At Tue, 03 Jan 2017 00:33:49 +0900, Randy Bush <ra...@psg.com> wrote:
>
> hi mirja,
>
> > could there be a similar case here, where a router is known to support
> > BGPsec and others would ignore/drop non-signed announcements?
>
> hmmmm. as far as i can remember, this has not actually been discussed.

I think this is correct. (I don't remember discussing something like this in
the past.)

I can imagine a future where the operations staff decides: "We only do bgpsec
(with peers x, y, z); turn on the knob that requires bgpsec at peer
establishment!" In that case, if it were to be true, the operator would have
chosen to only do bgpsec and not fall back to normal bgp... The router(s)
aren't really remembering that their peer did bgpsec in the past as much as
requiring the bgpsec capability at peer 'connect'.

> how would a router be known to support bgpsec? well, if i saw it on a
> signed path. (for the moment, let's ignore changes over time). but it
> might have an out-degree of O(100) and some portion are signed and the
> rest not. the ones that are not signed are due to the peer not
> negotiating bgpsec, or that one or the other is configured to not have
> the peering be bgpsec.

I bet with a distant view of one ASN (or all ASNs) you could tell, over time,
whom the ASN peers with via 'bgpsec' vs 'bgp'. You MAY choose to do some
policy stuff that says: "ASN X, Y, Z seem to always do bgpsec with +XX% of
their peers in my view of them... so only accept routes originated by these
ASNs if the routes arrive on bgpsec-enabled peerings."

This seems dangerous, today anyway, but maybe tomorrow it'd be more feasible?

I also don't know that you could easily tell "the router" vs "the asn",
because as you get further away on the network your entrypoint (and whom in
that ASN you hear routes FROM) to the remote ASN is less guaranteed.

> and it's way too late here for me to do the necessary deep dive into
> draft-ietf-sidr-bgpsec-pki-profiles-18.txt to know if i can definitively
> identify a router, especially as one router can have multiple ASs and
> therefore multiple certs and therefore multiple skis.
>
> maybe someone on the us beast coast has had enough coffee to hit me with
> a clue by four when i wake.
>
> randy

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
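The "only accept routes from origins that seem to always do bgpsec when they arrive on bgpsec peerings" policy sketched in the reply above, as an added toy model that is not part of the thread: it tallies, from a constructed observation history, how often each origin ASN is seen on signed paths, derives the strict set, and applies the filter. The ASNs, prefixes, the 80% threshold and the function names are assumptions; the last two lines show the hazard the reply calls dangerous, a legitimate plain-BGP announcement from a mostly-signed origin being dropped.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    """One observed route announcement (constructed sample record)."""
    prefix: str
    origin_asn: int
    signed: bool  # True if the update arrived on a BGPsec peering and verified


# Constructed observation history from a single distant vantage point.
# Documentation ASNs (64500, 64501) and TEST-NET prefixes only.
HISTORY = [
    Update("192.0.2.0/24", 64500, True),
    Update("192.0.2.0/24", 64500, True),
    Update("192.0.2.0/24", 64500, True),
    Update("192.0.2.0/24", 64500, True),
    Update("192.0.2.0/24", 64500, False),  # one peering of 64500 is plain BGP
    Update("198.51.100.0/24", 64501, True),
    Update("198.51.100.0/24", 64501, False),
    Update("198.51.100.0/24", 64501, False),
    Update("198.51.100.0/24", 64501, False),
]


def signed_ratio(history):
    """Per origin ASN: fraction of observed updates that were BGPsec-signed."""
    counts = defaultdict(lambda: [0, 0])  # asn -> [signed, total]
    for u in history:
        counts[u.origin_asn][1] += 1
        counts[u.origin_asn][0] += int(u.signed)
    return {asn: s / t for asn, (s, t) in counts.items()}


def strict_origins(history, threshold=0.8):
    """Origins that 'seem to always do bgpsec': signed ratio >= threshold."""
    return {asn for asn, r in signed_ratio(history).items() if r >= threshold}


def accept(update, strict):
    """Policy: an origin in the strict set is accepted only on a signed path."""
    return update.signed or update.origin_asn not in strict


if __name__ == "__main__":
    strict = strict_origins(HISTORY)  # {64500}: 4 of 5 updates were signed
    # Hazard: 64500's legitimate unsigned route is dropped, while the
    # partially-signed 64501's unsigned route is accepted.
    print(accept(Update("192.0.2.0/24", 64500, False), strict))    # False
    print(accept(Update("198.51.100.0/24", 64501, False), strict))  # True
```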