netsec-sig - Re: [Security-WG] BCP for Origin validation (RFC7115)
Subject: Internet2 Network Security SIG
- From: Michael H Lambert <>
- To:
- Subject: Re: [Security-WG] BCP for Origin validation (RFC7115)
- Date: Fri, 19 Apr 2019 12:05:51 -0400
I think David's interpretation is correct.
But then one could consider signing BGP announcements hop-by-hop. I think I
saw a presentation on this by Radia Perlman (very sketchy on the name
recollection) at an IETF routing area open meeting twenty or so years ago.
The routers at the time didn't have the horsepower.
Michael
> On 19 Apr 2019, at 11:56, Spurling, Shannon <> wrote:
>
> Unless there were some extension in the BGP address family to attach a
> signature to the original advertisement…
>
>
> Shannon Spurling
>
>
>
> From: <>
> On Behalf Of David Farmer
> Sent: Friday, April 19, 2019 10:50 AM
> To:
> Subject: [Security-WG] BCP for Origin validation (RFC7115)
>
> The Security Considerations of RFC7115 has the following statement in it:
>
> As the BGP origin AS of an update is not signed, origin validation is
> open to malicious spoofing. Therefore, RPKI-based origin validation
> is expected to deal only with inadvertent mis-advertisement.
>
> I think what this is saying is that the owner of a prefix could maliciously
> say the prefix is originated by an ASN incorrectly. However, I don't
> believe the converse is true, an ASN cannot maliciously say the prefix is
> originated by it.
>
> Or put another way, ROAs say which ASNs originate the prefix, and they are
> signed by the owner of the prefix, but there is no way for an ASN to say
> which prefixes it originates, that is then signed by the owner of the ASN.
>
> Do I have that right?
>
> Thanks.
>
>
>
> --
> ===============================================
> David Farmer Email:
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE Phone: 612-626-0815
> Minneapolis, MN 55414-3029 Cell: 612-812-9952
> ===============================================
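
The check that the quoted RFC 7115 statement is about, as an added example that is not part of this thread: the RFC 6811 origin validation procedure run over constructed ROA data and announcements. `VRP`, `validate`, and all prefixes and ASNs (documentation ranges) are assumptions made for illustration; the last sample shows that the result depends only on the prefix and the rightmost AS in the path, which nothing in the update signs.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what the prefix holder's signed ROA asserts."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample VRPs (documentation prefixes and ASNs, not real data).
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
]

def validate(route_prefix: str, as_path: list[int]) -> str:
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811.

    Assumes a non-empty AS_PATH made of a plain AS_SEQUENCE.
    """
    route = ipaddress.ip_network(route_prefix)
    origin = as_path[-1]  # origin AS = rightmost AS; the update does not sign it
    covered = False
    for vrp in VRPS:
        net = ipaddress.ip_network(vrp.prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        if vrp.asn == origin and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Constructed announcements: (prefix, AS_PATH as received, leftmost = neighbor).
ANNOUNCEMENTS = {
    "legitimate origin": ("192.0.2.0/24", [64500, 64496]),
    "mis-origination": ("192.0.2.0/24", [64500, 64511]),
    "longer than maxLength": ("2001:db8:1:100::/56", [64497]),
    "no covering ROA": ("203.0.113.0/24", [64511]),
    # Same origin AS as the ROA, but the rest of the path is unverified.
    "ROA's AS in origin position": ("192.0.2.0/24", [64500, 64511, 64496]),
}

def results() -> dict[str, str]:
    return {name: validate(p, path) for name, (p, path) in ANNOUNCEMENTS.items()}

if __name__ == "__main__":
    for name, state in results().items():
        print(f"{name:30} {state}")
```
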