[address-policy-wg] 2008-08 (Initial Certification Policy in the RIPE NCC Service Region) going to Last Call

On 5 May 2011, at 10:04, Randy Bush wrote:

>>> shall we have a policy that covers black helicopters and sci-fi attacks 
>>> as well as demanding perfection in everything?
>> No.
> 
> :)
> 
>> Right now it's a bigger problem that people can announce other peoples 
>> address space (intentionally or not), so let's get that fixed.
> 
> trying
> 
>> Put in a recommendation in the implementation descriptions that there
>> should be the possibility of local policies for whitelisting, meaning
>> it doesn't rely on the central authority for some resources, or we
>> could have parallell authorities in multiple juristictions.
> 
> i do appreciate contributions to draft-ietf-sidr-origin-ops

Good point, because the implementation that the RIRs are making is based on the work that is being done here. Some elements of Certification that people are discussing here should actually be held in the IETF SIDR WG. Some of the concerns have actually already been taken into account there. 

In a nutshell: My take is that Resource Certification drives routing *preferences*. If a network operator sees an expired or invalid prefix, they can investigate and *choose* to take action. This also applies to decisions when using router hardware, as described in section 5 of "BGP Prefix Origin Validation":
http://tools.ietf.org/html/draft-ietf-sidr-pfx-validate-01#section-5

"Considering invalid routes for BGP decision process is a pure ***local policy matter*** and should be done with utmost care."  (Emphasis mine)

-Alex