Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

  • From: Randy Bush
  • Date: Wed Nov 23 20:20:15 2005

> So when one receives an update, which part is it that you verify with
> the certificate derived from the RIR chain and which part is it that you
> verify with the certificate derived from the web-of-trust?  I'm guessing
> the answer in part is that there's a signature attesting to the
> prefix origination based on the RIR-rooted certificate, but I'm not
> certain what you are suggesting you would sign with the web-of-trust
> based ISP identity certificate (the origination announcement, indicating
> that it is not only authorization to originate but also source
> authentication?)

something like

the rir attests to the delegation of the prefix and an asn to the
identified isp.

the isp signs, using their isp identity to
  o originating from the asn
  o originating that prefix (in sbgp, toward another isp)
  o possibly delegating a subset of that prefix
  o passing other prefixes on (in sbgp, toward ...)

but either you, smb, or jis should be able to get it more correctly
than i.

randy
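
The two attestation layers sketched in the message above, as an added example that is not part of the original post or of any S-BGP implementation: a RIR-signed delegation of a prefix and ASN to an ISP key, and an ISP-signed origination toward a peer, checked together. The type and function names, the Ed25519 signatures, the string encoding, and the sample prefix and AS numbers are all assumptions made for illustration; subset delegation and passing prefixes on are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net/netip"
)

// Delegation: the RIR attests that Prefix and ASN are delegated to the holder of ISPKey.
type Delegation struct {
	Prefix netip.Prefix
	ASN    uint32
	ISPKey ed25519.PublicKey
	Sig    []byte // made with the RIR key over msg()
}

// Origination: the ISP attests that it originates Prefix from ASN toward PeerASN.
type Origination struct {
	Prefix       netip.Prefix
	ASN, PeerASN uint32
	Sig          []byte // made with the ISP identity key over msg()
}

func (d Delegation) msg() []byte  { return []byte(fmt.Sprintf("D|%s|%d|%x", d.Prefix, d.ASN, d.ISPKey)) }
func (o Origination) msg() []byte { return []byte(fmt.Sprintf("O|%s|%d|%d", o.Prefix, o.ASN, o.PeerASN)) }

// Verify checks both signature layers and that the origination stays inside the delegation.
func Verify(rir ed25519.PublicKey, d Delegation, o Origination) error {
	if !ed25519.Verify(rir, d.msg(), d.Sig) {
		return fmt.Errorf("delegation not signed by the RIR")
	}
	if !ed25519.Verify(d.ISPKey, o.msg(), o.Sig) {
		return fmt.Errorf("origination not signed by the delegated ISP key")
	}
	if o.ASN != d.ASN || o.Prefix.Bits() < d.Prefix.Bits() || !d.Prefix.Contains(o.Prefix.Addr()) {
		return fmt.Errorf("origination outside the delegated prefix/ASN")
	}
	return nil
}

// Sample builds constructed data: 192.0.2.0/24 and AS64500 delegated, origin prefix as given.
func Sample(origin string) (ed25519.PublicKey, Delegation, Origination) {
	rirPub, rirKey, _ := ed25519.GenerateKey(nil)
	ispPub, ispKey, _ := ed25519.GenerateKey(nil)
	d := Delegation{Prefix: netip.MustParsePrefix("192.0.2.0/24"), ASN: 64500, ISPKey: ispPub}
	o := Origination{Prefix: netip.MustParsePrefix(origin), ASN: 64500, PeerASN: 64501}
	d.Sig, o.Sig = ed25519.Sign(rirKey, d.msg()), ed25519.Sign(ispKey, o.msg())
	return rirPub, d, o
}
func main() { fmt.Println(Verify(Sample("192.0.2.128/25"))) }
```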




