On Wed, Apr 11, 2012 at 03:53:29PM -0400, Christopher Morrow wrote:
> > Functionally, confed segments are stripped prior to the global AS being
> > added to the path. The box performing this function is the one that needs
> > to amend the BGPSEC signature, not some box in the middle of the
> > confederation.
>
> I suppose you could re-sign... the case I was thinking of was
> attempting to validate inside your domain a prefix supposedly
> originated by an iBGP speaker inside your domain.

If you don't trust your own boxes to originate, I think you have a bigger problem. :-)

That said, there's little stopping you from using RPKI (perhaps with a local view) data to provide prefix sanity checking. Internally the signature piece is probably excessive.

-- Jeff
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
