I have updated the BGPSEC protocol specification.
At the SIDR meeting in Quebec, there was significant discussion about
how BGPSEC could provide security of the AS-PATH attribute while still
accommodating the needs of route servers that participate in BGP, but do
not wish to increase the length of the AS-PATH attribute. The -01
version of the draft contains a mechanism (a field called pCount) which
attempts to address this issue by having route servers create BGPSEC
signatures without increasing the effective length of the AS-PATH
attribute. I would greatly appreciate comments on this mechanism and
whether it adequately addresses the issues raised at the last SIDR
meeting and subsequently discussed on the list.
There was has also been significant discussion on the SIDR list of the
"Expire TIme" field in BGPSEC and the associated "Beacon-ing" (that is,
periodic re-advertisement of a prefix with a new signature and a new
Expire Time) as a mechanism to address replay attacks (as well as
attacks where a malicious peer fails to propagate the withdrawal of a
route). My understanding is that the consensus of the working group was
that the current Expire Time mechanism is reasonable as long as
re-advertisement is only required at the origin AS (and not at
intermediate ASes). The current -01 version of the draft attempts to
reflect that consensus.
Finally, there are a number of small editorial changes that I believe
will improve the clarity of the draft. Thanks again to everyone who has
reviewed the document, feedback on how the text could be made more
easily understandable is especially welcome.
- Matt Lepinski
On 10/31/2011 3:38 PM, internet-dra...@ietf.org wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of
the IETF.
Title : BGPSEC Protocol Specification
Author(s) : Matthew Lepinski
Filename : draft-ietf-sidr-bgpsec-protocol-01.txt
Pages : 28
Date : 2011-10-31
This document describes BGPSEC, an extension to the Border Gateway
Protocol (BGP) that provides security for the AS-PATH attribute in
BGP update messages. BGPSEC is implemented via a new optional non-
transitive BGP path attribute that carries a digital signature
produced by each autonomous system on the AS-PATH.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-protocol-01.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-protocol-01.txt
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
