Re: [sidr] draft-ietf-sidr-bgpsec-protocol-13's security guarantees

Sandra Murphy <> Tue, 01 September 2015 13:54 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6A42E1B3F44 for <>; Tue, 1 Sep 2015 06:54:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dQ5Ervk-ZHEQ for <>; Tue, 1 Sep 2015 06:54:41 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 81C671B465A for <>; Tue, 1 Sep 2015 06:54:41 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTP id CABEC28B0052; Tue, 1 Sep 2015 09:54:40 -0400 (EDT)
Received: from [IPv6:::1] (localhost.localdomain []) by (Postfix) with ESMTP id B00631F8035; Tue, 1 Sep 2015 09:54:40 -0400 (EDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_24BAB446-0D35-4EB7-8F04-8B07E074C64D"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5
From: Sandra Murphy <>
In-Reply-To: <>
Date: Tue, 01 Sep 2015 09:54:24 -0400
Message-Id: <>
References: <> <> <> <>
To: Randy Bush <>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <>
Cc: sidr wg list <>, Sandra Murphy <>
Subject: Re: [sidr] draft-ietf-sidr-bgpsec-protocol-13's security guarantees
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Sep 2015 13:54:43 -0000

Speaking as a regular ol’ member

On Aug 27, 2015, at 5:02 PM, Randy Bush <> wrote:

>>> an intermediate AS, which does not validate but signs, could apply
>> I’d say that the intermediate AS who didn’t verify the signatures it
>> received could be acting on bad info at any time, without any
>> conspiring ASs around.  The intermediate AS has no more assurance than
>> a non-bgpsec speaker that the route it receives is valid.
> it is not worse than unsecured is a form of reasoning i do not buy.


>> But the intermediate AS and any bgp4 (i.e. non-bgpsec speakers?) peers
>> have chosen to be insecure - I see no reason to be concerned.
> same fallacious argument.  we are supposed to be making things better,
> not leaving them the same.

Are you saying that any system that does NOT check the protections and does not spot invalid signatures should still be protected?  I think that’s a pretty tall order.

My concern is with those who do check the signature but who, because conspiring ASs “violate the guarantee”, do not get the bgpsec protection in some way.

David’s suggestion that more of the data should be covered by the signature still does not help the hapless intermediate AS who does not check the signature, I would think.  That AS could still fooled.  So I don’t think that the new signature makes anything better for the non-checkers.

—Sandy, speaking as a regular ol’ member