Re: [sidr] various

Randy Bush <> Sat, 12 November 2011 06:49 UTC

Date: Sat, 12 Nov 2011 14:49:54 +0800
Message-ID: <>
From: Randy Bush <>
To: "George, Wes" <>
In-Reply-To: <>
References: <> <> <> <> <>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Cc: sidr wg list <>
Subject: Re: [sidr] various

>> draft-ietf-sidr-bgpsec-ops-02
>>    To prevent exposure of the internals of BGP Confederations [RFC5065],
>>    a BGPsec speaker which is a Member-AS of a Confederation MUST NOT
>>    sign updates sent to another Member-AS of the same Confederation.
> [WEG] does that mean that routes using confeds as transit ASes cannot
>       participate in BGPSec at all? 

no.  and it does not in any way say that, does it?

> (eg if the update path goes:
> Origin ASN -> confed AS ($private) -> confed AS ($public) -> eBGP peer)
> If that's the case, would be useful to be more explicit about it.

the statement attempts to very clearly apply ONLY to two members of the
confed speaking to each other, period.  if it is not clearly restricted
to that case, please say how it could be reworded to more clearly be so.

( i should be able to differentiate you and shane.  he sends text :)

> Or do you mean that confed AS1 will not be in the signature chain/AS
> path and the public ASBR (the external side of the confed) will sign
> as if it learned the routes directly from the Origin ASN?

if by AS1 you mean what you call "AS ($private)" above, yes, that is
what is meant.

> If it's the latter, you probably need more clarifying text, and that
> may actually require some text in the protocol definition to cover the
> special-case handling.

why is it needed to cross over into the large space of what is to be
signed?  the point of the bullet is what is NOT to be signed.

> Related: It may be that we have to simply say that Private ASNs can't
> be BGPSec participants

tell that to someone trying to secure some multi-as private network
using rfc 1918 addresses and asns.
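The signing rule under discussion (a confed Member-AS MUST NOT sign updates sent to another Member-AS, so the public ASBR ends up signing as if it had learned the route directly from the origin) can be seen in a toy model. The following is an added example, not text from the draft or from anyone in this thread: it replaces BGPsec's per-router ECDSA keys and RPKI lookup with constructed HMAC keys, assumes the confederation identifier equals the public ASBR's ASN (65010), and uses the path from the thread, Origin -> confed AS (private) -> confed AS (public) -> eBGP peer, with constructed ASNs 65000 -> 64512 -> 65010 -> 65020.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed toy keys: one shared secret per AS. Real BGPsec uses per-router
# ECDSA keys published in the RPKI; HMAC merely stands in for them here.
KEYS = {
    65000: b"key-origin",          # Origin ASN
    64512: b"key-confed-private",  # confed Member-AS using a private ASN
    65010: b"key-confed-public",   # confed Member-AS that is the public ASBR
    65020: b"key-ebgp-peer",       # external eBGP peer
}
CONFED_ID = 65010                  # assumption: confederation identifier == public ASBR ASN
CONFED_MEMBERS = {64512, 65010}    # constructed membership of the confederation


@dataclass(frozen=True)
class Update:
    prefix: str
    origin_as: int
    sigs: tuple  # ((signer_as, target_as, signature_bytes), ...), oldest first


def visible_as(asn):
    """ASN the outside world sees: confed members appear as the confederation ID."""
    return CONFED_ID if asn in CONFED_MEMBERS else asn


def toy_sign(signer, target, prefix, prior_sig):
    """Toy signature over prefix, signer, target and the previous signature (chaining)."""
    msg = f"{prefix}|{signer}|{target}|{prior_sig.hex()}".encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()


def forward(update, sender, receiver):
    """Send `update` from `sender` to `receiver`, applying the ops-draft rule."""
    if sender in CONFED_MEMBERS and receiver in CONFED_MEMBERS:
        # Member-AS to Member-AS of the same confederation: MUST NOT sign,
        # the update is passed along with its signature chain untouched.
        return update
    # Outside the confederation, a member speaks (and signs) as the confed ID,
    # so the private member never appears in the chain. Modelling assumption:
    # the confed ID's key is used for that signature.
    signer = visible_as(sender)
    target = visible_as(receiver)
    prior = update.sigs[-1][2] if update.sigs else b""
    sig = toy_sign(signer, target, update.prefix, prior)
    return Update(update.prefix, update.origin_as, update.sigs + ((signer, target, sig),))


def verify(update, receiver):
    """Receiver-side check: chain starts at the origin, each target is the next
    signer, every signature recomputes, and the last target is the receiver."""
    expected_signer = update.origin_as
    prior = b""
    for signer, target, sig in update.sigs:
        if signer != expected_signer:
            return False
        if not hmac.compare_digest(sig, toy_sign(signer, target, update.prefix, prior)):
            return False
        expected_signer, prior = target, sig
    return expected_signer == visible_as(receiver)


def propagate(prefix, path):
    """Originate at path[0] and forward hop by hop; returns what the last AS receives."""
    upd = Update(prefix, path[0], ())
    for sender, receiver in zip(path, path[1:]):
        upd = forward(upd, sender, receiver)
    return upd


def signing_chain(update):
    """ASNs that actually signed, in order."""
    return [signer for signer, _, _ in update.sigs]


# Constructed path from the thread: origin -> private member -> public ASBR -> eBGP peer
PATH = [65000, 64512, 65010, 65020]

if __name__ == "__main__":
    upd = propagate("192.0.2.0/24", PATH)
    print("signers:", signing_chain(upd))        # 64512 is absent
    print("valid at AS65020:", verify(upd, 65020))
```

The chain the eBGP peer validates is origin -> 65010 -> 65020; the private member 64512 forwarded the update without signing and is invisible to the verifier, which is exactly the "as if learned directly from the Origin ASN" behaviour asked about above. Tampering with the prefix or the claimed origin breaks verification because every signature chains over the previous one.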