On Tue, Apr 21, 2020, at 23:53, Job Snijders wrote:
> a normal or a large community (within your own 'namespace') and tell
> your peers that's the one you are using for a specific purpose.

This is what LINX and France-IX do, this also works on IBGP, and this is why RFC8097 has a very low (close to zero) value.

> However, I don't think you can really signal the validation state
> across administrative boundaries. The trust is not transitive,
> especially over most-likely unsecured BGP transport. There is no
> mechanism in BGP to verify if the peer can be trusted to set the right
> communities, operational parameters about the peer's validation process
> are not visible through BGP.

Take it like "RPKI As A Service". People ready to take/use pretty much everything "aaS" (whether it makes sense or not) are not difficult to find. You have several kinds of "security as a service", including "managed security", so RPKIaaS isn't much worse than that.

--
R.-A. Feurdean
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
