Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)

  • From: Sandy Murphy
  • Date: Thu Nov 24 06:57:04 2005

>the rir attests to the delegation of the prefix and an asn to the
>identified isp.
>the isp signs, using their isp identity to
>  o originating from the asn
>  o originating that prefix (in sbgp, toward another isp)

Looks to me like:

proof of allocation:
S(withRIRkey, Prefix_p_key, prefix_p)
             as Steve pointed out, there could be two of these,
             one with CA bit set for use in suballocation
             and one without the CA bit set for use in routing

proof of identity
S(withRIRkey, AS_A_key, AS_A)
S(withwebofttrustkeys, AS_A_key, AS_A)
             maybe Randy is saying this is two steps, not an "OR"

proof of origination authorization:
S(withPrefix_p_key, authr_origin_AS_#, prefix_p)

proof of origination authentication:
S(withAS_A_key, (AS_A,prefix_p)update)
     could be S(withAS_A_key, (AS_A,prefix_p)||proofoforiginationauthr)

The binding between the proof of origination authorization and
the proof of origination authentication is that the AS_A in the proof
of identity mapping AS_A to the AS_A_key must be the same as 
the authr_origin_AS_# in the proof of origination authorization.

[Future complication of this would have to decide what to do with ISPs
that own more than one AS #. (make "authr_origin_AS_#" a list?)]

  who really should be baking

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.