Another thought about one point in my long list of comments.
> On Nov 14, 2017, at 9:07 PM, Sandra Murphy <sa...@tislabs.com> wrote:
>
> 4. “corresponds” again - there’s no mention of a router verifying that the router cert it receives has an AS that is configured on the router. There are lots of other checks and double checks - why not this one?

Is it possible for a router to be configured with an AS before it actually brings up a BGP/BGPsec session to a neighbor? (my guess: yes. but IANAOp)

If the router does not know its AS configuration unless it has already started a BGP session, then the check of the AS in a received cert would have to be done while BGP was active but BGPsec was not yet activated.

Is there a way for a router to receive a cert and check the AS after it has been configured with an AS, but before the session with the neighbor actually starts?

If the BGP session must be up before the configured AS is known, and the desire was to check a received cert for a configured AS, then a session could not start with BGPsec from the very beginning.

So.

Q1: Is the sequence (1) configure AS (2) check AS in received cert (3) start BGPsec session possible?

Q2: If the sequence needs to be (1) configure AS (2) start BGP (3) check AS in received cert (4) start BGPsec, is that acceptable?

Q3: If the second sequence is necessary, then is that bad enough, sufficient reason, to abandon the idea of checking the AS in the cert?

—Sandy

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
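The check the thread is debating, as an added example that is not part of the list discussion or any router implementation: it assumes, per RFC 8209, that a BGPsec router certificate carries the RFC 3779 AS Resources extension, parses that extension's DER value by hand, and asks whether the AS it grants matches the AS configured on the router. Function names and the sample byte strings are this example's own constructions.

```python
"""Does a received BGPsec router cert cover the router's configured AS?

Assumption (RFC 8209 / RFC 3779): the AS Resources extension value is
  ASIdentifiers ::= SEQUENCE { asnum [0] EXPLICIT ASIdentifierChoice }
  ASIdentifierChoice ::= CHOICE { inherit NULL, asIdsOrRanges SEQUENCE OF ASIdOrRange }
  ASIdOrRange ::= CHOICE { id INTEGER, range SEQUENCE { min INTEGER, max INTEGER } }
Only that extension value is handled; signature and path validation are out of scope.
"""


def _read_tlv(buf, pos):
    """Parse one DER TLV (short or long definite length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _read_int(value):
    return int.from_bytes(value, "big", signed=True)   # DER INTEGER is two's complement


def parse_as_identifiers(der):
    """Return ("inherit", None) or ("list", [(lo, hi), ...]) from an ASIdentifiers value."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ASIdentifiers must be a SEQUENCE")
    tag, choice, _ = _read_tlv(outer, 0)
    if tag != 0xA0:
        raise ValueError("expected [0] asnum; an rdi-only extension names no AS")
    tag, body, _ = _read_tlv(choice, 0)
    if tag == 0x05:                        # NULL: "inherit" from the issuer
        return "inherit", None
    if tag != 0x30:
        raise ValueError("ASIdentifierChoice must be NULL or SEQUENCE OF")
    ranges, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x02:                    # single ASId
            asn = _read_int(val)
            ranges.append((asn, asn))
        elif tag == 0x30:                  # ASRange { min, max }
            _, lo, p = _read_tlv(val, 0)
            _, hi, _ = _read_tlv(val, p)
            ranges.append((_read_int(lo), _read_int(hi)))
        else:
            raise ValueError("bad ASIdOrRange tag 0x%02x" % tag)
    return "list", ranges


def cert_as_matches_config(as_identifiers_der, configured_asn):
    """True only if the cert explicitly grants the AS the router is configured with."""
    kind, ranges = parse_as_identifiers(as_identifiers_der)
    if kind == "inherit":                  # pins no AS of its own, so nothing to match against
        return False
    return any(lo <= configured_asn <= hi for lo, hi in ranges)


# Constructed sample extension values (not taken from any real certificate).
SINGLE_AS_64496 = bytes.fromhex("3009a0073005020300fbf0")                    # {64496}
LIST_WITH_RANGE = bytes.fromhex("3011a00f300d020300fbf0300602010a020114")    # {64496, 10..20}
INHERIT = bytes.fromhex("3004a0020500")                                      # inherit
```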