Re: [sidr] various

"George, Wes" <> Sat, 12 November 2011 05:40 UTC

From: "George, Wes" <>
To: Randy Bush <>
Date: Sat, 12 Nov 2011 00:41:10 -0500
Cc: sidr wg list <>
Subject: Re: [sidr] various
List-Id: Secure Interdomain Routing <>

> From: Randy Bush []
> Sent: Friday, November 11, 2011 10:41 PM
> To: George, Wes
> Cc: sidr wg list
> Subject: various
> draft-ietf-sidr-bgpsec-ops-02
>    To prevent exposure of the internals of BGP Confederations
> [RFC5065],
>    a BGPsec speaker which is a Member-AS of a Confederation MUST NOT
> not
>    sign updates sent to another Member-AS of the same Confederation.

[WEG] does that mean that routes using confeds as transit ASes cannot participate in BGPSec at all?
(e.g. if the update path goes:
Origin ASN -> confed AS ($private) -> confed AS ($public) -> eBGP peer)
If that's the case, it would be useful to be more explicit about it.

Or do you mean that confed AS1 will not be in the signature chain/AS path and the public ASBR (the external side of the confed) will sign as if it learned the routes directly from the Origin ASN? If it's the latter, you probably need more clarifying text, and that may actually require some text in the protocol definition to cover the special-case handling.

Related: It may be that we have to simply say that Private ASNs can't be BGPSec participants, whether in confeds or otherwise, for many of the same reasons - AFAICT it'd be impossible to build a signature path and then update it downstream to reflect the external AS it gets replaced with.

> draft-ietf-sidr-pfx-validate-04
>    An implementation MUST support 4 Octet AS Numbers, [RFC4893].
> as our friendly blood-sucking vendors have said, the latter is thought
> to be obvious.  but i figured to document it anyway, no harm.
> cool?

[WEG] works for me!


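The two readings raised in the message above (whether the public ASBR can sign "as if it learned the routes directly from the Origin ASN" after the confederation's private member ASNs are stripped, and whether a private ASN can sit in a signature chain at all) can be walked through in a toy model. The block below is an example added for this archive page; it is not code from draft-ietf-sidr-bgpsec-ops, RFC 5065 or any router implementation. Its assumptions: HMAC-SHA256 with a per-AS symmetric key stands in for the ECDSA router keys that BGPsec binds to an AS through RPKI router certificates; the signed data is reduced to (target AS, signer AS, prefix, previous signature); the AS numbers, keys and prefix are constructed (documentation ASNs plus two private ones for the members); and, per RFC 5065, the origin's external session sees the confederation identifier rather than the member's private ASN as its peer AS, so the origin addresses its signature to that identifier.

```python
import hashlib
import hmac

# Constructed sample data for this illustration (not from the drafts).
# Documentation-range AS numbers (RFC 5398) plus two private ASNs for the
# confederation's Member-ASes.
ORIGIN, CONFED_ID, PEER = 64496, 64500, 64510
MEMBER_A, MEMBER_B = 65001, 65002          # Member-ASes of confederation 64500
PREFIX = "192.0.2.0/24"                    # documentation prefix, constructed

# Assumption: HMAC-SHA256 with a per-AS symmetric key stands in for the
# ECDSA P-256 router key that BGPsec ties to an AS via an RPKI router
# certificate.  The private Member-ASes deliberately have no key: nothing
# in the RPKI can vouch for a private ASN.
ROUTER_KEYS = {
    ORIGIN: b"constructed-key-origin",
    CONFED_ID: b"constructed-key-confed-asbr",
    PEER: b"constructed-key-peer",
}


def sign(signer, target, prefix, prev_sig):
    """Toy BGPsec signature: covers the AS the update is sent to, the
    signing AS, the prefix and the previous hop's signature, so that any
    later change to an earlier hop or to the target breaks verification."""
    if signer not in ROUTER_KEYS:
        raise KeyError(f"AS {signer} has no router key (private ASN?)")
    data = f"{target}|{signer}|{prefix}|{prev_sig.hex()}".encode()
    return hmac.new(ROUTER_KEYS[signer], data, hashlib.sha256).digest()


def validate(prefix, secure_path, signatures, receiver):
    """Re-derive the chain origin-first.  Signer i must have targeted
    secure_path[i + 1]; the last signer must have targeted `receiver`.
    Returns (valid, reason)."""
    if len(secure_path) != len(signatures):
        return False, "path and signature block lengths differ"
    prev = b""
    for i, signer in enumerate(secure_path):
        if signer not in ROUTER_KEYS:
            return False, f"no router key for AS {signer}"
        target = secure_path[i + 1] if i + 1 < len(secure_path) else receiver
        expected = sign(signer, target, prefix, prev)
        if not hmac.compare_digest(expected, signatures[i]):
            return False, f"signature by AS {signer} does not verify"
        prev = signatures[i]
    return True, "ok"


def confed_transit(origin_target):
    """Carry PREFIX from ORIGIN through the confederation (MEMBER_A ->
    MEMBER_B) to PEER.  Following the ops-draft rule, the Member-ASes add
    no signatures; MEMBER_B, the external-facing ASBR, strips the private
    member ASNs (RFC 5065 handling) and signs as CONFED_ID directly over
    the origin's signature.  `origin_target` is the AS the origin named as
    the recipient of its own signature."""
    sig_origin = sign(ORIGIN, origin_target, PREFIX, b"")
    # MEMBER_A -> MEMBER_B is confederation-internal: no signature added.
    sig_confed = sign(CONFED_ID, PEER, PREFIX, sig_origin)
    secure_path = [ORIGIN, CONFED_ID]      # MEMBER_A / MEMBER_B never appear
    return validate(PREFIX, secure_path, [sig_origin, sig_confed], PEER)


def member_as_can_sign(member=MEMBER_A):
    """A private Member-AS has no router key and cannot sign at all."""
    try:
        sign(member, MEMBER_B, PREFIX, b"")
    except KeyError:
        return False
    return True


def demo():
    return {
        "origin targets Member-AS 65001": confed_transit(MEMBER_A),
        "origin targets confederation id 64500": confed_transit(CONFED_ID),
        "private Member-AS can sign": member_as_can_sign(),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In this model the chain at the external peer verifies only when the origin addressed its signature to the confederation identifier and the Member-ASes stayed silent; had the origin signed toward the private member ASN it literally peers with, stripping that ASN at the ASBR invalidates the origin's signature, and a private Member-AS cannot contribute a signature of its own because no RPKI router certificate exists for it. That is the special-case handling the message asks to see spelled out in the protocol text.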