
for
the
working
group,
whether
we
need
to
do
a
little
bit
to
add
to
the
draft.
Your
questions
and
comments
and
I
have
some
ramblings.
That
kind
of
continue
the
line
of
thinking
beyond
the
draw
and
I
may
run
off
out
of
time
in
in
that
part,
so.
A
In
general,
I
usually
get
a
little
bit
annoyed
when
I
recently
hear
people
saying
well,
you
must
deploy
rpki
and
they
have
actually
have
essentially
a
very
specific
single
thing
in
mind
and
well.
Okay,
maybe
they
actually
are
acting
on
other
parts
of
the
game,
but
the
communication
to
the
larger
public
kind
of
may
confuse
the
larger
public
about
that.
A
There
are
several
different
parts
and
it
would
be
a
good
thing
to
identify
exactly
what
you
are
talking
about
so
I'm
talking
about
using
the
origin,
validation,
validation
for
in
filtering
policies
and
looking
closer
at
that,
we
find
the
first
order
of
thinking
in
the
community
and
for
the
and
for
the
implementations
and
deployment
has
been
the
idea.
Well,
okay,
I
should
protect
my
AAS
from
importing
bad
stuff
and
well
okay.
What
will
be
the
consequences
of
doing
so?
A
A
Yes,
the
number
of
Reuters
and
configurations
that
manage
the
egress
are
actually
fairly
slow,
fairly
small
and
actually
are
very
rigidly
controlled,
while
the
zoo
of
internal
systems
and
configurations
is
something
like
two
orders
of
magnitude
worse
and
the
control
exercised
on
the
implementations,
and
the
configurations
also
is
much
harder
to
do
say.
Well,
okay,
actually,
I,
don't
trust
what's
happening
there
in
many
cases,.
A
So
that's
essentially
yeah,
if
you,
if
you
don't
want,
if
you
don't
want
to
think
about
well
okay
responsibilities
and
practices
for
acting
responsibly
on
your
external
relations,
you
still
could
ask
yourself:
do
you
want
to
embarrass
yourself
by
relying
on
other
parties,
to
make
your
to
do
your
security
and
give
you
and
give
you
and
give
you
nasty
messages
about
hey?
You
are
sending
me
all
the
time
if
they,
if
they
choose
to
actually
tell
you
or
are
you
kind
of
even
worse,
relying
relying
if
you
are
making
something
bad
are
you?
A
A
There
are
also
implementers
of
BGP
might
also
create
weird
policy.
Primitives
like
well:
okay,
deliberately,
manipulating
a
s
path,
if
that's,
if
that's
provided,
obviously
all
bets
are
off
and
potentially-
and
potentially
things
can
be-
can
get
interesting
if
you
are
dealing.
If
you
are
processing
weird
RAS
paths
essentially
say
a
s,
paths
that
mix
private
and
public
a
SaaS
s
that
something
that
you
better
should
avoid.
A
A
A
Wanted
to
drop
a
couple
of
questions,
whoever,
while
okay,
we
really
need
to
add
stuff
to
the
simple
and
short
draft
questions
that
come
to
mind.
Is
it
necessary
to
to
explicitly
explain
that?
Yes,
this
is
at
this
time
marked
for
standards
track
because
kind
of
I
think
that's
really
right,
but
on
the
other
hand
it
does
not
change
the
protocol
it
just
it
just
it.
Just
not
makes
explicit
that
we
defined
protocol
and
logic
should
be
available
in
the
correct
manner
everywhere.
A
A
A
A
The
thing
that
I
feel
is
really
should
really
be.
Added
is
a
little
bit
of
operational
considerations
and
the
point
the
point
I
see
there
is
that
and
that's
going
to
be
I
think
not
that
trivial
for
the
implementers
as
an
operator,
it
would
be
of
high
value
if
I
can
pull
the
information
about
which
routes
I
do
not
announce,
because
they
are
invalid
and
dropped
to
pull
that
out
easily,
so
that
I
can
go
that
I
can
create
a
ticket
and
tell
my
op
staff
piece
research
where
the
bad
stuff
is
originating
internally.
A
A
H
Xiao
Jian
arcus,
so,
first
of
all,
what
you're
saying
is
that
whatever
RFC
origin
validation
clarifications
became
it's
incomplete.
My
apologies
due
to
the
fact
that,
oh
just
a
point
on
your
wanting
to
know
what
was
marked
as
invalid
and
drop,
how
about
SNMP
I
believe
we
do
have
a
Midlands
it
specifically
with
happiness.
There.
H
A
You
obviously
are
using
weird
policy
primitives
with
the
exception
that
yes,
if
the
neighbor
is
actually
private,
a
s
and
the
other
neighbor
is
public,
then
I
will
have
different
origin,
a
s
but
kind
of
the
the
necessary
logic
for
for
predicting
the
effective
origin.
A
s
is
in
these
cases,
quite
simple.
If
you,
if
you
announce,
if
you
announce
to
me,
origin,
AS
one
and
two
yo
origin,
a
s
free,
you
obviously
have
been
manipulating
the
a
s
path
in
ways
that
you
would
not
agree,
and
I
would
that
you
would
not
find
agreeable.
A
H
H
A
Kind
of
kind
of
I
think
I
think
we
are
in
the
in
agreement.
The
point
that
I
am
making
is
actually
detecting
that
you
have
something
where
the
origin,
a
s.
May
change
is
in
the
non
weird
cases
pretty
straightforward
and
in
the
non
weird
cases
it
is
pretty
straightforward
to
actually
predict
the
effective.
Is
the
effective
origin
and
kind
of
you
could.
A
Even
you
could
even
do
the
decision
somewhere
on
somewhere
in
between
it
is
it
it
is,
unfortunately,
more
tricky
than
I
thought
in
the
beginning,
Jeff
was
so
kind
to
explain
to
me
some
cases
and
well.
Okay
kind
of
the
important
thing
is
one
one
actually
needs
to
take
care
of
the
effective
origin,
and
this
may
be.
This
may
be
more
or
less
complicated,
but
my
argument
is:
unless
you
are
doing
something
that
is
completely
broken,
it
can
be
done.
A
A
Q
John
Scudder
I
don't
want
to
take
a
lot
of
your
time,
but
since
you
asked
about
standard
informational,
etc,
since
you're
telling
implementers
how
to
implement
the
standard,
you
probably
want
to
make
your
documents
say
that
it
updates
the
standard,
which
probably
means
it
needs
to
be
a
standard
which
is
fine.
With
me.
Q
R
Enter
grey
with
charter
communications,
like
the
draft.
From
our
perspective,
just
two
comments:
I
would
like
to
see
in
the
proposal
yeah.
Please
ask
the
implementers
make
how
viewing
what
got
dropped
on
egress
obvious,
because
we've
all
seen
vendors
and
their
tendency
to
kind
of
hide
things
behind
magic,
so
yeah
I
know
you
had
it
on
the
bullet
point
there.
I
was
reading
through
this.
Oh,
yes,
please
put
that
in
there.
R
A
A
A
H
In
Arcis
I
think
the
second
bullet
is
what
the
people
who
did
a
s0
were
trying
to
get
to.
If
I
am,
do
not
mean
to
announce
that
to
the
default
free
zone,
I,
probably
don't
want
anybody
else
announcing
it
either.
H
O
A
Okay
kind
of
I
am
surprised,
Randy
that
you
seem
to
think
that
a
s0
is
something
special
and
the
rules
for
they
are
not.
The
only
special
thing
about
a
s0
is
that
it
cannot
occur
in
real
paths
and
the
robust
it
is
forbidden
there,
and
there
are
even
vendors
that
don't
allow
you
to
put
the
CAS
zero
into
a
s
five
filters,
because
they
say
it
never
can
happen.
You
should
not
be
able
to
filter
it.
I
hope
it's
get
that
gets
fixed
fairly
soon,
but.
A
Yeah
well,
okay,
kind
of
kind
of
the
other.
The
other
thought
that
I
found
I
wanted
to
talk
about
is
well.
Okay,
regularly
do
specialties.
Oh
goodness,
this
looks
like
I
was
that's
a
repeat
of
the
previous
yeah,
but
kind
of
kind
of
the
important
thing
is
the
second
bullet
thinking
about
all
of
this
I
figured
out
in
the
past.
There
have
been
quite
some
people
talking
about
that.
They
want
to
tweak
special
views
of
the
rpki
by
playing
with
the
certificate
system
like
local
trust,
anchors
and
so
on.
A
Are
we
going
to
ask
for
a
split
horizon
RPG
I
in
Reuters
I?
Don't
think
so.
That
looks
to
me,
like
insanity,
not
either
the
way
to
insanity
and
kind
of
that's
that's
apart.
Randy
were
indeed
some
of
the
clarify.
If
clarifications
the
earth
draft
stuff
may
be
falling
to
the
side,
so
that's
oh
yeah
and
then
just
just
a
short
another
one.
I
am
looking
at
the
a
s
numbers
in
the
rpki.
A
Thanks
to
an
interesting
file
maintained
by
the
NRO
I
can
classify
the
a
SS
into
a
SS
that
are
actually
assigned
by
an
r
ir
to
some
user
network
versus
a
SS
that
are
essentially
owned
by
Ayana,
and
none
of
the
inr
owned
a
SS
should
ever
float
through
the
public
me
GP.
That
includes
a
zero.
That
includes
a
s
two
three
four
five,
six,
that
includes
the
private,
a
SS.
It
includes
the
documentation.
A
A
SS
is
includes
the
pools
that
have
not
been
assigned
to
anyone,
and
then
there
is
another
class
that
I
was
a
little
bit
surprised
to
be
able
to
figure
out
of
the
data.
That
is
the
SS
that
have
been
assigned
by
iana
to
the
rears,
but
the
rears
don't
assign
it
to
anybody.
They
may
have.
There
may
have
been
an
assignment
in
the
past
or
it
may
be
fresh
supply
of
a
SS,
that's
sitting
in
the
pools,
and
the
numbers
from
yesterday
are
seven
thousand
three
hundred
roots
a
SS
at
total.
A
As
total
occurring
in
row,
us
42
are
occurring
in
X
occurring
in
actual
rowers
that
never
should
show
show
up
in
the
public
and
for
weird
reasons:
I'm
not
going
to
talk
about
publicly.
The
ASCO
is
not
even
included
and
the
number
the
of
Una's
unassigned.
Our
IRS
is
also
a
quite
interesting
number
and
I.
Think
I
think
I
have
some
a
SS
that
I
own
were.
A
What
I
am
thinking
about
to
do
is
install
a
filter
between
the
cryptographic,
a
relying
party
evaluation
and
the
rpki
Rooter
and
map
all
the
stuff
that
should
not
appear
in
public
to
zero
and
that
prevents,
and
that
prevents
that
if
anybody
manages
to
push
out
into
the
wild
roots
that
actually
are
making
use
of
the
unwanted
a
SS
to
be
purged
from
the
routing
system.
As
far
as
origin
validation
drops
invalids
of.
A
Inr,
the
Ayana
is
delegating
blocks
of
thousand
a
SS
once
in
a
while
to
rears,
and
that
way
there
is
a
dynamic,
but
it
is
a
very
low
frequency
dynamic
while
of
course,
the
dynamic
of
rears
assigning
or
taking
big
things.
That
is
happening.
That
is
happening
about
two
per
day
or
three
per
day.
The
Ayana
is
happening,
something
like
every
a
half
year
or
so,
and
Aria
Block
pools
the
same
question.
Is
that
study?
No,
that's!
That's!
A
Q
H
Q
So
I
I
don't
know
how
much
time
we
have
for
Q&A
I
saw
Chris
looking
at
his
watch.
So
not
a
lot
and
Jobe
is
behind
me.
So
I
I
will
just
say
that
that
last
slide
you
presented
is
interesting.
Thought-Provoking
I
have
a
bunch
of
things
to
say
about
it
and
I
think
that
it
would
be
useful
to
either
talk
about
later
or
you
know,
to
have
a
full.
You
know
session
slot,
for
it.
O
Job
Snider's
entity
communications:
can
you
go
back
to
the
a
s
number
slice?
Okay,
yeah
I?
Think
there
may
be
some
explanations
why
you
are
seeing
this
I
know
some
entities
that
have
attempted
to
try
to
validate
who
the
customers
are
interacting
with
by
having
the
customer
put
private
a
essence
in
row.
Us
act
as
a
magic
token,
so
that
maybe
some
of
it
there
can
be
typos.
I
know
that
one
of
the
re
ARS
stopped
accepting
private
essence
in
Rojas,
so
that
can
maybe
help
reduce
this
type
of
error.
O
A
Presents
this
information,
of
course
nobody
is
going
to
fix
the
stuff.
Quite
obviously,
the
number
the
Ayana
number
is
high,
essentially
because
of
private,
a
SS
and
yes,
okay,
they
should
not
occur
and
you
do
not
want
you
do
not
want,
and
that's
why
I
was
saying
in
the
previous
slide.
I
want
to
replace
the
or
node
on
this.
One
comment
on
this:
one
I
want
to
replace
the
bed
a
SS
in
the
rows
by
zero.
A
S
If
I'm
going
to
be
the
bad
idea,
Geoff
Huston
a
penny,
I'm,
not
sure
if
I'm
going
to
be
the
bad
idea,
theory
or
just
insanely
crazy.
But
you
know,
if
you
really
want
it
to
understand
the
validity
of
an
a
s
number
in
aura.
Why
don't
you
sign
with
an
a
s
number,
because
right
now,
I
can
put
anything
I
like
in
Arella,
because
the
signature
is
the
prefix,
not
the
a
s
if
you're
really
really
concerned.
If
you
are
concerned
about
the
a
s
and
you're
concerned
at.
H
A
A
N
A
N
N
A
Don't
think
I
don't
think
Sloane
really
gets
into
the
picture.
I
think
it
is
in
many
cases
typos
and
people
not
thinking
about
the
consequences
and
having
no
guideline
that
they
should
only
put
roars
for
roots
that
they
want
to
see
in
the
dsm
that
supported
in
that
form
so
kind
of
kind
of.
If
you
think
about
it,
there
is
actually
quite
rigid
relation
between
the
various
points.
I
brought
up.
N
Guess
it's
the
last
comment:
I'm
a
little
bit
concerned
that
one-off
implementations
of
validators
might
take
some
path
here
to
clean
this
up.
Once
again,
you
know
those
who
are
reluctant
constantly
point
that
the
ability
to
diagnose
what's
going
on
so
hopefully
we
would
clean
this
up
in
some
more
general
way
than
your
filters
are.
H
E
Okay,
thank
you,
I
think
the
end
result
was
somebody
wants
you
to
put
a
presentation
together
for
the
next
and
probably
some
discussion
on
the
list
with
some
numbers.
An
actual
content
I
mean
sorry
that
came
with
that
came
out
wrong.
I
mean
things
like
INR
here
you
probably
they
probably
want
you
to
see.
Oh
the
ones
that
are
yes.
E
I
Okay
good
morning,
so
this
talking
about
is
about
doing
route
analysis
of
invalid
routes.
Looking
into
some
details
regarding,
what's
causing
them
to
be
invalid,
that
kind
of
an
understanding
might
be
useful,
especially
considering
that
now
operators
are
getting
serious
about
dropping
invalid
routes.
I
I
So
before
early
February,
this
actually
goes
back
to
December
and
also
I
also
have
numbers
for,
after
so
before,
whether
they
were
dropping,
they
were
seeing
about
six
thousand
invalids
back
in
December,
65%
are
routable
to
valid
or
not
found,
and
35
percent
are
not
routable
and
after
meaning
that
after
February
of
early
February
in
2019
there
is
they
started
to
drop
invalid
routes
only
from
peers,
not
from
customers.
So
there's
so
from
looking
at
it.
I
So
that's
the
story
on
what
happens
at
a
high
level
high
level
view
in
terms
of
out
of
the
invalids.
If
you
were
to
drop
all
of
them.
But
what
for?
How
many
prefixes?
The
traffic
is
still
routable
to
a
less
specific,
valid
or
not
found
or
not,
or
the
traffic
simply
lost,
so
they
were
AT&T
looked
at
the
the
actual
traffic
rather
than
the
route
invalid
route.
Behaviors
like
what
we
are
looking
at
and
Jay
mentioned
on,
Nanog
that
they
saw
that
very
miniscule.
I
Amount
of
traffic
was
being
lost
when
they,
if
they
were
to
drop
the
in
valleys
and
based
on
that
they
decided
to
go
ahead
and
drop
the
invalids
from
the
piers,
but
not
from
the
customers.
It's
also
important
to,
of
course,
look
at
not
just
the
traffic
percentage,
but
also
the
routes,
that's
what
this
is
doing,
and
it
also
digs
deeper
into
the
invalid
routes.
I
A
millions
of
people
would
be
affected
by
that,
even
though
the
traffic
may
be
in
the
very,
very,
very
low
insignificant
in
terms
of
percentage,
so
I
think
operators
should
also
consider
route
analysis
and
see
what
what
might
be
the
likely
impact
of
the
of
due
to
the
doubts
that
invalid
routes
that
they
are
dropping
so
looking
at
a
detailed
analysis
of
the
invalid
routes
over
the
next
few
few
slides.
Let
us
get
some
definitions
in
place.
First,
invalid
MLS
route
is
invalid.
I
Only
due
to
prefix
length
greater
than
max
length
invalid,
a
SS
route
is
invalid.
Only
due
to
s
mismatch
and
I
ASML
represents
doubt
is
invalid,
due
to
both
reasons
max
length
and
s
mismatch,
and
once
we
look
at
the
invalids
when
we
do
further
deeper
analysis
of
it.
We
also
look
at
when
you
are
routing
and
invert
the
traffic
for
an
invalid
route
to
a
less
specific,
same-same,
prefix
or
a
less
specific,
valid
or
not
found
in
that
case,
does
the
less
specific
or
the
same
prefix
that
which
is
valid
or
not
found.
I
That's
does
that
route
have
the
same
origin,
a
s
as
the
invalid
route
in
question,
and
if
the
answer
to
that
is
no,
if
it
is
different,
then
we
also
look
at
whether
that
different
a
s
happens
to
be
the
origin
areas
of
the
immediate
transit
provider,
of
the
a
s
that
is
propagating
the
invalid
route.
So
those
are
some
of
the
details
of
the
analysis
of
invalid
routes
in
the
next
few
slides,
so
March
16th
data.
Again,
the
total
number
of
invalids
that
level
3
sees
is
about
4000
ballpark
and
on
the
left.
I
I
If
we
ask
the
question
the
valid
route,
that
is
possibly
less
specific
in
this
case
yeah
it
does.
It
have
the
same
origin
areas
as
the
invalid
route.
So
that
means
that
the
traffic
is
still
getting
delivered
to
the
to
the
s
that
originated
the
invalid
route.
So
that's
a
good
thing.
So,
on
the
left
side
as
things
as
you
move
to
the
left
or
in
this
diagram
at
each
forth,
its
it's
it's
better
than
moving
through
that
to
the
right
fork.
I
So
that's
the
general
principle
here
so
again,
looking
at
route
in
the
middle
are
n
F.
So,
in
this
case,
the
invalid
ml
route
is
being
the
traffic
is
being
routed
to
a
route
that
is
not
found
and
those
are
1701
point
%
small
number
17
and
of
those
again
13
have
the
same
origin,
areas
and
and
4
or
24%
have
different
origin
ears
and,
interestingly,
when
it
is
a
different
origin,
AAS
or
for
all
of
those
cases,
the
origin,
a
s,
is
the
transit
provider
of
the
originators
of
the
invalid.
I
So
again,
that's
a
good
thing,
because
the
you
have
got
the
invalid
route,
but
the
traffic
is
still
going
to
the
transit
provider
of
the
AAS
that
originated
the
invalid
Road
and
hopefully
it
is
getting
delivered.
So
the
thing
that
is
lost
is
on
the
that
I
on
the
right,
which
is
n
R,
so
not
pout
Abul.
So
35%
of
the
prefixes
are
such
that
you
are
dropping
the
those
in
valleys
and
that
traffic
is
not
getting
routed
any
way
anywhere.
But
one
interesting
thing
in
this
picture
is
that
the.
I
The
so
the
NR
is
so
there
are
579
routes
that
are
getting
dropped,
that
is
35%
of
the
prefixes,
and
the
interesting
thing
is
that
the
those
are
ml
invalid,
a
max
length
invalid,
which
means
that
the
traffic
is
going
to
the
correct
originating
s.
It's
just
that
they
miss
configured
the
rover.
They
got
them
accident
wrong.
I
So
in
this
case,
perhaps
the
operator
can
be
considerate
and
and
tolerant
of
these,
and
and
maybe
go
ahead
and
call
forward
be
traffic
I'm,
not
sure
if
operator
wants
to
do
that,
but
if
they
did
it,
what
would
happen
is
that
the
traffic
is
not
going
to
a
incorrect
or
invalid
guess
it
is
going
to
the
valley
dais,
which
has
a
rower.
It
just
just
happened
to
configure
the
max
length
incorrectly,
so
something
to
think
about
now.
This
is
the
digging
down
deeper
into
the
invalid.
I
I
Both
are
possible
in
this
case,
because
the
invalid
a
s
as
the
wrong
a
s,
but
the
same
prefix
has
a
as
a
Roja
the
right
a
s
has
registered
a
rower
for
so
it
is
routable
to
the
to
the
route
that
is
valid
and
has
the
same
prefix.
So
that's
a
good
thing,
of
course,
and
that's
about
only
1%
but
99%
of
the
time
when,
when
you
are
routing
it
to
valid,
it
is
getting
routed
to
a
less
specific.
I
And
then
you
can
ask
all
these
same
questions
different
SMAS,
and
if
it's
a
different,
a
s
is
it
the
same?
Is
it
the
a
s
of
the
transit
provider
of
the
invalid?
So
all
these
questions
are
kind
of
answered
through
this
diagram,
which
tries
to
enumerate
the
different
paths
that
you
can
follow
in
looking
at
the
details
of
the
invalid
routes.
I
The
next
thing
is
yeah.
We
can
skip
this.
This
is
looking
into
the
detailed
analysis
of
further
in
valise
with
the
max
length,
as
well
as
a
s.
So
we
intend
to
do
this
analysis
and
report
it
through
our
monitor.
So
we
currently
have
a
PKI
monitor.
That's
been
up
and
running
for
last
few
years
the
monitor
is
going
through
a
major
upgrade
will
we
should
have
a
monitor
to
in
the
near
future
102
dato,
and
that
will
give
same
kind
of
results
that
I
presented.
I
It
will
present
it
possibly
in
this
sunburst
format
or
sunburst
picture,
where
you
can
look
at
like
how
many
invalids
and
what
are
all
the
details
once
you
I
mean
you
can
naturally
interactive.
You
can
move
your
mouse
around
and
look
at
the
details
of
what's
causing
some
something
to
be
invalid,
whether
it
is
covered
by
valid
or
non
not
found,
and
if
that,
if
it
is
the
Train
same
origin,
alias
as
that
of
the
invalid
loud
or
a
different
and
so
on.
I
So
so,
basically,
this
tells
you
that
if
you
are
dropping
invalids,
what
percentage
of
traffic
is
still
making
it
to
a
destination
AAS,
which
is
either
the
same?
A
s
as
that
of
the
invalid
or
or
it
is
their
prayer
and
meaning
that
the
transit
provider?
And
if
those
are
the
situations,
then
you
feel
more
comfortable
about
dropping
the
invalid
and
if
you
are
dropping
it
entirely,
and
a
few
of
those
are
of
course
hijacks
which,
which
you
don't
want,
I
mean
which
you
are
happy
to
reject.
I
But
there
are,
there
are
some
reasonable
percentage
out
there
like.
We
saw
for
the
max
length
the
for
the
case
of
max
length.
There
are
five
hundred
seventy
nine
or
thirty
five
percent.
They
are
actually
the
traffic
actually
would
go
if
you
did
not
copy
the
traffic
actually
would
end
up
at
the
correct
a
s,
but
that
would
not
happen
if
you,
if
you
drop
it
in
this
case
it
looks
harmless.
So
it's
good
to
get
all
these
in
size
and
look
for
the
monitor
to
dot.
T
I
We
need
to
plan
that
we
have
the
data
in
early
analysis
capability.
We
are
using
analytics,
we
we
can
give
you
a
global
view
or
or
we
can
we
can.
We
can
give
you
a
view
/.
Yes,
in
principle,
we
we
need
to
actually
code
that
in
and
give
you
the
ability
to
enter
the
a
s
number
I.
Don't
think
we
have
quite
done
it
yet,
but
we
can.
We
can
facilitate
that.
Yes,.
C
V
Said
shouting
was
okay?
Can
we
do
the
modified
validation
first,
because
it's
short
I.
V
Actually
wanted
to
call
this
slide,
the
assassination
of
jean-claude
Marat
by
the
inmates
of
the
assailant
at
Charenton
under
the
direction
of
the
marquis
de
sade.
There
wasn't
enough
room
on
the
slide
to
put
it
there.
So
I
am
here
to
talk
about
deployment
of
the
reconsidered
validation
model
in
the
resource,
public
key
infrastructure,
and
this
is
an
O
one
version
of
our
document.
V
V
We
can't
realistically
ask
for
adoption
of
this
activity
if
we
don't
have
code,
so
we
went
and
found
some
code
and
we
now
have
running
code
which
implements
this
form
of
validation
in
the
process
of
thinking
about
what
a
deployment
might
look
like,
given
also
strong
opposition
in
the
community
to
flag
days
moving
completely
from
one
world
to
another,
we're
probably
going
to
have
to
recommend
some
form
of
mixed-mode
operation.
So
I
made
a
very
simple
change
to
the
structure
of
the
document
to
include
a
tabular
view
that
says
well
in
a
mixed
world.
V
What
would
it
look
like?
What
is
the
actual
meaning
of
encountering
a
chain
of
certificate
with
different
Oh
IDs?
What
you
do
so
I
made
some
clarifying
words
and
the
principle
question
is:
where
do
we
go
from
here?
Okay,
so
code
route,
inator,
I,
love
that
name
I,
think
going
to
krill
was
really
boring.
I
definitely
wanted
more
inators,
but
I'm
rat
inator
have
actually
implemented
this
thing.
We
have
functioning
code
out
there,
which
will
recognize
this
OID
and
performs
the
pruning
function
in
the
act
of
constructing
the
state
of
valid
prefixes
under
consideration.
V
Looking
down
the
certification
chain,
ripe
ncc
actually
had
this
method
in
a
beater
of
their
version,
three
code,
threes
in
a
bit
of
an
odd
state.
At
the
moment,
if
you
will
have
seen
on
the
lists
that
is
kind
of
being
moving
around
the
space
of
being
able
to
perform
validation,
but
they
actually
do
have
a
backlog
item
to
add
this
mode
of
validation
and
another
validator
that
is
under
development,
but
I,
don't
believe
I
should
out.
Who
is
responsible
for
that.
V
But
another
implementation
has
this
model
on
backlog
and
will
be
appearing
later
in
the
year.
So
we
now
have
at
least
two
and
probably
three
strong
indications,
but
one
firm
implementation
and
I
have
discussed
the
implementation
with
other
validators,
with
our
pista
and
with
Dragon,
but
obviously
they
were
noncommittal.
V
So
in
general
sense
nobody
likes
Flag
days.
I,
don't
understand
that
it
looks
like
everyone
likes
driving
around
periodically
with
a
flag
on
their
car,
but
no
one
on
the
internet
likes
a
flag
day
and
nobody
wants
to
move
over
to
an
entirely
different
mode,
so
we're
going
to
have
to
have
the
flag
day
that
isn't
the
flag
day
when
we
flag
that
we're
now
in
a
mixed
mode.
V
So
the
general
sense
here
is
that
the
OID
that
you
find
in
a
certificate
has
to
apply
to
what
you're
going
to
do
in
the
consideration
of
that
certificate.
It's
set
by
your
parent,
your
parent
made
you
that's
what
parents
are
they
make
you
and
they
minted
into
you
an
OID,
so
whatever
our
ID,
they
had
in
them
directed
how
you
validated
them.
But
when
you're
doing
a
validation
moment
of
you,
your
row
ID
was
given
to
you
by
their.
It
says
what
you
should
do
in
you.
V
But
the
point
is
it's
not
a
recursive
descend.
When
you
come
to
the
next
certificate,
it's
got
an
OID
that
you
minted
int
it.
So
if
you
were
minted
as
a
strictmode
old
OID
and
you
mint
a
child
that
is
a
lacks
mode.
Obviously
the
child
should
be
interpreted
in
lacks
mode,
because
why
us
did
you
put
a
lacks
mode
OID
into
it
and
once
you
are
in
a
lacks
mode,
oh
I,
D
space
and
you
mint
a
child.
It's
now
a
grandchild
with
strict
mode
that
grandchild
should
be
validated
with
strict
mode.
V
V
So
where
do
we
go
from
here?
So
we
would
like
to
call
for
adoption
and
the
fundamentally
reason
is
the
bottom
bullet
the
risk
issue.
The
fundamental
risk
issue
that
underpins
this
problem.
Why
we
are
here
has
not
gone
away
and
I
know
people
say,
but
you
did
0/0,
but
unfortunately
the
risk
doesn't
go
away,
because
the
0/0
is
an
assertion
about
our
trust,
anger.
V
Our
operational
states
necessarily
create
products
that
have
literal
three,
seven,
seven,
nine
lists
in
them
and
they
generate
sub
states
which
all
of
you
inherit
the
risk
hasn't
gone
away
and
it
was
never.
It
was
never
just
our
risk.
This
is
a
generalized
community
risk.
Now
there
are
disagreements
in
this
room
about
the
extent
to
which
we
should
allow
lawyers
in
the
room,
but
nonetheless
we
have
a
clear
sense
of
an
emergent
risk
and
it
has
lawyered
up
honest.
We
have
been
given
a
sense.
V
It's
a
global
third
party
risk
and
we're
exceptionally
uncomfortable
about
operating.
A
public
infrastructure
benefit
outcome
facing
global
routing.
That
has
this
risk.
We
need
this,
but
essentially
it's
the
community's
decision.
We
can't
do
an
imposition
that
isn't
how
it
works.
The
community's
got
to
decide
if
it
wants
to
move
and
the
community's
got
to
decide
when
to
move,
but
we
would
really
like
adoption
of
this
draft,
so
we
can
have
a
grown-up
conversation
about
it.
That's
it.
U
Last
time
arcus
DRL,
hi
Rob,
so
I
will
skip
over
the
I.
Do
not
agree
with
the
lawyer
hang
up
thing,
but
let's
just
give
that
in
this
cuz
we've
got
that
flight
in
this
room
too
many
times
already
the
check
it
at
every
level.
Thing
I'm,
not
sure
that
works
technically
without
retroactive,
we're
going
back
and
rewriting
all
the
early
deployed
code.
Yeah.
V
V
W
Josh
hi
hi
as
a
developer
of
the
reliant
party
software
artista
I,
can
assure
you
something
like
the
our
visitor
has,
has
been
ready
to
support
this
event
and
reconsider,
but
we
don't
use
the
new
variety
right
now.
We
just
rise
the
algorithm
to
support
the
vendors.
We
considered
your
honor,
we
don't
use
the
or
the
other
know
trigger
trigger,
so
we
expand
the.
V
Both
know
that
quick
I
do
appreciate
it,
but
I
did
not
want
to
put
an
obligation
on
you
because
you
never
formally
said
we
can
and
will
you
just
said
it's
up
for
discussion
and
you
know
that's
reasonable.
Yeah
people
don't
have
to
commit
in
this
space
because
we
have
implementations.
If
the
community
decides
to
move
there,
we
all
have
to
do
it,
but
we're
in
the
conversation
yeah
so
ensure.
B
V
V
Okay,
we
have
been
working
on
a
mechanism
that
is
designed
to
allow
strong,
trustable
assertions
to
be
made
about
internet
number
resources
about
anything
unconstrained
statements.
I
wish
to
buy
a
hamburger
from
Denny's
I
have
Network
ten
and
I
can
prove
it.
That's
what
we
want
to
be
able
to
do,
and
tomorrow
it's
Arby's
I
can
prove
that
too,
and
nobody
can
limit
what
I
can
say,
but
I
can
prove
I
have
Network
ten
when
I
say
it
and
we
want
it
to
be
totally
self-contained
and
the
reason
is
I.
V
V
Now
the
other
thing
is
I'm
going
out
for
burger
with
my
buddy
and
he's
got
Network
nine
and
we
want
to
say
we're.
Gonna
have
burgers
with
Network
nine
and
ten,
and
we
both
wanna
sign
and
if
neither
one
of
the
shows,
that's
not
cool,
but
if
one
of
us
shows
that's
not
cool,
but
if
both
of
us
show
that
is
enormously
cool.
V
So
we
need
to
be
able
to
say
a
signing
outcome
that
has
both
of
us
as
a
required
membership
and
both
of
our
resources.
So
it's
multi
signing
multi-party.
You
can
get
a
super
set
outcome
and
it's
unconstrained.
What
a
sign
you
want
to
sign
over
a
Greek
salad.
You
can
do
that.
It's
not
just
about
burgers,
so
we
went
to
Rus
Housley
the
guardian
of
all
things
OID
and
we
said:
can
we
get
no
ID
in
the
space
and
he
said
sure-
and
he
gave
us
one.
V
So
we
are
not
talking
about
routing
routing
or
routing
either
of
them.
We
are
talking
about
the
business,
the
business
activity
that
takes
place
outside
of
BGP
that
is
classic
provisioning.
Okay
and
that,
to
my
mind,
is
quintessentially
a
private
matter,
I'm
in
a
contract
with
someone
in
Deutsche
Telekom
talking
to
them
about
doing
amazing,
stuff
and
I'm
thinking.
I
need
to
go
and
do
business
with
a
competitor
like
Liberty
global
I.
V
Don't
want
to
publish
that
in
the
world
I'm
in
a
contract
negotiation,
it's
private
and
I'm
entitled
to
do
stuff,
privately
business
to
business
with
Liberty
global
and
have
a
way
of
proving
I'm.
The
one
in
control
of
the
resource
I
mean
I
know
it's
not
very
fair
for
Deutsche
Telekom
I'm
going
to
pull
the
contract,
but
this
is
business.
V
It's
private,
but
I
still
need
to
be
able
to
show
control
and
ownership
of
the
resources,
and
we
think
there
is
a
lot
of
private
business
that
can
benefit
from
the
ability
to
prove
transactional
control
over
the
resource,
and
we
want
to
put
trust
into
business
now.
You
can
model
a
whole
lot
of
stuff
with
this,
because
we
have
tried
to
design
a
fully
general
mechanism.
It
does
not
specify
what
is
signed
and
in
particular
it
does
not
specify
the
semantics
intent.
V
What
is
the
applicability
of
the
internet
resources
to
the
thing
that's
being
signed
on
I
have
no
idea,
and
it
doesn't
say
how
to
apply
them,
to
derive
that
semantics.
Intend
I
don't
know,
I
can't
know
it's
private,
because
I
want
to
be
taken
out
of
that
conversation.
I,
don't
want
a
rigorous
validation
definition
in
me
about
what
it
means.
I
just
want
to
be
able
to
say
the
address
part,
the
a
s
part
is
provable,
but
what
it
means
is
private
between
the
consenting
parties.
So
how
did
we
do
it?
There's
just
CMS.
V
So
initially,
we
actually
did
this
a
few
years
back
about
seven
years
back
using
some
homebrew
a
s
and
one
and
we
made
zip
files
at
was
awful.
I
mean
it
was
terrible
and
Russ,
who
is
very
nice
man,
so
you're
wasting
your
time.
Do
this
as
CMS,
because
CMS
has
a
model
for
doing
detached
signature
signing
and
it
encompasses
almost
everything
you
need.
V
So
we
have
defined
a
CMS
object,
which
has
all
the
extra
components
in
asn.1
to
add
in
the
key
identifies
of
the
must
be
present
signers
and
the
three
seven
seven
nine
list
of
the
resources
that
should
be
asserted
and
we
also
included
the
bag
concept,
get
all
the
5:09
covering
componentry
to
do
the
trust,
anchor
and
included
in
the
object.
Because
then
you
get
standalone
validation.
You
don't
need
to
go
to
a
repository
because
you've
got
everything
in
the
signing
path
between
the
trust
anchor
and
this
easy
certificate.
V
It's
all
there,
so
it
doesn't
have
to
be
in
the
repository
to
be
validated.
You
could
put
it
there
if
you
want
to
so
you
get
a
certificate
or
you
get
a
set.
You
get
them
to
contain
the
resources
you
could
use
a
super
set
certificate
with
everything
you
can
narrow
it
down,
because
there's
a
list
of
the
applicable
resources.
You
get
a
check
sum
you
sign
over
the
check
sum
you
sign
over
metadata.
You're
done,
that's
it
so
for
validation!
You
use
the
bag
to
do
path.
Construction!
V
You
validate
the
chain,
sir,
to
the
e,
so
you
can
then
prove
signature
on
the
object
against
the
valid
cert,
and
then
you
get
the
thing
out
of
band
to
perform
that
check.
We
do
not
specify
how
you
get
the
third
data
and
we
can't
do
the
applicability,
because
it's
out
of
scope,
okay,
so
you
could
use
it
and
bring
your
own
provisionally.
This
is
the
classic
need.
V
Large
enterprises
are
currently
using
HTTP
REST
with
JSON
they're
performing
provisioning
and
they've
reached
a
point
where
they
need
to
know
you
control
the
resource,
but
they
don't
know
what
origin
is
you're
gonna
use.
So
a
rower
at
this
point
won't
fly
because
the
a
s
is
in
their
hands
when
they
decide
how
they're
going
to
provision
you
as
a
customer
can't
use
a
rower.
In
any
case,
the
rower
has
no
field
to
tag
who
the
hell.
V
You
are
in
a
business
moment
to
perform
the
business
mechanism
if
you
submit,
but
if
you
use
our
mechanism
you
get
this,
you
make
a
JSON
blob,
you
rest
serve
it
back
up.
It
just
flies.
It's
very
slow
friction
to
do
this,
so
we
have
another
idea,
which
is
that
you
take
the
current
letter
of
authority,
the
PDF
file
that
we
all
Forge
whenever
we
want
to
say
that
we
have
control
of
a
resource
and
how
you
digitally
sign
it.
V
So
you
can
still
ship
the
PDF
with
your
nice
minted
letterhead
saying
that
I
work
for
the
NSA,
please
route,
my
prefixes,
but
you've
got
a
digi
cig
to
go
with
it
and
we
think
again,
it's
minimally
invasive
on
the
process
to
do
that.
So
we
also
think
that
you
could
have
any
idea.
I
mean
anything,
we
don't
care
test
an
idea
and
we
actually
have
talked
with
operators.
V
If
you
had
an
ability
to
do
this,
instead
of
some
of
the
stuff
that
you're
doing
at
the
moment,
like
put
it
in
the
Whois
record,
would
you
do
this
and
they
said
yes,
they
would.
We
got
strong
indications
of
motivation
from
CD
ends
large
providers
for
this
class
of
mechanism,
and
we
think
it's
a
no-brainer.
We
have
code,
I
thought
this
was
the
newest
slide,
so
I
wasn't
going
to
tell
you
that,
so
we
have
code
and
it's
available
as
an
online
demo
and
there's
code
available
as
well.
V
So
you
get
a
page
where
you
get
to
stipulate
the
resources
that
are
available.
You
get
to
sub
specify
you
nominate
this
resource
set.
You
give
the
document,
it
generates
a
downloadable
object
that
you
then
pass
to
someone.
They
perform
verification
by
getting
two
objects.
The
thing
that's
under
consideration
and
the
blob,
and
then
they
come
up
with
a
validation
moment.
Saying
yup
the
signature
checks
out:
here's
the
things
that
are
associated.
What
do
you
want
to
do?
You
can
run
it.
V
So
we
want
adoption.
We
think
this
is
useful
and
we
think
the
community
is
ready
and
we
want
to
encourage
the
business
community
to
do
this
in
things
like
BYO,
but
to
do
that
we
actually
have
to
have
a
commitment
that
we're
going
to
permit
either
CSR
requests
classic
certificate.
Sign
requests
to
be
given
a
nice,
not
not
a
CA,
certs
I'm,
not
up
down.
This
is
not
up
down.
This
is
give
me
a
thing.
I
can
do
some
signing
with,
but
I
won't
be
a
CA.
V
We
need
that
or
we
need
a
hex
port
of
the
private
key
from
inside
a
portal
which
is
I
mean
nobody
wants
to
do.
Pkcs
15
or
pkcs12
rap-
that
is
horrible.
Key
export!
Don't
do
that,
but
we
need
it
or
we
need
it
embedded
inside
the
mechanisms
to
do
the
generation.
But
that's
what
we'd
like
to
do
stepping
away
from
the
microphone.
U
E
V
O
X
X
So
I'm
all
over
budget
NIST
I,
can
make
this
fairly
quick.
What
we
propose
is
validation,
signaling
and
BGP
SEC,
so
we're
already
up
a
little
draft,
I
just
uploaded
it
maybe
an
hour
ago.
So
if
you
want
to
read
it,
it's
pretty
much
the
same
like
the
RPK
origin,
validation
just
on
the
BGP
SEC
side.
So
what
you
can
eat.
Why
would
you
do
that
in
especially
in
b2b
SEC?
X
So
I
could,
for
example,
say
I
first
quality
I'd
ever
seen
coming
in
via
ebgp,
before
I
validate
as
anything
that
comes
in
through
ibgp
or
they
could
even
before
it
completely
so
just
to
go
back
to
RFC
8205,
and
there
is
explicit
explicitly
said
that
you
are
allowed
to
defer
validation
and
yeah
there's
another
part
in
the
RFC.
That
is
interesting.
X
The
hour
C
says
that,
however,
an
implementation
should
ensure
that
you,
ferment
of
validation
and
status
of
deferred
messages,
is
visible
to
the
operator,
and
that
goes
a
little
bit
back
to
the
presentation
I
gave
at
last
IETF.
Is
he
unverified
bgp
SEC
currently
only
has
two
validation
States
valid
and
invalid.
If
I
defer
a
validation,
I,
don't
have
a
validation
state
so
having.