In the case of confederations, and presuming BGPSEC is used among the confederation members, it should be the case that upon entry to the confederation, the "TO" ASN of the sender's signature is the AS Confederation Identifier, i.e. the externally visible ASN as which the confederation appears to its eBGP neighbors.

The confederation will, in propagating an eBGP announcement, create an AS_CONFED_SEQUENCE, and corresponding signatures.

Removing the signatures and removing the AS_CONFED_SEQUENCE, I believe, will preserve the signature validity, since the confederation member sending to a non-confederation member will add the AS Confederation Identifier (ASN) to the AS_SEQUENCE, and add its signature. The AS-path and signatures over such will be valid/consistent. I.e., I think it "just works".

So, I propose the following alternative text:

  To prevent exposure of the internals of BGP Confederations [RFC5065],
  and to comply with the requirement that the AS_SEQUENCE be identical
  to the sequence of ASNs from the Signature-Block, a BGPsec speaker
  which is a Member-AS of a Confederation MUST remove every Signature-
  Segment which corresponds to a unique ASN in the AS_CONFED_SEQUENCE
  prior to the AS_CONFED_SEQUENCE being removed from the AS_PATH,
  and prior to adding its own Signature-Segment to the Signature-Block.

Or, wording to that effect.

Brian

On Fri, Nov 11, 2011 at 10:40 PM, Randy Bush <ra...@psg.com> wrote:
> to two of your comments, in my unpublished edit buffers
>
> draft-ietf-sidr-bgpsec-ops-02
>
>   To prevent exposure of the internals of BGP Confederations [RFC5065],
>   a BGPsec speaker which is a Member-AS of a Confederation MUST NOT
>   sign updates sent to another Member-AS of the same Confederation.
>
> draft-ietf-sidr-pfx-validate-04
>
>   An implementation MUST support 4 Octet AS Numbers, [RFC4893].
>
> as our friendly blood-sucking vendors have said, the latter is thought
> to be obvious.  but i figured to document it anyway, no harm.
>
> cool?
>
> randy
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>
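A constructed model of the confederation exit step proposed above, added here and not part of the thread or of any BGPsec implementation: the "signature" is a stand-in hash over (signer, "TO" ASN, prefix) rather than the real BGPsec signing algorithm, and the ASNs and prefix are documentation values chosen for the example. It checks that stripping the confederation members' Signature-Segments before removing the AS_CONFED_SEQUENCE leaves an AS_SEQUENCE that matches the Signature-Block and a signature chain that verifies, and that skipping that step does not.

```python
import hashlib

# Constructed stand-in for a BGPsec signature: a hash binding signer ASN,
# target ("TO") ASN and prefix. Only the path/Signature-Block bookkeeping
# is modelled; real BGPsec signs the Secure_Path with RPKI router keys.
def sign(signer, target, prefix):
    return hashlib.sha256(f"{signer}->{target}:{prefix}".encode()).hexdigest()[:16]

def originate(origin, target, prefix):
    """Origin AS: AS_PATH is one AS_SEQUENCE, Signature-Block has one segment."""
    return {"prefix": prefix, "as_path": [("AS_SEQUENCE", [origin])],
            "sig_block": [(origin, sign(origin, target, prefix))]}

def send_within_confed(update, member, next_member):
    """Member-AS propagating inside the confederation: prepend its private ASN
    to an AS_CONFED_SEQUENCE and add the corresponding Signature-Segment."""
    path = update["as_path"]
    if path[0][0] == "AS_CONFED_SEQUENCE":
        path[0][1].insert(0, member)
    else:
        path.insert(0, ("AS_CONFED_SEQUENCE", [member]))
    update["sig_block"].insert(0, (member, sign(member, next_member, update["prefix"])))
    return update

def send_to_ebgp_neighbor(update, confed_id, neighbor, strip_confed_sigs=True):
    """Border Member-AS sending to a non-member, in the proposed order: drop the
    Signature-Segments for AS_CONFED_SEQUENCE ASNs, drop the AS_CONFED_SEQUENCE,
    then prepend the Confederation Identifier and sign as it.
    strip_confed_sigs=False shows the result when the first step is skipped."""
    confed = {a for kind, seg in update["as_path"] if kind == "AS_CONFED_SEQUENCE" for a in seg}
    if strip_confed_sigs:
        update["sig_block"] = [s for s in update["sig_block"] if s[0] not in confed]
    update["as_path"] = [seg for seg in update["as_path"] if seg[0] != "AS_CONFED_SEQUENCE"]
    update["as_path"][0][1].insert(0, confed_id)
    update["sig_block"].insert(0, (confed_id, sign(confed_id, neighbor, update["prefix"])))
    return update

def verify(update, receiver):
    """Receiver-side check: no confederation segments left, Signature-Block ASNs
    equal the AS_SEQUENCE, and each signature names the next ASN toward us."""
    if any(kind != "AS_SEQUENCE" for kind, _ in update["as_path"]):
        return False
    asns = [a for _, seg in update["as_path"] for a in seg]
    if asns != [asn for asn, _ in update["sig_block"]]:
        return False
    target = receiver
    for asn, sig in update["sig_block"]:
        if sig != sign(asn, target, update["prefix"]):
            return False
        target = asn
    return True
```

Scenario for the checks: AS 64496 originates 192.0.2.0/24 with the confederation identifier 64500 as the "TO" ASN, member 65001 forwards it to member 65002 inside the confederation, and 65002 then announces it to AS 64497 as 64500.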