Re: [sidr] No BGPSEC intradomain ?

Robert Raszuk <> Tue, 10 April 2012 16:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D664C11E812A for <>; Tue, 10 Apr 2012 09:34:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id izTkwhIyy7D2 for <>; Tue, 10 Apr 2012 09:34:43 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id AA0B111E8129 for <>; Tue, 10 Apr 2012 09:34:42 -0700 (PDT)
Received: (qmail 21358 invoked by uid 399); 10 Apr 2012 16:34:42 -0000
Received: from unknown (HELO ? ( by with ESMTPM; 10 Apr 2012 16:34:42 -0000
Message-ID: <>
Date: Tue, 10 Apr 2012 18:34:41 +0200
From: Robert Raszuk <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To:, " List" <>
References: <> <> <>, <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [sidr] No BGPSEC intradomain ?
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 Apr 2012 16:34:44 -0000

Hi Warren,

Many thx for your comment. It clarifies my question very well.

So you are effectively confirming that as long as there is one ASBR, one 
RR or one confederation edge which does not yet speak BGPSEC anywhere in 
the UPDATE path the peer sending to him over ebgp or ibgp will convert 
BGP_SIGNED_PATH to AS_PATH/AS4_PATH attributes and from now on that path 
will remain unsigned.

Likewise each RR/confed peer will need to convert BGP_SIGNED_PATH to set 
of AS_PATH/AS4_PATH attributes when sending to "legacy" BGP speakers.

I do not know what is the rationale for recommendation of not sending 
mandatory BGP attributes any longer even if their content could be 
already contained with new BGP_SIGNED_PATH attribute.

Anyhow my doubt has been answered and I stay by my opinion that not 
sending AS_PATH and AS4_PATH is a terrible idea.

Perhaps one could depreciate it in 20 years when world is upgraded to 
BGPSEC, but recommending this in BGPSEC protocol draft now is IMHO not 
helpful for any even potential BGPSEC deployment model.

Best regards,

> Nope, not assuming that at all. The devices on the edge of the AS
> (those that do eBGP) need to speak BGPSEC, and if the AS is small,
> they will probably be in a full mesh. If the AS is not small (or has
> planned ahead :-)) they will talk to a RR or be part of a confed. If
> they talk through a RR (or set of RRs), these should also speak
> BGPSEC. If you prefer the confed flavor of scaling, well, the devices
> on the edge of the confed are kinda like eBGP speakers, and inside
> the confed they all mesh (or talk through a RR (see previous :-)))