> The second major area of concern I have about this proposal is the
> transitive nature of the bgp community. The issue is that the draft
> specifies a mechanism to cause traffic to be dropped on the floor,
> that the signaling mechanism is globally transitive in scope, and the
> specific intent is that prefixes tagged in this way are exported to
> other ASNs. In other words, the draft specifies behaviour that is
> risky by default.

risky? this is a disastrous vulnerability large enough to handle a
very large truck. we really do not need a global mechanism by which an
attacker can spoof a bgp announcement of someone's prefixes and cause
traffic to the specified address space(s) to be discarded on a
significant portion of the internet. until bgp announcements can be
rigorously authenticated, this is a disaster waiting to happen. and it
will not wait long.

randy