I have just submitted a new version of the BGPsec protocol document. This version includes text changes to improve the security considerations section of the document as well as review comments based on the previous version of the document. (In particular, many thanks to Sriram -- for his very thorough review -- and to everyone who made helpful comments on the list.) Also, to make this document consistent with other documents in the document suite, this document now specifies a BGPsec_Path attribute instead of a BGPSEC_Path attribute.
====================

One minor issue that arose in making these revisions:

Consider the case where you are creating a new update message somewhere within your AS (to originate a route to one of your own prefixes) and you are sending this new update message via iBGP to an internal peer. The document currently says that you omit the Secure_Path attribute (that is, the BGPsec_Path attribute is added by your edge router ... since the signature depends on the eBGP peer to whom an update is being sent). An alternative would be to include an 'empty' BGPsec_Path attribute ... that is, one with zero Secure_Path segments and zero Signature segments.

If you think sending an empty BGPsec_Path is better than omitting the BGPsec_Path, please speak up now. (Both approaches seem perfectly fine to me.)
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
