On Oct 23, 2012, at 5:04 PM, Murphy, Sandra wrote:

> Reviewing that was what led to my question to Randy. (something like "what
> is the reason for having ORIGIN in the first place".)

Nice :-)

> The responses when this came up in the past have been that protecting
> integrity of ORIGIN might be conceivable, but the authenticity of the value
> was not. That is, who says that the AS did indeed get the info from EGP.
> Sounds like at one time, that mattered.

I don't understand, if the origin router employs, say, a BGPsec Router Certificate to sign the origin code attribute, whom else would attest to such a thing?

Of course, if the origin BGP router was iBGP only (which _very_ often is) or non-BGPSec this could be a problem -- that's why we need to start with threats and requirements. This whole "only some BGP speaking routers will be running this extension" gives me concerns for other reasons I suspect will surface as well.

-danny
