North American Network Operators Group
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
- From: Randy Bush
- Date: Wed Nov 23 20:20:15 2005
> So when one receives an update, which part is it that you verify with
> the certificate derived from the RIR chain and which part is it that you
> verify with the certificate derived from the web-of-trust? I'm guessing
> the answer in part is that there's a signature attesting to the
> prefix origination based on the RIR-rooted certificate, but I'm not
> certain what you are suggesting you would sign with the web-of-trust
> based ISP identity certificate (the origination announcement, indicating
> that it is not only authorization to originate but also source
> authentication?)

something like

the rir attests to the delegation of the prefix and an asn to the
identified isp.

the isp signs, using their isp identity to
  o originating from the asn
  o originating that prefix (in sbgp, toward another isp)
  o possibly delegating a subset of that prefix
  o passing other prefixes on (in sbgp, toward ...)

but either you, smb, or jis should be able to get it more correctly
than i.

randy