Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

  • From: Steven M. Bellovin
  • Date: Wed Nov 23 20:46:01 2005

In message <20051124113104.0bd275d2@garlic.apnic.net>, George Michaelson writes
:
>
>
>According to what I understand, there have to be two certificates per
>entity:
>
>	one is the CA-bit enabled certificate, used to sign subsidiary
>	certificates about resources being given to other people to use.
>
>	the other is a self-signed NON-CA certificate, used to sign
>	route assertions you are attesting to yourself: you make this
>	cert using the CA cert you get from your logical parent.
>
Or your parent could have a CA and issue you two certs, one for signing 
route assertions and one for signing certificates you issue to your 
downstreams.  That in turn has another interesting implication: an ISP 
can *enforce* a contract that prohibits a downstream from reselling 
connectivity, at least if the resold connectivity includes a BGP 
announcement -- the ISP would simply decline to sign a CA certificate 
for its customer, thereby depriving it of the ability to delegate 
portions of its address space.  (N.B.  Certificates include usage 
fields that say what the cert is good for.)

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.