On Thu, Apr 12, 2012 at 10:52 AM, Jeffrey Haas <[email protected]> wrote:
> On Wed, Apr 11, 2012 at 03:53:29PM -0400, Christopher Morrow wrote:
>> > Functionally, confed segments are stripped prior to the global AS being
>> > added to the path. The box performing this function is the one that needs
>> > to amend the BGPSEC signature, not some box in the middle of the
>> > confederation.
>>
>> I suppose you could re-sign... the case I was thinking of was
>> attempting to validate inside your domain a prefix supposedly
>> originated by an iBGP speaker inside your domain.
>
> If you don't trust your own boxes to originate, I think you have a bigger
> problem. :-)

yes... where's that box in $HOSTILE_COUNTRY ? are we SURE that no one
has tampered with it during the recent 'unscheduled power outage' ? :(
darned crapblarghistan and its ongoing power grid problems!

> That said, there's little stopping you from using RPKI (perhaps with a local
> view) data to provide prefix sanity checking. Internally the signature
> piece is probably excessive.

this is all from another frequent-poster to this list (the requirement
I mean)... I'm just parroting it back for the record. (though I do see
a valid case to sign on origination as well, and check internally)

you don't seem to disagree that the functionality could be there, so
... 'violent agreement'!

-chris
