> [Arjun]
> The ASBR can still perform the validation based on configured key-id and
> associated key without having to perform any import operation.  As explained
> before you can have the key-id map to a vpn-id and only the key-id and
> associated keys need to be defined on the ASBR.

There is no such thing in a VPNv4/v6 advertisement as "vpn-id".

>>RTs do not associate routes to VPNs on the ASBRs.
>
> [Arjun]
> We are not suggesting using RTs to do that in this scheme, just use the
> context of the key identifier to retrieve the associated key and verify the
> signature digest.

That is precisely the main issue with your proposal. You would be much
better off with adding RT validation (*based on the very same scheme
as you proposed for NLRI validation in this draft*).

Thx,
R.
