Re: [sidr] various

Brian Dickson <> Sun, 13 November 2011 01:29 UTC


On Sat, Nov 12, 2011 at 7:45 PM, George, Wes <> wrote:
>> From: Randy Bush []
>> Sent: Saturday, November 12, 2011 9:58 AM
>> To: George, Wes
>> Cc: sidr wg list
>> Subject: Re: various
>> > Do you or do you not agree that on the transition between private ASN
>> > and public, if remove-private is configured, any signatures containing
>> > private ASN must be removed even if the eBGP peer is BGPSec capable?
>> with the statement as is, if it is a private asn or a public asn, it is
>> not signing.
> [WEG] sigh. Let me try one more time.
> This question is not about confederations so "the statement" is not applicable.
> Think just bog-standard, vanilla eBGP, with two BGPSec speakers, one of whom is using a private ASN, announcing routes that must be carried to the DFZ. Make more sense now as to why I'm making the distinction between private and public ASN?

Should we presume in your example, that the sequence is:

private -> public -> public

I.e. that there is no public ASN before the private ASN, and the route
is originated by the private AS?

I think the answer is something along the lines of, the private AS
announces with its private AS as the origin,
and the upstream public AS has its own trust anchor for assigning its
instances of private AS ROA records.

The public AS, to the outside world, appears to be the real
originator, so the original signature is stripped completely,
and a new signature block created using the public AS's "real" ROA
info and signed as if it really was originated.

Everything works beyond that.

There really cannot be a transitive 1918->non-1918 signature path,
because there cannot be 1918 ROAs with global significance, because of
the AS's non-uniqueness.

BGPsec from the announcer, transitively, can only be done with a
public ASN. 4-byte ASNs are available now; expect demand to increase
with BGPsec, IMHO.
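
A toy model of the boundary behaviour proposed in the message above, added as an illustration; it is not part of the original post and not BGPsec's actual wire format or algorithm. Assumptions: HMAC stands in for per-AS signatures, the keys and prefix are constructed, documentation ASNs 64496/64497 play the public ASes, and the private ranges are those of RFC 6996.

```python
import hashlib
import hmac

# Private-use ASN blocks (RFC 6996).
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))
PREFIX = "192.0.2.0/24"                       # constructed sample prefix
# Constructed keys: the outside world only has keys for public ASNs.
GLOBAL_KEYS = {64496: b"key-64496", 64497: b"key-64497"}
CUSTOMER_KEY = b"key-local-64512"             # known only to upstream 64496

def is_private(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)

def sign(key, prefix, path):
    """Toy stand-in for a BGPsec signature: HMAC over prefix and path."""
    msg = (prefix + "|" + " ".join(map(str, path))).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def originate(asn, key, prefix):
    return {"prefix": prefix, "path": [asn], "sigs": [sign(key, prefix, [asn])]}

def export_at_boundary(update, local_asn, local_key):
    """Export toward the DFZ. The path is listed origin-first."""
    path = update["path"]
    if all(is_private(a) for a in path):
        # Strip the private signatures completely and re-originate.
        return originate(local_asn, local_key, update["prefix"])
    if any(is_private(a) for a in path):
        raise ValueError("mixed public/private path: not covered by the message")
    new_path = path + [local_asn]
    sig = sign(local_key, update["prefix"], new_path)
    return {"prefix": update["prefix"], "path": new_path,
            "sigs": update["sigs"] + [sig]}

def validate(update, keys):
    """Check every hop's signature against globally known keys."""
    path, sigs = update["path"], update["sigs"]
    if len(path) != len(sigs):
        return False
    for i, asn in enumerate(path):
        key = keys.get(asn)
        if key is None:            # no global trust anchor for this ASN
            return False
        expected = sign(key, update["prefix"], path[:i + 1])
        if not hmac.compare_digest(sigs[i], expected):
            return False
    return True
```

A route originated by 64512 and exported by 64496 validates downstream only in its re-originated form; the same route forwarded with the private hop's signature kept fails because no global key exists for 64512.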