is a longer announce invalid or not found?

To: sidr wg list
Subject: [sidr] is a longer announce invalid or not found?
From: Randy Bush
Date: Fri, 30 Sep 2011 11:39:21 +0900

there has been a bit of confusion over whether announcement of a longer prefix than is covered by a roa is valid, invalid, or not found. so let me try to clarify the underlying decision process for valid, invalid, and not found so we are all on the same page. i believe this is as it is documented in pfx-validate.

---

if i publish a roa for 10.0.0.0/16-16 for AS 42 (and there are no other roas for 10/...)

no announcement of 10.0.0.0/16 or any longer prefix thereof from any AS may be marked NOT FOUND; after all, a covering roa is there.

any announcement of any prefix in that space, from /16 to /32, from an AS other than 42 is INVALID. this is the purpose of the exercise.

and, an announcement of 10.0.666.0/24 from AS 42 is INVALID, as it has a prefix length not specified by the roa. someone is trying to punch a hole, not allowed. this could be an origin forger trying to punch a /24 in my /16.

but if i publish a roa for 10.0.0.0/16-24 for AS 42, then an announcement for 10.0.666.0/24 from AS 42 would be marked VALID.

randy
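The decision process above, as an added example that is not part of Randy's mail or of any router implementation: a small origin validator in the style of pfx-validate (RFC 6811) run over a constructed ROA table. The ROA table format (prefix, maxLength, AS) is an assumption of this example, and 10.0.5.0/24 stands in as the constructed /24 inside 10.0.0.0/16.

```python
# Added example: RFC 6811 style route origin validation over a constructed
# ROA table, standard library only. Not code from the sidr list or any vendor.
import ipaddress
from typing import Iterable, Tuple

Roa = Tuple[str, int, int]  # (prefix, maxLength, origin AS) -- assumed layout


def covers(roa_prefix: ipaddress._BaseNetwork, announced: ipaddress._BaseNetwork) -> bool:
    """A ROA covers an announcement when the announced prefix lies inside the
    ROA prefix (same or longer length). maxLength is checked separately."""
    return roa_prefix.version == announced.version and announced.subnet_of(roa_prefix)


def validate(announced_prefix: str, origin_as: int, roas: Iterable[Roa]) -> str:
    """Return 'VALID', 'INVALID' or 'NOT FOUND' for one announcement."""
    announced = ipaddress.ip_network(announced_prefix, strict=True)
    covering = 0
    for prefix_str, max_length, asn in roas:
        roa_prefix = ipaddress.ip_network(prefix_str, strict=True)
        if not covers(roa_prefix, announced):
            continue
        covering += 1  # at least one covering ROA => never NOT FOUND
        # A covering ROA *matches* only if the origin AS agrees AND the
        # announced length does not exceed maxLength. An AS 0 ROA can never
        # match a real origin, so it only ever produces INVALID.
        if asn == origin_as and announced.prefixlen <= max_length:
            return "VALID"
    return "INVALID" if covering else "NOT FOUND"


# Constructed ROA tables matching the two cases in the mail.
ROAS_16_ONLY = [("10.0.0.0/16", 16, 42)]  # "10.0.0.0/16-16 for AS 42"
ROAS_16_TO_24 = [("10.0.0.0/16", 24, 42)]  # "10.0.0.0/16-24 for AS 42"

if __name__ == "__main__":
    cases = [
        ("10.0.0.0/16", 42, ROAS_16_ONLY),     # VALID: exact match
        ("10.0.0.0/16", 64512, ROAS_16_ONLY),  # INVALID: wrong origin
        ("10.0.5.0/24", 42, ROAS_16_ONLY),     # INVALID: hole punched past maxLength
        ("10.0.5.0/24", 42, ROAS_16_TO_24),    # VALID: /24 allowed by maxLength 24
        ("10.0.0.0/8", 42, ROAS_16_ONLY),      # NOT FOUND: shorter than any ROA
        ("192.0.2.0/24", 42, ROAS_16_ONLY),    # NOT FOUND: nothing covers it
    ]
    for prefix, asn, table in cases:
        print(f"{prefix:14} AS{asn:<6} -> {validate(prefix, asn, table)}")
```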
