On 29 Apr 2015, at 20:46, Sriram, Kotikalapudi <[email protected]> wrote:
> The validation in the BGPsec draft is only about the AS path signatures in
> signed updates.
> It is talking about the validity of the Secure_Path.
> If all the signatures in a Signature_Block are valid, then the
> Signature_Block (and hence Secure_Path) is 'Valid';
> Else, the Signature_Block is 'Not Valid'.

So how does this work when a certificate expires without a new one in place? Then the signature over a hop in the path, and therefore the path, and therefore one or more prefixes, are now "Not Valid".

This presents us with two choices:

1. we accept those prefixes in our forwarding tables
2. we don't accept those prefixes in our forwarding tables

Obviously 1. can't be the answer, because then BGPsec is pretty much a NOP. But 2. is not so great either, because now a mistake or delay in generating and propagating certificates can cause unreachability.

So what we need is a third option, that provides better security than 1. and better reachability than 2.

In other words, "couldn't validate because of certificate lifetime" and "validation failed because of a bad signature or bad certificate chain" are different enough that we need them to have different effects on the forwarding tables.

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
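The three-way outcome the message argues for, as an added example that is not part of the mail or of the BGPsec draft. It is a toy Python model: HMAC-SHA256 with per-AS shared keys stands in for the ECDSA signatures BGPsec actually uses, the signed data is a simplified "prefix, path so far, previous signature" string rather than the draft's wire format, certificate lifetimes are plain integers, and the ASNs (64496-64498) and prefix (192.0.2.0/24) are documentation values. The point it shows is the ordering of the checks: the cryptographic check runs on every hop regardless of lifetime, so a bad signature is always "Not Valid", and only a path whose signatures all verify but whose certificate is outside its lifetime ends up in the separate "Unverifiable" state that a routing policy can then treat differently from an outright failure.

```python
# Added example (not from the mail): a toy model of BGPsec Secure_Path
# validation with a third outcome for certificate-lifetime failures.
from dataclasses import dataclass
from enum import Enum
import hashlib
import hmac


class Validity(Enum):
    VALID = "Valid"                # every signature verified under an in-lifetime cert
    NOT_VALID = "Not Valid"        # a signature failed, or a signer has no cert at all
    UNVERIFIABLE = "Unverifiable"  # all signatures verified, but a cert is outside its lifetime


@dataclass(frozen=True)
class Cert:
    asn: int
    key: bytes        # toy stand-in for the router's public key
    not_before: int   # validity window as plain integers (constructed, e.g. seconds)
    not_after: int


@dataclass(frozen=True)
class Hop:
    asn: int
    signature: bytes


def _signed_data(prefix: str, asns, prev_sig: bytes) -> bytes:
    # Simplified: each hop signs the prefix, the path so far and the previous hop's signature.
    return f"{prefix}|{','.join(map(str, asns))}|".encode() + prev_sig


def _sign(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the ECDSA signatures BGPsec actually uses.
    return hmac.new(key, data, hashlib.sha256).digest()


def build_certs(keys: dict, not_before: int, not_after: int) -> dict:
    return {asn: Cert(asn, key, not_before, not_after) for asn, key in keys.items()}


def sign_path(prefix: str, asns: list, keys: dict) -> list:
    """Each AS in turn signs over the prefix, the path up to itself and the prior signature."""
    hops, prev_sig = [], b""
    for i, asn in enumerate(asns):
        sig = _sign(keys[asn], _signed_data(prefix, asns[: i + 1], prev_sig))
        hops.append(Hop(asn, sig))
        prev_sig = sig
    return hops


def validate_path(prefix: str, hops: list, certs: dict, now: int) -> Validity:
    prev_sig = b""
    lifetime_problem = False
    asns = []
    for hop in hops:
        asns.append(hop.asn)
        cert = certs.get(hop.asn)
        if cert is None:
            return Validity.NOT_VALID
        expected = _sign(cert.key, _signed_data(prefix, asns, prev_sig))
        # Cryptographic check first: a bad signature is Not Valid regardless of lifetime.
        if not hmac.compare_digest(expected, hop.signature):
            return Validity.NOT_VALID
        if not (cert.not_before <= now <= cert.not_after):
            lifetime_problem = True  # remember it, but keep checking the remaining hops
        prev_sig = hop.signature
    return Validity.UNVERIFIABLE if lifetime_problem else Validity.VALID


def route_decision(state: Validity):
    """Map the tri-state outcome to (accept, local_pref); the policy values are illustrative."""
    if state is Validity.VALID:
        return (True, 100)
    if state is Validity.UNVERIFIABLE:
        return (True, 50)  # keep reachability, but lose to any Valid alternative
    return (False, 0)      # Not Valid: do not install


def demo():
    """Constructed inputs: one sound path, one with an expired cert, one with a forged hop."""
    prefix = "192.0.2.0/24"
    keys = {64496: b"key-64496", 64497: b"key-64497", 64498: b"key-64498"}
    hops = sign_path(prefix, [64496, 64497, 64498], keys)
    fresh = build_certs(keys, 0, 2000)
    expired = {**fresh, 64497: Cert(64497, keys[64497], 0, 500)}  # AS 64497's cert ran out at t=500
    tampered = [hops[0], Hop(64497, b"\x00" * 32), hops[2]]     # middle signature replaced
    return (
        validate_path(prefix, hops, fresh, now=1000),
        validate_path(prefix, hops, expired, now=1000),
        validate_path(prefix, tampered, expired, now=1000),
    )


if __name__ == "__main__":
    for state in demo():
        print(state.value, route_decision(state))
```

Running it prints `Valid (True, 100)`, `Unverifiable (True, 50)` and `Not Valid (False, 0)`. The separation happens inside `validate_path`: a lifetime failure is recorded rather than returned immediately, so it can never mask a later signature failure, and `route_decision` is where an operator would encode the actual "better security than 1, better reachability than 2" policy.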
