Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-protocol-01.txt

Matt Lepinski <> Tue, 01 November 2011 17:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BA3FF21F8461 for <>; Tue, 1 Nov 2011 10:01:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KZXy9a6aqKGe for <>; Tue, 1 Nov 2011 10:01:34 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CA3E721F844D for <>; Tue, 1 Nov 2011 10:01:34 -0700 (PDT)
Received: from [] (port=1354) by with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.74 (FreeBSD)) (envelope-from <>) id 1RLHgE-000F6B-M3 for; Tue, 01 Nov 2011 12:59:19 -0400
Message-ID: <>
Date: Tue, 01 Nov 2011 12:59:50 -0400
From: Matt Lepinski <>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-protocol-01.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Nov 2011 17:01:35 -0000

I have updated the BGPSEC protocol specification.

At the SIDR meeting in Quebec, there was significant discussion about 
how BGPSEC could provide security of the AS-PATH attribute while still 
accommodating the needs of route servers that participate in BGP, but do 
not wish to increase the length of the AS-PATH attribute. The -01 
version of the draft contains  a mechanism (a field called pCount) which 
attempts to address this issue by having route servers create BGPSEC 
signatures without increasing the effective length of the AS-PATH 
attribute. I would greatly appreciate comments on this mechanism and 
whether it adequately addresses the issues raised at the last SIDR 
meeting and subsequently discussed on the list.

There was has also been significant discussion on the SIDR list of the 
"Expire TIme" field in BGPSEC and the associated "Beacon-ing" (that is, 
periodic re-advertisement of a prefix with a new signature and a new 
Expire Time) as a mechanism to address replay attacks (as well as 
attacks where a malicious peer fails to propagate the withdrawal of a 
route). My understanding is that the consensus of  the working group was 
that the current Expire Time mechanism is reasonable as long as 
re-advertisement is only required at the origin AS (and not at 
intermediate ASes). The current -01 version of the draft attempts to 
reflect that consensus.

Finally, there are a number of small editorial changes that I believe 
will improve the clarity of the draft. Thanks again to everyone who has 
reviewed the document, feedback on how the text could be made more 
easily understandable is especially welcome.

- Matt Lepinski

On 10/31/2011 3:38 PM, wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.
> 	Title           : BGPSEC Protocol Specification
> 	Author(s)       : Matthew Lepinski
> 	Filename        : draft-ietf-sidr-bgpsec-protocol-01.txt
> 	Pages           : 28
> 	Date            : 2011-10-31
>     This document describes BGPSEC, an extension to the Border Gateway
>     Protocol (BGP) that provides security for the AS-PATH attribute in
>     BGP update messages.  BGPSEC is implemented via a new optional non-
>     transitive BGP path attribute that carries a digital signature
>     produced by each autonomous system on the AS-PATH.
> A URL for this Internet-Draft is:
> Internet-Drafts are also available by anonymous FTP at:
> This Internet-Draft can be retrieved at:
> _______________________________________________
> sidr mailing list