Hi Thomas,

Attributes in the BGP update such as the nexthop and aspath are rewritten/modified at the eBGP boundary, so signing the attributes at the originator is of little value unless the same is done at each hop, in which case we are attempting path validation. This would introduce a lot more complexity into the solution and require intermediate hops to be aware of the scheme. The primary scope of the draft is to accomplish origin validation for VPN routes (verify routes are coming from valid originator), similar to the RPKI-based prefix validation for the internet.

Thanks
Arjun

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Thursday, November 15, 2012 6:43 AM
To: [email protected]
Subject: Re: draft-ymbk-l3vpn-origination-02

Hi Arjun,

Arjun Sreekantiah:
> Please note that the scheme does provide protection against attack scenarios
> as well, this is not just protecting errors from configuration.

If only the NLRI is signed, as specified in the draft, and not the attributes nor the rest of the MP_REACH_NLRI attribute, how does it provide an efficient protection against attacks?

-Thomas
