Re: [sidr] comments needed (Re: I-D Action: draft-ietf-sidr-rtr-keying-14.txt)

Sandra Murphy <> Fri, 08 December 2017 21:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 60BB31272E1; Fri, 8 Dec 2017 13:04:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5wc4t3GrezPx; Fri, 8 Dec 2017 13:04:47 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E01A9128D40; Fri, 8 Dec 2017 13:04:46 -0800 (PST)
Received: from (unknown []) by (Postfix) with ESMTP id 43C5128B003B; Fri, 8 Dec 2017 16:04:46 -0500 (EST)
Received: from [] (localhost.localdomain []) by (Postfix) with ESMTP id 3C3361F8036; Fri, 8 Dec 2017 16:04:46 -0500 (EST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sandra Murphy <>
In-Reply-To: <>
Date: Fri, 8 Dec 2017 16:04:45 -0500
Cc: Sandra Murphy <>, sidr chairs <>,
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <>
To: sidr list <>
X-Mailer: Apple Mail (2.3124)
Archived-At: <>
Subject: Re: [sidr] comments needed (Re: I-D Action: draft-ietf-sidr-rtr-keying-14.txt)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Dec 2017 21:04:48 -0000

Another thought about one point in my long list of comments.

> On Nov 14, 2017, at 9:07 PM, Sandra Murphy <> wrote:
> 4.  “corresponds” again - there’s no mention of a router verifying that the router cert it receives has an AS that is configured on the router.  There are lots of other checks and double checks - why not this one?  

Is it possible for a router to be configured with an AS before it actually brings up a BGP/BGPsec session to a neighbor?  (my guess: yes.  but IANAOp)

If the router does not know its AS configuration unless it has already started a BGP session, then the check of the AS in a received cert would have to be done while BGP was active but BGPsec was not yet activated.

Is there a way for a router to receive a cert and check the AS after it has been configured with an AS, but before the session with the neighbor actually starts?

If the BGP session must be up before the configured AS is known, and the desire was to check a received cert for a configured AS, then a session could not start with BGPsec from the very beginning.


Q1: Is the sequence

(1) configure AS (2) check AS in received cert (3) start BGPsec session 


Q2: If the sequence needs to be

(1) configure AS (2) start BGP (3) check AS in received cert (4) start BGPsec

is that acceptable?

Q3: If the second sequence is necessary, then is that bad enough, sufficient reason, to abandon the idea of checking the AS in the cert?