David,

Thanks a lot for raising this issue.

Based on the discussion in Dallas, I was hoping that we could just go with the clean approach of including the MP_REACH_NLRI attribute in the signature. As you correctly point out, we can't sign MP_REACH_NLRI, because the "Network Address of Next Hop" field within MP_REACH_NLRI changes as an update message propagates through the network. (I.e., if we sign what the -12 draft says we should sign, verification will often fail.)

I have just submitted a -13 version of the document that pulls out the fields from MP_REACH_NLRI which aren't changed in transit (and thus can be safely signed).

- Matt Lepinski

On Mon, Jun 22, 2015 at 9:21 PM, David Mandelberg <da...@mandelberg.org> wrote:

> On 2015-06-19 14:00, Sandra Murphy wrote:
>
>> Anyone who commented on draft-ietf-sidr-bgpsec-protocol-11.txt is
>> encouraged to review this version and report if your comments have or
>> have not been addressed.
>>
>
> My comments have been addressed, but I have some questions about the way
> one of them was addressed:
>
> Is the MP_REACH_NLRI encoded with or without the attribute flags and type
> code?
>
> Don't the values of MP_REACH_NLRI's "Length of Next Hop Network Address"
> and "Network Address of Next Hop" change with each hop, making it
> infeasible for remote ASes to verify the origin's signature?
>
> MP_REACH_NLRI has a reserved field that "MUST be set to 0, and SHOULD be
> ignored upon receipt". If a BGPsec speaker receives an update where
> reserved is non-zero, what should it do? With the current text, I could
> interpret "SHOULD be ignored upon receipt" as meaning either "calculate the
> signature using the reserved field as received" or "calculate the signature
> using all zeroes in place of the reserved field".
>
> --
> David Eric Mandelberg / dseomn
> http://david.mandelberg.org/
>
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>
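The point in Matt's reply, that only the parts of MP_REACH_NLRI which do not change in transit can be signed, worked through as an added Python example (not code from the draft or from anyone on the thread): it parses the RFC 4760 attribute layout, reduces it to AFI, SAFI and NLRI, and shows that a digest over those fields is identical at two hops with different next hops while a digest over the whole attribute is not. Which fields the -13 draft actually covers, and whether the reserved octet is excluded, is assumed here rather than taken from the draft.

```python
import hashlib
import ipaddress
import struct

def build_mp_reach_nlri(afi, safi, next_hop, prefixes, reserved=0):
    """Build an MP_REACH_NLRI value in the RFC 4760 layout (used for constructed input)."""
    value = struct.pack("!HBB", afi, safi, len(next_hop)) + next_hop + bytes([reserved])
    for plen, pbytes in prefixes:
        value += bytes([plen]) + pbytes[:(plen + 7) // 8]
    return value

def parse_mp_reach_nlri(value):
    """Split an MP_REACH_NLRI value into AFI, SAFI, next hop, reserved octet and prefixes."""
    afi, safi, nh_len = struct.unpack_from("!HBB", value, 0)
    pos = 4
    next_hop = value[pos:pos + nh_len]
    pos += nh_len
    reserved = value[pos]
    pos += 1
    prefixes = []
    while pos < len(value):
        plen = value[pos]            # prefix length in bits
        nbytes = (plen + 7) // 8     # a prefix occupies only the octets it needs
        prefixes.append((plen, value[pos + 1:pos + 1 + nbytes]))
        pos += 1 + nbytes
    return {"afi": afi, "safi": safi, "next_hop": next_hop,
            "reserved": reserved, "prefixes": prefixes}

def signable_fields(value):
    """Serialise only the transit-invariant fields: AFI, SAFI and the NLRI prefixes.
    Next-hop length, next hop and the reserved octet are left out (an assumption, see lead-in)."""
    p = parse_mp_reach_nlri(value)
    out = struct.pack("!HB", p["afi"], p["safi"])
    for plen, pbytes in p["prefixes"]:
        out += bytes([plen]) + pbytes
    return out

def digests_match(a, b, fields=False):
    """Compare SHA-256 of two attribute values, either whole or reduced to signable fields."""
    if fields:
        a, b = signable_fields(a), signable_fields(b)
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

# Constructed sample: one IPv6 prefix as seen at two hops with different next hops
PREFIX = [(48, ipaddress.IPv6Network("2001:db8:100::/48").network_address.packed)]
HOP_A = build_mp_reach_nlri(2, 1, ipaddress.IPv6Address("2001:db8::1").packed, PREFIX)
HOP_B = build_mp_reach_nlri(2, 1, ipaddress.IPv6Address("2001:db8::2").packed, PREFIX, reserved=0xFF)

if __name__ == "__main__":
    print("whole attribute:", digests_match(HOP_A, HOP_B), "| signable fields:", digests_match(HOP_A, HOP_B, fields=True))
```

HOP_B also carries a non-zero reserved octet, so the run shows that the whole-attribute digest differs while the reduced-field digest still matches.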