On 5 Jan 2017, at 16:14, Randy Bush wrote:
Sorry, I did not mean that stripping was suggested; the previous
phrase (non-normatively) recommends against stripping. My question
is, since the subject of the sentence is "signed paths" whether the
"MUST be signed" language means "MUST NOT strip the signature"
(which I suspect to be the case), or something else.
how about
As the mildly stochastic timing of RPKI propagation may cause
version skew across routers, an AS Path which does not validate at
router R0 might validate at R1. Therefore, signed paths that are
Not Valid and yet propagated (because they are chosen as best
path) MUST NOT have signatures stripped and MUST be signed if sent
to external BGPsec speakers.
if not, use larger clue bat
It's likely I have this particular bat by the wrong end.
In the last sentence, does "MUST be signed" mean it must have a
signature (which would seem to make "MUST NOT strip" and "MUST be
signed" redundant), or does it mean the propagating router must add
its own signature in addition to the existing one(s)?
yes, it must preserve the signed path and add its own signature.
Thanks, that helps. Would it make the last sentence say something to the
effect of "... and MUST additionally be signed by the propagating
router."?
Ben.
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr