Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
the rir attests to the delegation of the prefix and an asn to the identified isp.
the isp signs, using their isp identity to o originating from the asn o originating that prefix (in sbgp, toward another isp)
Looks to me like: proof of allocation: S(withRIRkey, Prefix_p_key, prefix_p) as Steve pointed out, there could be two of these, one with CA bit set for use in suballocation and one without the CA bit set for use in routing proof of identity S(withRIRkey, AS_A_key, AS_A) or S(withwebofttrustkeys, AS_A_key, AS_A) maybe Randy is saying this is two steps, not an "OR" proof of origination authorization: S(withPrefix_p_key, authr_origin_AS_#, prefix_p) proof of origination authentication: S(withAS_A_key, (AS_A,prefix_p)update) could be S(withAS_A_key, (AS_A,prefix_p)||proofoforiginationauthr) The binding between the proof of origination authorization and the proof of origination authentication is that the AS_A in the proof of identity mapping AS_A to the AS_A_key must be the same as the authr_origin_AS_# in the proof of origination authorization. [Future complication of this would have to decide what to do with ISPs that own more than one AS #. (make "authr_origin_AS_#" a list?)] --Sandy who really should be baking
proof of identity S(withRIRkey, AS_A_key, AS_A) or S(withwebofttrustkeys, AS_A_key, AS_A) maybe Randy is saying this is two steps, not an "OR"
S(withRIRkey, someNonRIRidentity, asA) i.e. the rir attests that the entity whose identity is externally certified has been issued asA (or prefixP). the isp may have gotten their identity from thawte, some web of trust, or santa claus. the point, as smb notes, is that the public cert of the isp is given to the rir(s) as part of the business contract. it has no need to be rir-generated, though the rirs offering cert generation as a service will likely be useful to small lirs who have no other corporate buiness/privacy preferences. randy
On Mon, 28 Nov 2005, Randy Bush wrote:
proof of identity S(withRIRkey, AS_A_key, AS_A) or S(withwebofttrustkeys, AS_A_key, AS_A) maybe Randy is saying this is two steps, not an "OR"
S(withRIRkey, someNonRIRidentity, asA)
Good idea. And this "someNonRIRidentity" may actually be another region RIR! (which solves problem for those involved with multiple RIRs but who prefer to maintain one primary identity for all regions). -- William Leibzon Elan Networks william@elan.net
participants (3)
-
Randy Bush
-
Sandy Murphy
-
william(at)elan.net