On Fri, 27 Feb 2026 at 11:29, Job Snijders via NANOG <nanog@lists.nanog.org> wrote:
> What exactly is 'secure' about an AS-SET? How can those two words be used in the same sentence? As I understand it AS-SETs are plain-text blobs of unknown provenance which contain entirely arbitrary data for unknown purposes that can change at a moment's notice.

With AS-SET, in practice most ports will have explicit prefix-lists ensuring they can only send a very small subset of all prefixes possible. Some are trash, but most are pretty good. For most ports, we offer in practice very high guarantees on what they could possibly break by UPDATE.

We can say that they can add anything to AS-SET, and we can say RPKI does nothing, as they can set any origin. But we're not talking about what it could be, we are talking about what it is, and it is doing a lot and there is nothing else to reach anything close to its coverage today.

If we are comfortable giving that away because AS-SET could be anything, I am all for it, less work for me. If my customers tell me that it is not important to them, then I'm all for it.

--
++ytti
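
The per-port prefix-list filtering described in the reply above, as an added example that is not part of the original thread: an AS-SET is expanded recursively into member ASNs, their route objects become the port's prefix-list, and each announced prefix is checked against it. The AS-SET names, ASNs, prefixes and the /24 maximum length are constructed assumptions, not data from any real IRR.

```python
import ipaddress

# Constructed IRR data (documentation ASNs and prefixes, not real objects).
AS_SETS = {
    "AS-EXAMPLE-CUST": ["AS64500", "AS-EXAMPLE-DOWNSTREAM"],
    "AS-EXAMPLE-DOWNSTREAM": ["AS64501", "AS-EXAMPLE-CUST"],  # loops back
}
ROUTES = {
    "AS64500": ["192.0.2.0/24", "198.51.100.0/24"],
    "AS64501": ["203.0.113.0/24"],
}

def expand_as_set(name, as_sets, seen=None):
    """Resolve an AS-SET to its member ASNs, tolerating loops and unknown sets."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in as_sets.get(name, []):
        if member.startswith("AS") and member[2:].isdigit():
            asns.add(member)  # plain ASN
        else:
            asns |= expand_as_set(member, as_sets, seen)  # nested AS-SET
    return asns

def build_prefix_list(name, as_sets=AS_SETS, routes=ROUTES):
    """Prefix-list for a port: every route object of every ASN in the set."""
    nets = {ipaddress.ip_network(p)
            for asn in expand_as_set(name, as_sets)
            for p in routes.get(asn, [])}
    return sorted(nets, key=lambda n: (n.version, n))

def permits(prefix_list, announced, max_len=24):
    """Accept an announcement only if it sits inside a listed prefix
    and is no more specific than max_len (assumed IPv4 policy)."""
    net = ipaddress.ip_network(announced)
    if net.prefixlen > max_len:
        return False
    return any(net.version == e.version and net.subnet_of(e) for e in prefix_list)

def covered_fraction(prefix_list):
    """Share of the IPv4 address space the port is able to announce."""
    return sum(n.num_addresses for n in prefix_list if n.version == 4) / 2**32

if __name__ == "__main__":
    pl = build_prefix_list("AS-EXAMPLE-CUST")
    for candidate in ("192.0.2.0/24", "192.0.2.0/25", "10.0.0.0/8"):
        print(candidate, "accept" if permits(pl, candidate) else "reject")
    print(f"announceable share of IPv4: {covered_fraction(pl):.2e}")
```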