Message info
 
To: Jeffrey Haas
From: Christopher Morrow
Subject: Re: [Idr] [sidr] iBGP, BGPSEC and incremental deployment (was No BGPSEC intradomain ?)
Date: Thu, 12 Apr 2012 11:28:44 -0400
 

On Thu, Apr 12, 2012 at 10:52 AM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> On Wed, Apr 11, 2012 at 03:53:29PM -0400, Christopher Morrow wrote:
>> > Functionally, confed segments are stripped prior to the global AS being
>> > added to the path. The box performing this function is the one that needs
>> > to amend the BGPSEC signature, not some box in the middle of the
>> > confederation.
>>
>> I suppose you could re-sign... the case I was thinking of was
>> attempting to validate inside your domain a prefix supposedly
>> originated by an iBGP speaker inside your domain.
>
> If you don't trust your own boxes to originate, I think you have a bigger
> problem. :-)

yes... where's that box in $HOSTILE_COUNTRY ? are we SURE that no one
has tampered with it during the recent 'unscheduled power outage' ? :(
darned crapblarghistan and its ongoing power grid problems!

> That said, there's little stopping you from using RPKI (perhaps with a local
> view) data to provide prefix sanity checking. Internally the signature
> piece is probably excessive.

this is all from another frequent-poster to this list (the requirement
I mean)... I'm just parroting it back for the record. (though I do see
a valid case to sign on origination as well, and check internally)

you don't seem to disagree that the functionality could be there, so
... 'violent agreement'!

-chris
_______________________________________________
Idr mailing list
Idr@ietf.org
https://www.ietf.org/mailman/listinfo/idr