On Wed, Apr 11, 2012 at 3:48 PM, Jeffrey Haas <[email protected]> wrote: > On Wed, Apr 11, 2012 at 12:28:32PM -0400, Christopher Morrow wrote: >> On Wed, Apr 11, 2012 at 12:17 PM, Jakob Heitz <[email protected]> >> wrote: >> > Confeds are out of scope. >> >> how are confeds out of scope? >> if you want path validation for ibgp/originated-by-you routes and the >> originating router is in one of the confed sub-ases you have that >> router sign with the confed-external/public asn, no? I'm fairly >> certain we planned to support this sort of activity... though I could >> be missing the part which is out-of-scope? > > Functionally, confed segments are stripped prior to the global AS being > added to the path. The box performing this function is the one that needs > to amend the BGPSEC signature, not some box in the middle of the > confederation.
I suppose you could re-sign... the case I was thinking of was attempting to validate inside your domain a prefix supposedly originated by an iBGP speaker inside your domain. _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
