Design Discussion and Comparison of Replay-Attack Protection Mechanisms for BGPSEC

The information below is for an old version of the document
Document Type: Expired Internet-Draft (individual)
Authors: Kotikalapudi Sriram, Doug Montgomery
Last updated: 2014-09-26 (latest revision 2014-03-25)
Stream: (None)
Status: Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


The BGPSEC protocol requires a method for protection from replay attacks, at least to control the window of exposure. In the context of BGPSEC, a replay attack occurs when an adversary suppresses a prefix withdrawal (implicit or explicit) or replays a previously received BGPSEC announcement for a prefix that has since been withdrawn. This informational document provides a design discussion and comparison of multiple alternative replay-attack protection mechanisms, weighing their pros and cons. It is meant to be a companion document to the standards track I-D.-ietf-sidr-bgpsec-rollover that will specify a method to be used with BGPSEC for replay-attack protection.


Kotikalapudi Sriram (
Doug Montgomery (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)