> I think the current intention is to secure the network on the basis of
> giving each prefix a badge and just check it at entrance door readers to
> each AS.

Don't treat routing updates as packets. Routing protocols are distributed, near-real-time databases, not applications that send and receive packets.

> I am not sure if you actually need to know who should be in or not at
> any given time if the backend provides the correct rules based on the
> badge readings. Of course the assumption is that HR distributed the
> badges correctly in the first place ;)

But you see, that's intent. What we're trying to do is infer undefined intent (because we won't admit it's intent) from a rather loose and messy signature on the packet, combined with some timers that are set so far away from real time as to be almost useless (because it's too hard to secure route removal in a signed packet system). :-)

Russ

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
