Re: [sidr] various

Brian Dickson <> Sat, 12 November 2011 17:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C7EFC21F85AE for <>; Sat, 12 Nov 2011 09:29:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.546
X-Spam-Status: No, score=-3.546 tagged_above=-999 required=5 tests=[AWL=0.053, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id R7+PpKVNVKXH for <>; Sat, 12 Nov 2011 09:29:07 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 01C9521F8540 for <>; Sat, 12 Nov 2011 09:29:06 -0800 (PST)
Received: by bkbzv15 with SMTP id zv15so5325699bkb.31 for <>; Sat, 12 Nov 2011 09:29:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Eud7Z8Ee5b0OzdrHiFYhC4pQcv46IEBSJ+YJZ5LIt20=; b=QwROyoYXgHckCFwlUel0zhKn8dZWtBKn2xfhjChT7nY4/AZJUyiSPlTbvTPS1iXcmu OXnRh+pU2iVjH5rx4oAvpB2wFtz1BNlRNgSmvtATy359N1xgzYx5+ihPoBE3R5QjRDLp A2eRatA2IMIXQfD0TCfGReLU6EYsG2UD6H8QU=
MIME-Version: 1.0
Received: by with SMTP id d5mr12907497bkd.64.1321118945917; Sat, 12 Nov 2011 09:29:05 -0800 (PST)
Received: by with HTTP; Sat, 12 Nov 2011 09:29:05 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <>
Date: Sat, 12 Nov 2011 12:29:05 -0500
Message-ID: <>
From: Brian Dickson <>
To: Randy Bush <>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <>
Subject: Re: [sidr] various
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 12 Nov 2011 17:29:07 -0000

In the case of confederations, and presuming BGPSEC is used among the
confederation members,
it should be the case that upon entry to the confederation, the "TO"
ASN of the sender's signature
is the AS Confederation Identifier, i.e. the externally visible ASN as
which the confederation appears
to its eBGP neighbors.

The confederation will, in propagating an eBGP announcement, create an
and corresponding signatures.

Removing the signatures and removing the AS_CONFED_SEQUENCE, I
believe, will preserve the
signature validity, since the confederation member sending to a
non-confederation member will add
the AS Confederation Identifier (ASN) to the AS_SEQUENCE, and add its
signature. The AS-path
and signatures over such, will be valid/consistent. I.e., I think it
"just works".

So, I propose the following alternative text:

  To prevent exposure of the internals of BGP Confederations [RFC5065],
  and to comply with the requirement that the AS_SEQUENCE be identical
  to the sequence of ASNs from the Signature-Block, a BGPsec speaker
  which is a Member-AS of a Confederation MUST remove every Signature-
  Segment which corresponds to a unique ASN in the AS_CONFED_SEQUENCE
  prior to the AS_CONFED_SEQUENCE being removed from the AS_PATH,
  and prior to adding its own Signature-Segment to the Signature-Block.

Or, wording to that effect.


On Fri, Nov 11, 2011 at 10:40 PM, Randy Bush <> wrote:
> to two of your comments, in my unpublished edit buffers
> draft-ietf-sidr-bgpsec-ops-02
>   To prevent exposure of the internals of BGP Confederations [RFC5065],
>   a BGPsec speaker which is a Member-AS of a Confederation MUST NOT not
>   sign updates sent to another Member-AS of the same Confederation.
> draft-ietf-sidr-pfx-validate-04
>   An implementation MUST support 4 Octet AS Numbers, [RFC4893].
> as our friendly blood-sucking vendors have said, the latter is thought
> to be obvious.  but i figured to document it anyway, no harm.
> cool?
> randy
> _______________________________________________
> sidr mailing list