Hi Iljitsch,

>But unless I missed something, the BGPsec drafts don't even talk about the
>unknown state:
>"The validation procedure results in one of two states: 'Valid' and 'Not
>Valid'."
>I don't see any reasonable deployment scenario with only valid and invalid. I
>think this needs to be addressed in a BGPsec document.

The validation in the BGPsec draft is only about the AS path signatures in signed updates. It is talking about the validity of the Secure_Path. If all the signatures in a Signature_Block are valid, then the Signature_Block (and hence Secure_Path) is 'Valid'; else, the Signature_Block is 'Not Valid'. If there are two Signature_Blocks (e.g. when two different algorithms are in use) in an update, then at least one of them must be 'Valid' in order for the Secure_Path to be valid.

Separately, prefix-origin validation has three possible outcomes as you have observed already. That is the topic of RFC 6483 (Informational) and RFC 6811 (Standards Track).

Sriram

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
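
The two procedures distinguished in the reply above, side by side, as an added example that is not part of the original message or of the BGPsec drafts. The function names, the modelling of each signature check as an already-computed boolean, the constructed VRP data, and the choice to treat an empty Signature_Block as 'Not Valid' are assumptions of this sketch.

```python
from ipaddress import ip_network

def secure_path_state(signature_blocks):
    """Two-state path validation. Each Signature_Block is modelled as a list
    of booleans: the outcome of verifying each signature in that block."""
    # A block is valid only if every signature in it verified. An empty block
    # is rejected explicitly because all([]) would otherwise return True.
    ok = any(len(block) > 0 and all(block) for block in signature_blocks)
    return "Valid" if ok else "Not Valid"

def origin_state(route_prefix, origin_as, vrps):
    """Three-state prefix-origin validation in the style of RFC 6811.
    vrps: iterable of (prefix, max_length, asn) validated ROA payloads."""
    route = ip_network(route_prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp = ip_network(vrp_prefix)
        # Different address families never cover each other.
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # A match needs the same origin AS and a length within maxLength;
        # AS 0 payloads never match any route.
        if vrp_as != 0 and origin_as == vrp_as and route.prefixlen <= max_len:
            return "Valid"
    # Covered but unmatched is Invalid; no covering payload at all is NotFound.
    return "Invalid" if covered else "NotFound"

# Constructed sample payloads (documentation prefixes and ASNs).
VRPS = [("192.0.2.0/24", 24, 64496), ("2001:db8::/32", 48, 64497)]

if __name__ == "__main__":
    print(secure_path_state([[True, False], [True, True]]))   # two algorithms
    print(origin_state("198.51.100.0/24", 64496, VRPS))       # no covering VRP
```
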