> However I would like to ask for some clarification on why bgpsec is all
> about securing advertised nets and does not (at least to the best of my
> knowledge) certify that such prefixes have been advertised with
> legitimate next hops (the one which the prefix owner really owns).

considering next hop likely changes at AS boundaries (and for some ops practice, within the AS), how and why would one sign it?

e.g. at the boundary between A and B, why bother having A sign it across what should be a trustable boundary. and, if A did sign it, and B changes the next hop when handing the update on to C, A's signature just got farbled.

so bottom line, imiho, what's the need, and doing it would break things.

randy

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
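A simplified model of the A, B, C case in the reply above, added here as an example and not part of the original message: each AS signs the update it sends, B rewrites the next hop at its boundary, and C checks every signature with and without the next hop in the signed data. The keys, AS numbers, addresses and field layout are constructed assumptions, and HMAC stands in for real signatures; this is not the BGPsec wire format.

```python
import hashlib
import hmac

# Constructed keys, AS numbers and addresses. HMAC stands in for real
# per-router signatures; the field layout is a model, not BGPsec wire format.
KEYS = {65001: b"constructed-key-A", 65002: b"constructed-key-B"}

def sign(asn, upd, hops, prev_sig, cover_next_hop):
    # Signed data: prefix, path up to this AS, target AS, previous signature,
    # and (only in the experiment) the next hop visible at signing/verify time.
    fields = [upd["prefix"], str(upd["path"][:hops]),
              str(upd["targets"][hops - 1]), prev_sig.hex()]
    if cover_next_hop:
        fields.append(upd["next_hop"])
    return hmac.new(KEYS[asn], "|".join(fields).encode(), hashlib.sha256).digest()

def announce(upd, asn, next_hop, target, cover_next_hop):
    # The sending AS appends itself, sets next hop to its own border address
    # (normal eBGP behaviour) and signs toward the target AS.
    new = {"prefix": upd["prefix"], "path": upd["path"] + [asn],
           "next_hop": next_hop, "targets": upd["targets"] + [target],
           "sigs": list(upd["sigs"])}
    prev = new["sigs"][-1] if new["sigs"] else b""
    new["sigs"].append(sign(asn, new, len(new["path"]), prev, cover_next_hop))
    return new

def failed_signers(upd, cover_next_hop):
    # The receiver only sees the update as delivered, so it recomputes every
    # signature with the next hop that is in the update now.
    bad, prev = [], b""
    for i, asn in enumerate(upd["path"], start=1):
        expected = sign(asn, upd, i, prev, cover_next_hop)
        if not hmac.compare_digest(expected, upd["sigs"][i - 1]):
            bad.append(asn)
        prev = upd["sigs"][i - 1]
    return bad

def a_to_b_to_c(cover_next_hop):
    empty = {"prefix": "203.0.113.0/24", "path": [], "next_hop": "",
             "targets": [], "sigs": []}
    at_b = announce(empty, 65001, "192.0.2.1", 65002, cover_next_hop)    # A -> B
    return announce(at_b, 65002, "198.51.100.1", 65003, cover_next_hop)  # B -> C

if __name__ == "__main__":
    print("next hop unsigned:", failed_signers(a_to_b_to_c(False), False))  # []
    print("next hop signed:  ", failed_signers(a_to_b_to_c(True), True))    # [65001]
```

With the next hop left out of the signed data, C still detects a change to a covered field such as the prefix, which invalidates both signatures.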
