nanog mailing list archives
Re: LOAs for Cross Connects - Something like PeeringDB for XC
From: George Michaelson <ggm () algebras org>
Date: Tue, 23 Feb 2021 09:39:25 +1000
The LOA type model is one of the ones we showed on slideware when we presented RTA in IETF, and at the CloudFlare RPKI workshop years ago. The detached signature model inherent in RTA and RSC goes to "you define the business logic". It's not proscriptive. I saw nothing proposed here which I thought wasn't a rational thing to try and certify in this manner.

The key point is, the "action" you want to approve has to vest in "who controls the stated internet number resources". If they have no bearing, then it's not rational to propose using (R)PKI to do it. Some other PKI? Sure.

Randy is correct that the processes are baroque, not well defined, come with all kinds of corner cases: what does a more specific command (regarding some IP address) if it's not signed and the parent is? Or, if the more specific is, and the parent isn't?

Randy is also correct that RPKI certificates, by design, do not permit their use in ways which go directly to things like identity proofs. Detached signatures open the door to doing some things here, because you can sign over something which says "the person identified by the following public key is to be permitted to ..."

And in like sense, we removed the uses which go to message encryption, sender or receiver. You can't directly use an RPKI certificate to do "for your eyes only". It can only say "the person controlling these numbers, says the following".

Obviously, I think this detached signature model is good :-)

On Tue, Feb 23, 2021 at 6:31 AM Randy Bush <randy () psg com> wrote:
What if PeeringDB would be the CA for the Facilities? Supposedly this solves the CA problem of the "Colo Folks".

I think pushing your security identification out (as the notional equinix) to a third party where you can't revoke/change/etc is asking for dangerous things to happen.

there are a few examples of industry associations with simple, strong, and formal ties sufficient to allow forms of trust automation. folk such as karen o'donoghue, lucy lynch, and heather flanagan would be able to speak vastly more knowledgeably in this space than i.

again, that draft is a... draft still and I'm sure we'll have a bunch of chatter/discussion/changes before done, but it smells like it might help.

you might notice that we use it in draft-ietf-opsawg-finding-geofeeds. but that application is specifically to use rpki data to attest to ip address ownership. the problem there is that the draft is a cool proof of concept, but is not operationally easy to use.

randy
---
randy () psg com
`gpg --locate-external-keys --auto-key-locate wkd randy () psg com`
signatures are back, thanks to dmarc header mangling
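The detached-signature model George describes, as an added example that is not part of the thread and not the RTA/RSC wire format: a toy resource certificate (key plus delegated prefixes), an LOA statement signed over the resources it vests in, and a verifier that accepts it only if the signature checks and every stated resource is covered by the signer's certificate. The JSON-over-Ed25519 encoding, the `ResourceCert`/`Attestation` types and the sample prefixes and key seed are assumptions constructed for this example; real RSC/RTA objects are CMS signed objects chained to X.509 resource certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/netip"
)

// ResourceCert is a toy stand-in for an RPKI resource certificate: a public
// key plus the address resources a (hypothetical) parent CA delegated to it.
type ResourceCert struct {
	Subject   string
	PublicKey ed25519.PublicKey
	Prefixes  []netip.Prefix
}

// Attestation is a toy detached-signature object in the spirit of RTA/RSC:
// the resources the statement vests in, the business-logic statement itself
// (here an LOA for a cross connect), and a signature by the resource holder.
// The encoding (JSON + Ed25519) is an assumption made for this example.
type Attestation struct {
	Resources []string `json:"resources"` // prefixes the signer claims to hold
	Statement string   `json:"statement"` // what the holder of those numbers says
	Signature []byte   `json:"signature,omitempty"`
}

// tbs returns the to-be-signed digest: the attestation with the signature
// field cleared, serialised as JSON and hashed with SHA-256.
func (a Attestation) tbs() []byte {
	a.Signature = nil
	b, _ := json.Marshal(a)
	sum := sha256.Sum256(b)
	return sum[:]
}

// Sign produces the detached signature over resources + statement.
func Sign(priv ed25519.PrivateKey, resources []string, statement string) Attestation {
	a := Attestation{Resources: resources, Statement: statement}
	a.Signature = ed25519.Sign(priv, a.tbs())
	return a
}

// Verify accepts an attestation only if (1) the signature checks under the
// certificate's key and (2) every resource the statement vests in is covered
// by the certificate. Step 2 is the thread's point: the statement only means
// something if it was made by whoever controls the stated numbers.
func Verify(a Attestation, cert ResourceCert) error {
	if !ed25519.Verify(cert.PublicKey, a.tbs(), a.Signature) {
		return errors.New("bad signature")
	}
	if len(a.Resources) == 0 {
		return errors.New("attestation vests in no resources")
	}
	for _, r := range a.Resources {
		p, err := netip.ParsePrefix(r)
		if err != nil {
			return fmt.Errorf("resource %q: %w", r, err)
		}
		if !covered(p, cert.Prefixes) {
			return fmt.Errorf("resource %s not held by %s", p, cert.Subject)
		}
	}
	return nil
}

// covered reports whether p lies inside one of the held prefixes: a more
// specific of a held prefix is held; a less specific or unrelated one is not.
func covered(p netip.Prefix, held []netip.Prefix) bool {
	for _, h := range held {
		if h.Bits() <= p.Bits() && h.Overlaps(p) {
			return true
		}
	}
	return false
}

func main() {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i) // constructed fixed seed so the run is reproducible
	}
	priv := ed25519.NewKeyFromSeed(seed)
	cert := ResourceCert{
		Subject:   "example holder of 192.0.2.0/24 and 2001:db8::/32",
		PublicKey: priv.Public().(ed25519.PublicKey),
		Prefixes:  []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("2001:db8::/32")},
	}
	loa := Sign(priv, []string{"192.0.2.0/25"},
		"LOA: the holder of these numbers authorises a cross connect to cage X, port Y, for the party identified by key K")
	fmt.Println("valid LOA:", Verify(loa, cert))
	foreign := Sign(priv, []string{"198.51.100.0/24"}, "LOA: same statement, numbers we do not hold")
	fmt.Println("not our numbers:", Verify(foreign, cert))
	loa.Statement = "LOA: ... port Z"
	fmt.Println("tampered:", Verify(loa, cert))
}
```

The verifier is deliberately strict about the "parent vs more specific" corner case the message raises: a statement over 192.0.2.0/25 is accepted from the holder of 192.0.2.0/24, but a statement over 192.0.0.0/16 from the same holder is rejected, because the signer does not control the whole of what the statement vests in.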