Dear Denis, others,

(still talking in personal capacity)

On Sat, Nov 19, 2022 at 04:00:23PM +0100, denis walker wrote:
To assist the RIPE NCC with their impact analysis can we be clear on how you want to change the syntax. My understanding is you want rules along these lines:
- An AS-SET name must be hierarchical
- There must be at least one colon (:) character in the name
- The first element of the name must be an ASN
Yes to the above.
- The second element of the name must be an AS-SET name starting with 'AS-'
The rules for what constitutes valid AS-SET names are specified in RFC2622 section 5: https://www.rfc-editor.org/rfc/rfc2622#section-5

"""
Set names can also be hierarchical. A hierarchical set name is a sequence of set names and AS numbers separated by colons ":". At least one component of such a name must be an actual set name (i.e. start with one of the prefixes above). All the set name components of an hierarchical name has to be of the same type. For example, the following names are valid: AS1:AS-CUSTOMERS, AS1:RS-EXPORT:AS2, RS-EXCEPTIONS:RS-BOGUS.
"""

I'd argue that the rules for what constitutes valid hierarchical names should not be changed; so the second component of the name doesn't need to start with 'AS-'.
- Any further elements can be either ASNs or AS-SET names
- Any other existing syntax rules that don't conflict with this change
- These rules to only apply to creating new AS-SET objects
- Existing non-hierarchical AS-SET objects can still be updated
Aye.
This discussion has focused on the AS-SET object and the authorisation problems they can cause. Should we make this change to all set object types?
To avoid scope creep I'd exclusively focus on AS-SET objects for now, because that's the object type for which operational issues were reported in recent weeks.

Kind regards,

Job
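
The naming rules discussed in this message, as an added example that is not part of the original e-mail or of any RIPE NCC code: a checker that applies the RFC 2622 section 5 hierarchical-name rule to AS-SET names, plus the two rules agreed for newly created objects. The names `check_as_set_name` and `new_object` are hypothetical, the character-set pattern follows the RFC 2622 object-name rule, and AS number ranges are not checked.

```python
import re

# AS number component, e.g. AS64500 (RPSL names are case-insensitive).
ASN_RE = re.compile(r"^AS[0-9]+$", re.IGNORECASE)
# as-set name component: "AS-" prefix, then letters, digits, "_" or "-",
# ending in a letter or digit (RFC 2622 object-name rule).
AS_SET_RE = re.compile(r"^AS-[A-Z0-9_-]*[A-Z0-9]$", re.IGNORECASE)


def classify(component):
    """Return 'asn', 'set', or None for one colon-separated component."""
    if ASN_RE.match(component):
        return "asn"
    if AS_SET_RE.match(component):
        return "set"
    return None


def check_as_set_name(name, new_object=True):
    """Return (ok, reason) for an AS-SET name.

    new_object=True applies the rules proposed for creation only;
    new_object=False models updating an existing object, where only
    the RFC 2622 rules apply.
    """
    components = name.split(":")
    kinds = [classify(c) for c in components]
    for comp, kind in zip(components, kinds):
        if kind is None:
            return False, f"component {comp!r} is neither an ASN nor an AS- set name"
    # RFC 2622 section 5: at least one component must be an actual set name.
    if "set" not in kinds:
        return False, "no component is an actual set name"
    if new_object:
        if len(components) < 2:
            return False, "new AS-SET names must be hierarchical"
        if kinds[0] != "asn":
            return False, "first component of a new AS-SET name must be an ASN"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names (AS64500/AS64501 are documentation ASNs).
    for sample in ["AS64500:AS-CUSTOMERS", "AS-CUSTOMERS",
                   "AS64500:AS64501:AS-PEERS", "AS64500:AS64501"]:
        print(sample, check_as_set_name(sample))
```
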