On 2015-06-05 02:40, Roland Dobbins wrote:
On 5 Jun 2015, at 10:56, David Mandelberg wrote:
Could you elaborate on your enumeration and DDoS concerns?
Crypto = more overhead. Less priority to crypto plus DDoS = routing update issues.
I don't think there's an update issue here. The crypto verification is probably going to be deferred in addition to being low priority. If I understand it correctly, this means that a route can be passed along right away without waiting for the crypto checks.
One can infer peering relationships in a way not possible before.
How?
What about bogus signatures?
If I understand correctly, these routes (and all newly received routes) will initially be treated similarly to unsigned routes. Once BGPsec validation completes, then local policy determines what to do with the validation results. -- David Eric Mandelberg / dseomn http://david.mandelberg.org/