On Wed, Nov 7, 2012 at 1:39 PM, Shane Amante <[email protected]> wrote:
> Chris,
>
> On Nov 7, 2012, at 11:11 AM, Christopher Morrow <[email protected]>
> wrote:
>> there isn't data in bgp today data which tells you 'this path is a
>> leak'. Even at the immediately-leaked-to peer there isn't data in the
>> message that's helpful for this problem.
>
> Why isn't the above considered putting the cart in front of the horse?
> Namely,
> there is this (seemingly) hard requirement that all information must be
> self-contained within BGP -- even though the above acknowledges that
> we CANNOT get this information out from BGP. Shouldn't that suggest there
> is a pretty fundamental problem here wrt the current definition of the
> problem?

I think if you have only a bgp message to deal with that's all you
have to base your judgement upon. The SIDR work so far has added a
signature for origination and in BGPSEC proposes adding signatures as
part of bgpsec-path. If you know of, or can create, or can find in
existence already, data that helps solve the 'route leaks problem'
please bring it forward. I think the wgs involved here (at least:
sidr, idr, grow) all have agreed that the first step is:
  1) show/agree that this is a problem (route leaks)
  2) see if bgp data already has the right bits to fix this (idr)
  3) slap some verification on those bits

arguing about carts and horses isn't moving the above 3 steps forward.

> What's even more perplexing is the WG seems to accept that it's OK to
> accept substantial complexity in creating, exchanging, validating information
> using an "out-of-band" certificate repository system (RPKI) ... which is OK to
> be used for Origin Validation by BGP, but for some reason ... BGPSEC is
> saying that it cannot depend on external information sources for Path
> Validation (other than per-router/per-AS certs). Something really does not

what external source?
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
