(coming in late to the party, weee!)

On Wed, Nov 2, 2011 at 1:08 PM, Brian Dickson <[email protected]> wrote:
>>> (5) If any BGP path attribute used in Path Selection is not signed,
>>> then BGPSEC has failed to meet its charter requirements.
>>
>> Then MED and Local Pref must also be signed, along with a number of
>> communities, and even the next hop.
>
> Yes.
err, so... you receive a route update from AS1 at AS2, it looks roughly like:

  1.2.3.0/24 nh = 192.168.1.1

this is signed (all of the above data). When you pass this route off to AS3 you do so as:

  1.2.3.0/24 nh = 10.1.1.1

the nh changed, the sig originally is for 192.168.1.1. Did you really mean to sign the next-hop? It seems infeasible...

Also, LocalPref is a locally used/determined/created (non-transitive) item; adding that set of bits into the signature seems blatantly wrong, since the data won't exist when you pass the route outside your ASN. The verification is going to fail for every route you send (which had a localpref != default). That CERTAINLY seems like something you would want to avoid, right?

-chris

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
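The two failure cases described in the message above (a signature that covers the next hop, and one that covers LOCAL_PREF), worked through as an added example. This is not code from the thread or from any BGPSEC implementation: it uses Ed25519 as a stand-in for the real per-AS signature, a toy length-prefixed encoding with the AS path stored origin-first, a hypothetical default LOCAL_PREF of 100, and the addresses and AS numbers from the message. Each AS signs the prefix and the path as it stood when that AS added itself, and every downstream AS verifies the whole chain against the update as it actually received it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Update holds the attributes of a route update that the thread discusses.
type Update struct {
	Prefix    string
	NextHop   string   // rewritten by the advertising router at each eBGP hop
	LocalPref uint32   // non-transitive: each AS sets its own, it is never sent to a neighbour AS
	ASPath    []uint32 // origin first (toy encoding for this example, not the wire format)
}

// Policy is the knob under debate: which attributes, beyond prefix and path,
// the per-AS signature covers.
type Policy struct {
	CoverNextHop   bool
	CoverLocalPref bool
}

// defaultLocalPref is the value a receiving AS assigns when it has no policy
// of its own for the route (an assumption made for this simulation).
const defaultLocalPref uint32 = 100

// signedData builds the bytes the AS at position idx of the path commits to:
// the prefix and the path as it stood when that AS added itself, plus the
// optional attributes selected by p. Fields are length-prefixed so that the
// encoding is unambiguous.
func signedData(u Update, idx int, p Policy) []byte {
	var out []byte
	putU32 := func(v uint32) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], v)
		out = append(out, n[:]...)
	}
	putBytes := func(b []byte) {
		putU32(uint32(len(b)))
		out = append(out, b...)
	}
	putBytes([]byte(u.Prefix))
	putU32(uint32(idx + 1))
	for _, as := range u.ASPath[:idx+1] {
		putU32(as)
	}
	if p.CoverNextHop {
		putBytes([]byte(u.NextHop))
	}
	if p.CoverLocalPref {
		putU32(u.LocalPref)
	}
	return out
}

// verifyChain checks every AS's signature against the update as the current
// receiver sees it, which is what a BGPSEC-style validator has to do.
func verifyChain(u Update, keys map[uint32]ed25519.PublicKey, sigs [][]byte, p Policy) bool {
	if len(sigs) != len(u.ASPath) {
		return false
	}
	for i, sig := range sigs {
		if !ed25519.Verify(keys[u.ASPath[i]], signedData(u, i, p), sig) {
			return false
		}
	}
	return true
}

// Simulate walks the update AS1 -> AS2 -> AS3 from the message and reports
// whether the signature chain validates at AS2 and at AS3 under policy p.
func Simulate(p Policy) (okAtAS2, okAtAS3 bool) {
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[uint32]ed25519.PublicKey{1: pub1, 2: pub2}

	// AS1 originates the route with a non-default LOCAL_PREF of its own and signs.
	u := Update{Prefix: "1.2.3.0/24", NextHop: "192.168.1.1", LocalPref: 200, ASPath: []uint32{1}}
	sigs := [][]byte{ed25519.Sign(priv1, signedData(u, 0, p))}

	// AS2 receives it. The next hop is still what AS1 put on the link, but
	// AS1's LOCAL_PREF never left AS1; AS2 assigns its own (the default here).
	u.LocalPref = defaultLocalPref
	okAtAS2 = verifyChain(u, keys, sigs, p)

	// AS2 re-advertises to AS3: it rewrites the next hop to its own address,
	// appends itself to the path and adds its signature.
	u.ASPath = append(u.ASPath, 2)
	u.NextHop = "10.1.1.1"
	sigs = append(sigs, ed25519.Sign(priv2, signedData(u, 1, p)))

	// AS3 receives it and, again, assigns its own LOCAL_PREF.
	u.LocalPref = defaultLocalPref
	okAtAS3 = verifyChain(u, keys, sigs, p)
	return okAtAS2, okAtAS3
}

func main() {
	for _, p := range []Policy{{}, {CoverNextHop: true}, {CoverLocalPref: true}} {
		ok2, ok3 := Simulate(p)
		fmt.Printf("cover next hop=%-5v cover LOCAL_PREF=%-5v  valid at AS2=%-5v valid at AS3=%v\n",
			p.CoverNextHop, p.CoverLocalPref, ok2, ok3)
	}
}
```

With only prefix and path covered, the chain validates at both AS2 and AS3. Covering the next hop still validates at AS2 (the AS1-AS2 link carries the next hop AS1 signed) but fails at AS3, where AS1's signature is checked against 10.1.1.1. Covering LOCAL_PREF fails already at AS2, because AS1's value of 200 never crosses the AS boundary; AS2's own signature happens to survive at AS3 only because both sides used the default, which is the "localpref != default" caveat in the message.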
