In GROW, at the mike, I proposed another solution: Add a new attribute that means "this route may be advertised up". This attribute must be signed by the originator of the route.
Add a second attribute that means "The first attribute was added" This attribute must be included in the BGPSEC signature. If an AS asserts that the route can no longer be advertised up, it simply removes the first attribute along with its signature. Since the first attribute must be signed by the originator, no one else can add it back. Now, an AS that considers itself a provider of the advertised route to the peer from which it received the advertisement can filter on the presence of the second attribute and the lack of the first to prevent the leak. The advantage of this solution is that it will not expose the customer-provider relationship to any customers. --Jakob
_______________________________________________ GROW mailing list GROW@ietf.org https://www.ietf.org/mailman/listinfo/grow
