Re: [Sidrops] [routing-wg] misconceptions about ROV
"Montgomery, Douglas C. (Fed)" <dougm@nist.gov> Thu, 24 February 2022 23:53 UTC
Return-Path: <dougm@nist.gov>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id B1A253A0945
for <sidrops@ietfa.amsl.com>; Thu, 24 Feb 2022 15:53:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.026
X-Spam-Level:
X-Spam-Status: No, score=-3.026 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.576, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
FROM_GOV_DKIM_AU=-0.351, HTML_MESSAGE=0.001, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id K3veT3uCJGB2 for <sidrops@ietfa.amsl.com>;
Thu, 24 Feb 2022 15:53:30 -0800 (PST)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com
(mail-dm3gcc02on20710.outbound.protection.outlook.com
[IPv6:2a01:111:f400:7d04::710])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 81FB23A0822
for <sidrops@ietf.org>; Thu, 24 Feb 2022 15:53:30 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=UV+MvXDNLZYJntetWQjs3JGqcWgMceq2FD5GP57+G5Be0FwpKGyJ11YNYuT9B6fghOQiSWdCoH/uFEyW1rY6QSxZ91B0EBCJBES/1smTXgDf6lR/c0Msr/UqFgOVhFWE+gHcQjTUjGJbM7bpsMGQf7pu/Mnq/6rfwMwILi0ctopvdJHiTcjjTxCTnRMPBD5Pr7mZpEcTT29nYwUxczBgdxF7Cu6oSG0F5O7nLI85Muj2AgwXoUJy/4TdJjgfPN6YyNTb6QhBv8GqsKJRq2gxqai31UvXV/lG1yaQSPDXDF5WbzOmeSbBRozXsKXM9FKMz22QOpA3wkrGTl2J8gSzxQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=dJQb/PwfOa8Kh22XDZGalFSBhjXo4vLaYm83WHITW2s=;
b=Gv5KoJE+w7EGJW1IHxtaWWl23F33HpFXWDz1Nv/uKlWGZll/kfSKewKmrXVbgfjLh4gD1/63lFC5MyeAarKozPDuJGgRs9/HQNwsALuAODHmdz4eUdqBPj75L6ETqIdksJHIdsX+iui11oI2MCe9j4U/DlIQ1aW/nxabtJLRgQ1ig/Vp9yVeNapkq9vNvXie41DU0oFqKEKrbqX5GmSmRRqkpHolMRHEk7XdacZxyQzgXRmWcF9xlCKZwJhHl4fdbD8bw4JpHWM9HEhPzOnvQEpLVA+8blbbQg8539fDs2G7ieAa9VK4N5/2QR7xAfqDEzriardLJ9YBQinZFmEGqQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov;
dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=dJQb/PwfOa8Kh22XDZGalFSBhjXo4vLaYm83WHITW2s=;
b=nBpBFvLERbvk5pXzS8RF3dUeeyUM6LMyyaD9h2Jxd2jrHSTmoWVusCxpZiYuk+UXJxTlk6PZ8KVypLzihxUE7sf6+pg6CT/+hEbwhtfNo6wlwhezpfIbA9md5f8AwnyhvnIZVel3nQnkIRmszBmTDzjN2sj7JCaAxa27fsVh9E4=
Received: from DM8PR09MB6294.namprd09.prod.outlook.com (2603:10b6:5:2e7::20)
by DM8PR09MB7157.namprd09.prod.outlook.com (2603:10b6:5:2ef::23) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.22; Thu, 24 Feb
2022 23:53:25 +0000
Received: from DM8PR09MB6294.namprd09.prod.outlook.com
([fe80::54cd:466f:98b6:49e6]) by DM8PR09MB6294.namprd09.prod.outlook.com
([fe80::54cd:466f:98b6:49e6%5]) with mapi id 15.20.4995.027; Thu, 24 Feb 2022
23:53:25 +0000
From: "Montgomery, Douglas C. (Fed)" <dougm@nist.gov>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>, Job Snijders
<job=40fastly.com@dmarc.ietf.org>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] [routing-wg] misconceptions about ROV
Thread-Index: AQHYJ4Vl6XzI7P0aSEeIDkLJO3o9JayexX2AgAB7eACAAALMAIAAB8OAgAAYuoCAAA5HgIAAfxmAgAAoMICAAC7LAIAAgrYAgABHDQCAABUpAIABO0gAgAAMnYCAAOoVFQ==
Date: Thu, 24 Feb 2022 23:53:25 +0000
Message-ID: <DM8PR09MB6294D4538DAA3C3094F0E661DE3D9@DM8PR09MB6294.namprd09.prod.outlook.com>
References: <015C9C28-4230-40D8-A9F2-7420B726C00F@juicybun.cn>
<DF148DA2-C94D-42BF-A37F-668D9B37860B@nlnetlabs.nl> <YhS/WR3czIP3jNLF@snel>
<ABE3FA29-6C9D-492B-A72A-68C20176E76D@nlnetlabs.nl>
<949277FD-27AF-40E8-B557-AA58C62BFEA7@apnic.net>
<E16290C1-77ED-4CB1-8712-F6163304ED45@nlnetlabs.nl>
<m2k0dmmntj.wl-randy@psg.com>
<6D314C7A-8CEC-4B9B-8F80-6B1AC48037E2@nlnetlabs.nl>
<85D947F4-E2A4-4FFE-86AF-2D129C49FB9C@psg.com>
<8413F0CA-F50A-42B7-B0DA-19A0A90ABE6F@nlnetlabs.nl> <YhdCYjS+yDVsFgNF@snel>
<60B6D863-047D-40A6-80DD-95C05391A0BA@nlnetlabs.nl>
In-Reply-To: <60B6D863-047D-40A6-80DD-95C05391A0BA@nlnetlabs.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2a463b35-1010-4644-66a7-08d9f7f0d939
x-ms-traffictypediagnostic: DM8PR09MB7157:EE_
x-microsoft-antispam-prvs: <DM8PR09MB7157E7221164A4E057AC3013DE3D9@DM8PR09MB7157.namprd09.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SCUv0NerkWzCZrt+3Nz/XdA7T0Fd83jcX61FBVXJEFzt/YNZShB1OBjbLyxvc6dGcRcuET1XvypapEdVpREe50WF0Rca3qaUgrzz65tbaK/FaLNRlzGfP6GNgCff/qOvHCSNgj+J9SGm2PCWDNsD4+kxl77lwhPwtf8Npz8EV3OGnV58Lj6w0yhLm3NkOBCaCDZNOUIT2UNMUn650rKN9qqmv/AkQfv4L3QjRu4op9oE1Wfub6M5MpGyWjGZgQtr3es0xToI1QDm6oyDzTZvPYYnYn78p3cmi4OXTuoOeIDhtbH7X2xPalcoMPiEEr71qPSesUmfxnLeN6Yf6Dc3lRqitlWWsnTtgeR4uAUbhf1Sn/EFdDaLYGMyDG46Vt8lrOLa9fZ8e6QteQvF6PO4no+Gy49THPOwzlMIBV5mu04SW4PmExYIu2c2VMrg47/Zi+6iUB6TySof1UecAWQy8ZNKQq+il/jpZnlVa4z9NQY3NB6omkNuCyQdFBSWidxCE39dR4Xp7JqUDtjQ42lALzUqgGvkX3R4Smabu6xS0/rnLNsXRd8A7j0/HpwGfLpWiw8f4aFmIFZT+0GCn2PWVccZTmywBjmZvscRNMMaD25VNLYSDYMUXhqOtnIWlT1GODqodixZ0RWCd+UqURSXIhbMRI+0JDJMCYukzFCl65BNlOI48l2e2DNGu90IQz003TiL9yADFUfODi0SmbyoIfxkTBPQ2g0+S2C8w5YR2zk3KnQq9bg1cRlvsv89T4yoM3rtcGNMA2PVZVLU+Z1ueP1XC1KYG7UyFapGrJEBKoY=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM;
H:DM8PR09MB6294.namprd09.prod.outlook.com; PTR:; CAT:NONE;
SFS:(13230001)(4636009)(366004)(38070700005)(186003)(66574015)(8936002)(30864003)(52536014)(83380400001)(82960400001)(2906002)(5660300002)(8676002)(45080400002)(91956017)(4326008)(66476007)(66446008)(64756008)(66946007)(33656002)(66556008)(76116006)(9686003)(966005)(6506007)(7696005)(508600001)(53546011)(71200400001)(38100700002)(166002)(122000001)(86362001)(55016003)(110136005)(316002);
DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?Windows-1252?Q?PFnjtup80nSGB8oEbd0HWBU3UlNrLe5qjepRzBVE8HLSy4UX9RsnIhGj?=
=?Windows-1252?Q?oSpbD+n8YsdpYAi9M1+bjBvkhHG/idQLmhcySsxs7/ivXMbqE4Adu3jv?=
=?Windows-1252?Q?32Or19z+AwSyZmEeOslDgwYLc9DTBZZwqshjRvGgKxJk39jctmXmyoLp?=
=?Windows-1252?Q?HFkpUXkpFhS5u4ljDKkskL8uA4TQzMEuXpo8mEVFsOd1L761r1bsshCr?=
=?Windows-1252?Q?U6ugmKHKGZVAqAxxFAi3yxflnAmfJKlL6UfY7gffCStxlAOY29FGLFV9?=
=?Windows-1252?Q?IlIIlAfdhWwPaZptcgpH+NNIR4bpBt1n4FM13pJLhzBY5ZU3X5hK36pq?=
=?Windows-1252?Q?ngHeJaJ4rtd2IfLf71kW80mStVy/qFRWwVWsu0cyfYACMdrebzZcPVUh?=
=?Windows-1252?Q?OyGED2Pfd0hh6GGR1e3l1VB4AHtxZ85w5kDZ5uT73gG9lYDdhJqWqbkH?=
=?Windows-1252?Q?X+cJZAOlDgiw9+bNAa3bpJTjvgW/YyFPcw6YHKXGDuW7RFc8Gx64/zHy?=
=?Windows-1252?Q?V7FIZuYH3OWynHshdmdOpY/TGJtdzMNEW4Da1i5kkIRdq5DBstAKgD3L?=
=?Windows-1252?Q?gHRaDhxUIcwGAh1pTYcpYqhJAwsW1dvHe10lseYVPhxYJZwM3pl1FJUL?=
=?Windows-1252?Q?r++tjP4z3uFgkWKXPnUmxm2RHF/t49h3WwGh6sMi9YaC6JMKJfDolggP?=
=?Windows-1252?Q?wB8nLUdGDmmvIewWT9Ctp+RFL6XZfvh94p9nEZDu7LLigLZJSdnPDhw5?=
=?Windows-1252?Q?oKebnCgpgm4+QBp/DadHVO6f2X6HQ2AM5G8manJPFx4VqW8gn9Xgf7/u?=
=?Windows-1252?Q?JqBoROLMHARqy8Z7phH5bb6y0dYo9++vNbym8VdtLWkz6U6bswBDZRnH?=
=?Windows-1252?Q?bxOO5mFxiQcqra/sUW8GwG0Iw6dCfl/PmlJKFdjYcP66t8Xb2gmLrCFm?=
=?Windows-1252?Q?E3EMuwGAFtJ1vFbetquTJdSOxvD7HEFlQa2wCN2FMvvPwPsHO9SEco4N?=
=?Windows-1252?Q?M+AnMWlvYadROBgETv6wnmxXBHzjPY8Cc3QjEtD+lC8GXzhjOIzXIhbY?=
=?Windows-1252?Q?OR97HnW59HuNcAMoyibd2xEwkgopJ2dqyVduoTaWRv13KiS3WkcyHQ2n?=
=?Windows-1252?Q?qh1dct34PLXkB+sheQx4xdkGHDNJZb9/dykUE4V6x984MgKyXpfws/DK?=
=?Windows-1252?Q?6gJcYCIUoCV9gH6uYvAz4jHwBDpcTAbWO9xF6Emxk28NKLAHlU4ZPRZk?=
=?Windows-1252?Q?vPbL7EZIfI1YqTLIzGlzCVxY8YsYjYV278zuqasjxqFep0W/3jbaqhUh?=
=?Windows-1252?Q?58CfDyIWYmKAAT5oO44bXWFE6d/ra37xxBWT1hqHOtFkYRFxFyfvmgul?=
=?Windows-1252?Q?Q0CzQMFy9VGA40atzOAUn9ES5IfBG018WYdjeeVULQM8igXz5P1a3CTA?=
=?Windows-1252?Q?W1Ai2VNB3DaUw2HCtnUiAHwe7gigWMbWrLbO6tEfdnA=3D?=
Content-Type: multipart/alternative;
boundary="_000_DM8PR09MB6294D4538DAA3C3094F0E661DE3D9DM8PR09MB6294namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM8PR09MB6294.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2a463b35-1010-4644-66a7-08d9f7f0d939
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Feb 2022 23:53:25.7327 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM8PR09MB7157
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/GG17Ze1b3kAh8avg499PkB0R6Ws>
Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>,
<mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>,
<mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2022 23:53:36 -0000
For what it is worth, I have long thought the ability to indicate, in a globally accessible system, that BGPSec is being used on a given logical peering between two ASes is the only way address the down-grade attack on BGPsec as currently specified and would increase the utility of BGPsec over multi hop paths. I agree with Tim’s point, as I understood it, that this information can’t just be local to a peering session, as I need to know if I received an unsigned (BGP4 PATH) that appears to come from a sequence of ASes that all stated that they were doing BGPsec with each other. I get Job’s (I think) point that a simple mechanism at the AS level can’t deal with the scenario where I do BGPsec on some peering’s with my neighbor but not on others with the same neighbor. Given that distinct peering sessions between the same peers are not visible in BGP downstream of the ASes in question, there is not much to do about this other than wait until all peering sessions between a given pair of ASes enable BGPsec. The utility of any optional security mechanism is significantly increased by having secure out of band mechanism to signal that it is operationally enabled for use. Actually, in my mind DMARC is a useful general model because you can both signal you are using a security mechanism, suggest how receivers should treat failures, and provide a notification channel to send back info on failures. The latter two allowing you to pilot the security mechanism (policy=monitor) before you signal policy=reject. We seem to create many security mechanisms (e.g., BGPsec, ROAs, MUD profiles, etc) that don’t have a safe means for individual users to globally test/pilot them before going into production mode. That increases the risk/barrier to entry to those who wish to enable the technologies. dougm -- DougM @ NIST From: Sidrops <sidrops-bounces@ietf.org> on behalf of Tim Bruijnzeels <tim@nlnetlabs.nl> Date: Thursday, February 24, 2022 at 4:19 AM To: Job Snijders <job=40fastly.com@dmarc.ietf.org> Cc: sidrops@ietf.org <sidrops@ietf.org> Subject: Re: [Sidrops] [routing-wg] misconceptions about ROV Hello Job, others > On 24 Feb 2022, at 09:31, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote: > > Hello Tim, others, > >> What I meant here by "accept... on islands" is that the operator would >> have to know - somehow - where to enable BGPSec validation. >> >> I believe that the idea was that this would be done on a BGP session >> basis. E.g. providers would insist on BGPSec from customers, or peers >> between each other etc. > > "In order to indicate that a BGP speaker is willing to send BGPsec > UPDATE messages (for a particular address family), a BGP speaker > sends the BGPsec capability" > source: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8205%23section-2.2&data=04%7C01%7Cdougm%40nist.gov%7C7396569117474f31495d08d9f7767196%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637812911853664452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=1BEYOsez4uQzGJ8gu0rkKKHrBS%2BXYtvGWwLEU0V7VFU%3D&reserved=0 > > Indeed, it is an operator choice whether to enable BGPsec or not, and it > is choosen per-session. Luckily most large operators have automated the > provisioning of BGP sessions. > >> I wondered if (new) signed statements in the RPKI could be used to >> conclude that ASNs have pledged to use BGP Sec when possible. I.e. >> such ASNs would sign a path if they are the origin / or if the receive >> a signed path. >> >> The receiving router could then conclude that IFF all ASNs in a path >> had made these signed statements - BGPSec validation on *that* path >> could be performed. It would be an error if signatures were missing or >> invalid. >> >> This way operators would not have to enable this manually on a per >> session basis, and because it would be based on signed validated >> statements they could trust that it would be safe to apply for ASNs >> who issued those statements - without the need to know these ASNs >> first hand - e.g. across transit. >> >> It would still allow for path spoofing and signature removal by >> injecting an ASN that did not sign a statement that they would do >> BGPSec. However, the options would become more limited as more ASNs >> participate - and ASPA validation would further limit the available >> choices. >> >> As for how an ASN could sign such a statement.. one could overload >> existing router certificates but I think that is probably a bad idea - >> it could very well lead to timing issues when adopting. An alternative >> could be to have a new separate signed object for this, which would >> allow that BGPSec is tested first, before letting the world know. >> >> Just an idea.. hoping it might help. > > I am not sure it is helpful at this stage. > > It seems you overlook some deployment aspects, for example: within a > given Autonomous System (during the incremental deployment of BGPsec - > which may take years) there will be ASBRs that support BGPsec and ASBRs > that are unable to negotiate support for BGPsec. For example, it is > entirely possible that at a given moment in time only half the > adjacencies for 206238_15562$ are BGPsec capable, and half are not (yet). Not at all - any adjacencies that are not BGPSec capable would not issue any statement that they are capable. So stripping the signatures there would be entirely expected. I am talking about something else: signalling deployment beyond direct sessions in order to enable detection of downgrade attacks. If router can detect that the *entire* path is not only capable but also committed to do BGPSec then removal of signatures can be flagged as an attack. > See this posting for a similar story on RPKI ROV invalids: > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailman.nanog.org%2Fpipermail%2Fnanog%2F2021-April%2F213346.html&data=04%7C01%7Cdougm%40nist.gov%7C7396569117474f31495d08d9f7767196%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637812911853664452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Tom4cL9nHEw9PVbNGH21p2RkeTdcvo6xdxj57F2sjOQ%3D&reserved=0 > > Frankly speaking, wouldn't it make far more sense to implement the > specifications AS SPECIFIED AND PEER-REVIEWED BY MANY PEOPLE, > *before* advocating new object profiles? > > Especially since the CA side of BGPsec is so straight-forward and > simple to implement ... ? There is no need to shout Job.. I was trying to have a discussion about a possible way to help operational future deployment. This is in no way preventing the development and deployment of current standards. And should the idea be useful and accepted then of course it would be handled as a WG document, be peer-reviewed etc. I know - it's naive to think that that would be what the IETF is for. Fine. I will stop here. Discussion once again seems entirely pointless. > > Regards, > > Job > > ps. Since you asked, here are required reading materials: > > BGPsec Protocol Specification > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8205&data=04%7C01%7Cdougm%40nist.gov%7C7396569117474f31495d08d9f7767196%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637812911853664452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=6ruh6AJPkmReg%2BEt5Yh9A7G6KrQJvlpzqXZ%2B%2B%2B9xLvw%3D&reserved=0 > > BGPsec Considerations for Autonomous System (AS) Migration > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8206&data=04%7C01%7Cdougm%40nist.gov%7C7396569117474f31495d08d9f7767196%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637812911853664452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=c0Kh9YdXBICdNgVhka9zVtRMTWgyfjDnwXduHcR6c%2Bc%3D&reserved=0 > > BGPsec Operational Considerations > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8207&data=04%7C01%7Cdougm%40nist.gov%7C7396569117474f31495d08d9f7767196%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637812911853664452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=%2F2AQrHIqzvReQ0spKjNnMmRNFvmFpfSJayFvDrWDA5c%3D&reserved=0 > > BGPsec Algorithms, Key Formats, and Signature Formats > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8208&data=04%7C01%7Cdougm%40nist.gov%7C7396569117474f31495d08d9f7767196%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637812911853664452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=RH8GcLnRFf3CafW8%2FTFkaH936M3nE3%2BFlnZVY0IPo7c%3D&reserved=0 > > BGPsec Design Choices and Summary of Supporting Discussions > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8374&data=04%7C01%7Cdougm%40nist.gov%7C7396569117474f31495d08d9f7767196%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637812911853664452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=amNinyrayWu0Skqw5TFepEpjS0mKQT6WAiDWuzawuVA%3D&reserved=0 > > Router Keying for BGPsec > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8635&data=04%7C01%7Cdougm%40nist.gov%7C7396569117474f31495d08d9f7767196%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637812911853664452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=AQfk6fmJvWo1lQPeFjqU61n8n0MWw%2BRjM%2Fun5R9UOpA%3D&reserved=0 Thank you Job - somehow I managed to find these documents myself. I did not ask about these. I asked about the downgrade issue. Randy was kind enough to answer. Tim > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&data=04%7C01%7Cdougm%40nist.gov%7C7396569117474f31495d08d9f7767196%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637812911853664452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Gx6OU7d8kL0qGcOyNcap%2FMppIWDaq82xlIKdwiDiGsE%3D&reserved=0 _______________________________________________ Sidrops mailing list Sidrops@ietf.org https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsidrops&data=04%7C01%7Cdougm%40nist.gov%7C7396569117474f31495d08d9f7767196%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C637812911853664452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Gx6OU7d8kL0qGcOyNcap%2FMppIWDaq82xlIKdwiDiGsE%3D&reserved=0
- [Sidrops] Fwd: [routing-wg] misconceptions about … Randy Bush
- Re: [Sidrops] [routing-wg] misconceptions about R… Di Ma
- Re: [Sidrops] [routing-wg] misconceptions about R… Randy Bush
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Di Ma
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Job Snijders
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Job Snijders
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Geoff Huston
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Randy Bush
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Randy Bush
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Job Snijders
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Jeroen Massar
- Re: [Sidrops] [routing-wg] misconceptions about R… Job Snijders
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Jeroen Massar
- Re: [Sidrops] [routing-wg] misconceptions about R… Tim Bruijnzeels
- Re: [Sidrops] [routing-wg] misconceptions about R… Jeroen Massar
- Re: [Sidrops] [routing-wg] misconceptions about R… Montgomery, Douglas C. (Fed)
- Re: [Sidrops] [routing-wg] misconceptions about R… Job Snijders