[86943] in North American Network Operators' Group
Re: BGP Security and PKI Hierarchies (was: Re: Wifi Security)
daemon@ATHENA.MIT.EDU (Randy Bush)
Wed Nov 23 20:19:36 2005
From: Randy Bush <randy@psg.com>
Date: Wed, 23 Nov 2005 15:19:08 -1000
To: Sandy Murphy <sandy@tislabs.com>
Cc: nanog@nanog.org
Errors-To: owner-nanog@merit.edu
> So when one receives an update, which part is it that you verify with
> the certificate derived from the RIR chain and which part is it that you
> verify with the certificate derived from the web-of-trust? I'm guessing
> the answer in part is that there's a signature attesting to the
> prefix origination based on the RIR-rooted certificate, but I'm not
> certain what you are suggesting you would sign with the web-of-trust
> based ISP identity certificate (the origination announcement, indicating
> that it is not only authorization to originate but also source
> authentication?)
something like
the rir attests to the delegation of the prefix and an asn to the
identified isp.
the isp signs, using their isp identity to
o originating from the asn
o originating that prefix (in sbgp, toward another isp)
o possibly delegating a subset of that prefix
o passing other prefixes on (in sbgp, toward ...)
but either you, smb, or jis should be able to get it more correctly
than i.
randy
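The two-layer check sketched above, as an added Go example that is not from this thread or from sBGP itself (the byte encodings are hypothetical and Ed25519 keys stand in for the certificates): a receiver verifies the RIR's signature over the prefix/ASN delegation, then the ISP identity-key signature over the origination, and finally that the originated ASN and prefix are covered by what the RIR delegated, including the subset case.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net"
)
// Delegation is the RIR-rooted layer: the RIR attests that Prefix and ASN are
// delegated to the ISP holding ISPKey. Encodings here are hypothetical, not sBGP's.
type Delegation struct {
	Prefix string
	ASN    uint32
	ISPKey ed25519.PublicKey
}
func (d Delegation) Bytes() []byte { // canonical form the RIR signs
	return []byte(fmt.Sprintf("delegation|%s|%d|%x", d.Prefix, d.ASN, d.ISPKey))
}
// Origination is the ISP layer: the ISP identity key signs that ASN originates Prefix.
type Origination struct {
	ASN    uint32
	Prefix string
}
func (o Origination) Bytes() []byte { // canonical form the ISP signs
	return []byte(fmt.Sprintf("origination|%d|%s", o.ASN, o.Prefix))
}
// VerifyOrigination walks the chain a receiver would: RIR signature over the
// delegation, ISP signature over the origination, ASN match, prefix coverage.
func VerifyOrigination(rirPub ed25519.PublicKey, d Delegation, dSig []byte, o Origination, oSig []byte) error {
	if !ed25519.Verify(rirPub, d.Bytes(), dSig) {
		return fmt.Errorf("RIR signature over delegation does not verify")
	}
	if !ed25519.Verify(d.ISPKey, o.Bytes(), oSig) {
		return fmt.Errorf("ISP identity signature over origination does not verify")
	}
	if o.ASN != d.ASN {
		return fmt.Errorf("origin ASN %d is not the delegated ASN %d", o.ASN, d.ASN)
	}
	_, delegated, err1 := net.ParseCIDR(d.Prefix)
	_, announced, err2 := net.ParseCIDR(o.Prefix)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("malformed prefix in delegation or origination")
	}
	dBits, _ := delegated.Mask.Size() // announced must be at least as specific
	aBits, _ := announced.Mask.Size() // and fall inside the delegated block
	if !delegated.Contains(announced.IP) || aBits < dBits {
		return fmt.Errorf("announced %s is not within delegated %s", o.Prefix, d.Prefix)
	}
	return nil
}
```

The ASN and prefix values used when exercising it are constructed (documentation ranges), and the "passing other prefixes on" case from the list above is not modelled here.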