On 2015-09-10 15:09, Stephen Kent wrote:
> At least initially, sig order was required to match the AS transit
> order, to ensure that the AS transit order is accurately represented.
> Is that no longer true?

Are you talking about (1) the order of the signatures on the wire, (2) the order of which AS path is covered by which signature, or (3) the chronological order in which the signatures are generated? I think Rob and I were talking about (3), but Rob should tell me if I misunderstood him.

For (1), the order needs to be specified such that each signature can be correctly verified. Having the order of the signatures match the AS transit order seems like the most sensible way to do this.

For (2), I think it's critical that each signature covers the correct AS path, in the correct order.

For (3), the signatures will typically be generated in order, but I don't see the value of enforcing that. I.e., while I don't see the point of pre-computing signatures before including them in a BGPsec UPDATE, I also don't see any harm in it.

--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
