The -13 revision addresses all of my questions, thanks.

On 2015-07-06 19:26, Matthew Lepinski wrote:
David,

Thanks a lot for raising this issue.

Based on the discussion in Dallas, I was hoping that we could just go
with the clean approach of including the MP_REACH_NLRI attribute in
the signature. 

As you correctly point out, we can't sign MP_REACH_NLRI, because the
"Network Address of Next Hop" field within MP_REACH_NLRI changes as an
update message propagates through the network. (I.e., if we sign what the
-12 draft says we should sign, verification will often fail.)

I have just submitted a -13 version of the document that pulls out the
fields from MP_REACH_NLRI which aren't changed in transit (and thus can
be safely signed).

- Matt Lepinski

On Mon, Jun 22, 2015 at 9:21 PM, David Mandelberg
<da...@mandelberg.org> wrote:

On 2015-06-19 14:00, Sandra Murphy wrote:

Anyone who commented on draft-ietf-sidr-bgpsec-protocol-11.txt is
encouraged to review this version and report if your comments have or
have not been addressed.

My comments have been addressed, but I have some questions about
the way one of them was addressed:

Is the MP_REACH_NLRI encoded with or without the attribute flags
and type code?

Don't the values of MP_REACH_NLRI's "Length of Next Hop Network
Address" and "Network Address of Next Hop" change with each hop,
making it infeasible for remote ASes to verify the origin's
signature?

MP_REACH_NLRI has a reserved field that "MUST be set to 0, and
SHOULD be ignored upon receipt". If a BGPsec speaker receives an
update where reserved is non-zero, what should it do? With the
current text, I could interpret "SHOULD be ignored upon receipt" as
meaning either "calculate the signature using the reserved field as
received" or "calculate the signature using all zeroes in place of
the reserved field".

--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr




--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
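The verification failure Matt describes, and why signing only the in-transit-stable fields fixes it, can be modelled in a few lines. The following is an added illustration, not code from the thread or from any BGPsec implementation: it assumes the RFC 4760 wire layout for MP_REACH_NLRI, uses an HMAC over a constructed shared key as a stand-in for the origin AS's real (ECDSA) BGPsec signature so it runs offline, and assumes "fields which aren't changed in transit" means AFI, SAFI and the NLRI prefixes. All addresses, prefixes and keys are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed stand-in: a shared HMAC key plays the role of the origin AS's
# signing key. Real BGPsec signs with an asymmetric key; the point here is
# only which bytes go under the signature.
ORIGIN_KEY = b"constructed-demo-key-for-origin-as"

AFI_IPV4 = 1
SAFI_UNICAST = 1


def encode_prefix(prefix: str) -> bytes:
    """Encode an IPv4 prefix as BGP NLRI: one length octet + minimal prefix bytes."""
    net = ipaddress.ip_network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def mp_reach_nlri(afi: int, safi: int, next_hop: str, prefixes: list) -> bytes:
    """Value portion of MP_REACH_NLRI (RFC 4760 layout):
    AFI(2) | SAFI(1) | NH length(1) | next hop | reserved(1) | NLRI..."""
    nh = ipaddress.ip_address(next_hop).packed
    body = struct.pack("!HBB", afi, safi, len(nh)) + nh + b"\x00"
    for p in prefixes:
        body += encode_prefix(p)
    return body


def transit_stable_fields(afi: int, safi: int, prefixes: list) -> bytes:
    """Only the parts of MP_REACH_NLRI that a transit router does not rewrite
    (assumption: AFI, SAFI and the NLRI prefixes)."""
    body = struct.pack("!HB", afi, safi)
    for p in prefixes:
        body += encode_prefix(p)
    return body


def sign(data: bytes) -> bytes:
    """Stand-in for the origin AS's signature over `data`."""
    return hmac.new(ORIGIN_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def signed_bytes(update: dict, sign_full_attribute: bool) -> bytes:
    """Select what goes under the signature, per the two approaches in the thread."""
    if sign_full_attribute:  # the -12 approach: whole MP_REACH_NLRI, next hop included
        return mp_reach_nlri(update["afi"], update["safi"],
                             update["next_hop"], update["prefixes"])
    return transit_stable_fields(update["afi"], update["safi"], update["prefixes"])


def simulate(sign_full_attribute: bool) -> bool:
    """Origin signs, a transit AS rewrites the next hop, a remote AS verifies.
    Returns whether verification succeeds at the remote AS."""
    origin_update = {"afi": AFI_IPV4, "safi": SAFI_UNICAST,
                     "next_hop": "192.0.2.1",          # constructed
                     "prefixes": ["203.0.113.0/24"]}   # constructed
    sig = sign(signed_bytes(origin_update, sign_full_attribute))

    # Transit AS re-advertises with itself as next hop, as BGP requires.
    forwarded = dict(origin_update, next_hop="198.51.100.1")

    return verify(signed_bytes(forwarded, sign_full_attribute), sig)


def prefix_change_detected() -> bool:
    """Signing only the stable fields must still catch a modified NLRI."""
    sig = sign(transit_stable_fields(AFI_IPV4, SAFI_UNICAST, ["203.0.113.0/24"]))
    altered = transit_stable_fields(AFI_IPV4, SAFI_UNICAST, ["203.0.113.0/25"])
    return not verify(altered, sig)


if __name__ == "__main__":
    print("sign full MP_REACH_NLRI, verify after one hop:", simulate(True))
    print("sign stable fields only, verify after one hop:", simulate(False))
    print("altered prefix detected:", prefix_change_detected())
```

Running it shows the first case failing and the second succeeding, while a change to the prefix itself is still caught: the next hop is rewritten by design at every hop, so it carries no origin-attestable information and must stay outside the signed octets. The reserved-octet question raised in the thread (sign it as received, or as zero) is left open here; whichever rule the draft picks, both signer and verifier have to apply the same canonicalization or the same failure pattern reappears.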
