Hi, I have a question for the WG. In a series of e-mail exchanges earlier this year, I had thought it was concluded that BGPSEC was merely being used as a means to express that a BGP UPDATE had passed through a series of ASN's, i.e.: it's an expression of a "breadcrumbs", if you will, that can [later] be validated by receiver that are further downstream. IOW, it's not a validation of the TE policies (e.g.: AS_PATH prepending) applied by ASN's.
I went back to the BGPSEC requirements: http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs-00 ... and, if I look at Req #3.19: 3.19 A BGPsec design SHOULD NOT presume to know the intent of the originator of a NLRI, nor that of any AS on the AS Path. What was the intended meaning of the word "intent"? I thought that word was meant to say that BGPsec was not intended to validate TE policies that may, or may not, be applied to the NLRI. If that is correct, then why is the WG looking at signing an BGP attribute that expresses the the number of times an ASN may be prepended? Or, has the WG had a change of direction and I haven't kept up to speed? I would note that the reason I'm asking the above is that it may not be the originator that is performing AS_PATH prepending. Specifically, a customer may use a provider's BGP TE communities to ask the provider to perform AS_PATH prepending (selectively) on their behalf. But, since these BGP TE communities are not signed, then how would a receiver of the NLRI know that an AS_PATH should or should not have been prepended by an intermediate/transit ASN? Thanks, -shane _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
