Hi Sandy,
The owner of the advertised prefix doesn't have ownership of the next
hops along the path. Nor does it have anything to say about the
legitimacy of next hops along the path.
There's this whole "third party next hop" concept which would make
determining legitimacy of the next hop complicated.
Third party next hop (typical in IX cases) assures that the ownership of
the next hop stays unchanged. So I would observe that this would make it
actually easier there.
Moreover, there are deployed applications which specifically mandate to
not change the next hop across AS boundaries. As an example I could bring
Inter-AS option C for L3VPNs. Note that there can be transit ASes in the
path too. So how are we going to assure a customer of such a service that
the prefix advertised from a customer site attached to AS 1, transiting
via AS 2 and terminating at AS 3 got to the final site on the other side
uncompromised?
Maybe one should ask the bigger question: Is BGPSec as is being defined
in SIDR applicable to address families other than 1/1|2 and 2/1|2
which still carry IP prefixes, or is it out of scope?
How about Internet as a VPN (aka Internet in a VRF scenarios) where
internet routes may travel as vpnv4/vpnv6 updates?
How about those address families in BGP which are designed to carry
control plane information between domains, for example bgp flowspec or
rt-constrain?
I am just trying to understand if we are talking more of enhancements to
bgp security (bgp being the protocol) or perhaps about just limiting the
SIDR scope to build a new layer for controlling traditional Internet
prefix propagation?
Many thx.
R.
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr